When you install an SSL certificate, your server may ask to import a CA bundle along with your primary certificate. Here’s where users usually encounter difficulties. They either don’t know where to find the CA bundle or struggle to create it.
So, what is a CA bundle? This guide will take you through the key aspects of the CA Bundle file and show you how to get it during your SSL configuration.
Table of Contents
- What Is a CA Bundle in SSL?
- Why is the CA Bundle important?
- How to get the CA Bundle?
- How to create the CA Bundle from CRT?
- Can I generate the CA Bundle?
- What are some CA bundle examples?
What Is a CA Bundle in SSL?
A CA bundle is a file that contains the root and intermediate certificates. Together with your server SSL certificate (issued specifically for your domain), these certificates complete the SSL chain of trust. The chain is required to improve the compatibility of the certificates with web browsers, email clients, and mobile devices.
Why is the CA Bundle important?
The CA bundle is essential for older browser versions and obsolete systems. If an intermediate certificate is missing or isn’t configured correctly, browsers won’t recognize your certificate.
A missing intermediate is one of the most common causes of SSL connection errors. To avoid this issue, you must import the right CA Bundle file. Moreover, the certificates inside the CA Bundle must be in the correct order.
How to get the CA Bundle?
Not all Certificate Authorities will send you the CA Bundle file. You may receive your root and intermediate certificates as separate files. If your certificate is in the PKCS#7 format (appropriate mostly for IIS/Microsoft Exchange), the bundle is already included in your certificate and you do not need to install it separately.
After you successfully apply for an SSL certificate, the CA will provide you with all the necessary installation files. Download the archive and extract its contents on your device. If there’s a file with a .ca-bundle extension, all you have to do is upload it to your server in the relevant field.
If you’ve received your root and intermediate certs as separate files, you should combine them into a single one to create the CA Bundle file. Here’s how to do it:
How to create the CA Bundle from CRT?
To create the CA Bundle file, you’ll need a text editor such as Notepad, and of course, the root and intermediate certificates as separate files. A typical SSL installation pack may include the following files:
- Root certificate: AddTrustExternalCARoot.crt
- Intermediate certificate 1: SectigoRSAAddTrustCA.crt OR SectigoECCAddTrustCA.crt
- Intermediate certificate 2: SectigoRSAECCDomain/Organization/ExtendedvalidationSecureServerCA.crt
- Intermediate certificate 3: SectigoSHA256SecureServerCA.crt
- SSL certificate issued for your domain: yourDomain.crt
To create your own CA bundle, place the root and intermediate SSL certificates in the exact CA bundle order as shown below inside a single text file.
Step 1: Open all files except your domain certificate in a text editor.
Step 2: Create a new blank text file and name it “yourdomain.ca-bundle”.
Step 3: Copy the contents of all files in the exact order and paste them into the new file.
The CA bundle order:
- Intermediate certificate 3
- Intermediate certificate 2
- Intermediate certificate 1
- Root Certificate
Step 4: Save the newly created file.
You can now upload it to your server.
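The manual steps above can also be scripted so that a wrong order or a missing intermediate is caught before upload. The following is an added example, not part of the original guide or any CA's tooling: the names `names`, `build_bundle` and `sample_cert` are hypothetical, and it assumes the bundle order means each certificate is followed by its issuer, with the root last. It matches issuer and subject names by byte equality only and does not verify signatures or expiry.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----\n?", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(pem):
    """Return (subject, issuer) of one PEM certificate as raw DER bytes."""
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    _, pos, _ = _tlv(der, 0)        # Certificate
    _, pos, _ = _tlv(der, pos)      # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # skip the optional [0] version field
        pos = end
    fields = []                     # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def build_bundle(domain_pem, ca_pems):
    """Order CA certs given in any order: domain cert's issuer first, root last."""
    by_subject = {names(p)[0]: p for text in ca_pems for p in PEM_RE.findall(text)}
    wanted, bundle = names(domain_pem)[1], []
    while True:
        if wanted not in by_subject:
            raise ValueError("missing intermediate or root in the supplied files")
        pem = by_subject.pop(wanted)
        bundle.append(pem.strip() + "\n")
        subject, issuer = names(pem)
        if subject == issuer:       # self-signed root ends the chain
            return "".join(bundle)
        wanted = issuer

def sample_cert(cn, issuer_cn):
    """Constructed skeleton certificate (names only, no key or signature)."""
    d = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda s: d(0x30, d(0x31, d(0x30, b"\x06\x03\x55\x04\x03" + d(0x0C, s.encode()))))
    tbs = d(0x30, d(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + d(0x30, b"")
            + name(issuer_cn) + d(0x30, b"") + name(cn))
    body = base64.encodebytes(d(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

Pass the text of your domain certificate and the text of each CA file to `build_bundle`, then write the returned string to yourdomain.ca-bundle.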
If you’ve lost the CA bundle or the root and intermediate files, you can get the bundle from your CA.
Can I generate the CA Bundle?
You can’t automatically generate a CA bundle with a tool similar to a CSR generator. You have three options when it comes to getting the SSL bundle:
- Receive it directly from the Certificate Authority together with your server SSL certificate.
- Download it from the CA’s website.
- Create the CA Bundle manually by merging the intermediate and root SSL files.
If you don’t get the bundle straight from your CA, you should download it from the official source. More experienced users can create it themselves, as already explained in the section above.
What are some CA bundle examples?
Here are some CA bundle examples from Sectigo and DigiCert:
For more questions about the CA Bundle contact your CA or SSL vendor.
The CA bundle is an essential element of SSL certificate configuration. Without it, you won’t even be able to install the certificate on some servers. Now that you know what a CA bundle is and how it works, you can add an SSL cert to any system and avoid annoying SSL connection errors caused by a missing intermediate certificate.