---
Too long; don't read (tl;dr): you must use the "Intermediates/root only Reverse" bundle certificate referenced in the email that notifies you that your certificate is ready to create a verifiable chained certificate.
---

Today I learned (TIL) something interesting about the certificates that I purchase through IT Services.  Last summer I purchased one of these certificates and installed it on my nginx web server after combining it with the bundled cert file referenced on the Instant SSL Comodo support website (http://goo.gl/4bDou).  The web server accepted it and it worked just fine in desktop Chrome, desktop Safari, desktop Firefox, Internet Explorer and mobile Safari.  However mobile Chrome would tell me that it couldn't verify the certificate, but I chalked that up to it being relatively new (on iOS) and disregarded it.

Earlier this week in testing some new software that makes requests to this website's API using curl it would report back error messages about the connection not working with the certificate.  When I attempted to connect using the openssl tool with the following command:

openssl s_client -connect git.phd.msu.edu:443

It reported a number of errors, such as:
  verify error:num=20:unable to get local issuer certificate
  verify error:num=27:certificate not trusted
  no client certificate CA names sent
  verify return code: 21 (unable to verify the first certificate)

After some trouble-shooting and a discussion with Comodo I found out that I must use the bundle certificate that's referenced in the email that I receive from Certificate Services Manager when my certificate is available and approved.  Specifically the slightly ambiguously named "X509 Intermediates/root only Reverse, Base64 encoded" file.

Armed with this file I was able to concatenate the certificate files into the correct order (server + bundle) to create a chained certificate that works correctly now with mobile Chrome and curl.

cat git_phd_msu_edu_cert.cer git_phd_msu_edu_interm.cer > git_phd_msu_edu_chained.cer

Now openssl s_client -connect git.phd.msu.edu:443 correctly reports no verification errors.



Troy Murray
Michigan State University
College of Medicine
Life Science
1355 Bogue St, B-136D
East Lansing, MI 48824
P: 517-432-2760
F: 517-355-7254
CompTIA Security+ certified
RedHat 5 Certified Technician
RedHat 5 Certified Systems Administrator
HL7 V2.6/2.5 Certified Control Specialist
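
The ordering requirement described in the post (server certificate first, then the bundle) can be checked on the chained file before it is installed. The script below is an added example, not part of the original post; the function names split_pem and check_chain_order are hypothetical, it assumes the openssl command-line tool is installed, and it handles any number of intermediates rather than only the two-file case above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a chained PEM file is
# ordered server certificate first, then each issuer in turn.

# Split PEM bundle $1 into $2/cert01.pem, cert02.pem, ...; print the count.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Exit 0 when every certificate in $1 was issued by the one after it,
# 1 when the order or bundle is wrong, 2 when a certificate does not parse.
check_chain_order() (
    tmp=$(mktemp -d) || exit 2
    count=$(split_pem "$1" "$tmp" 2>/dev/null) || count=0
    status=0
    if [ "$count" -lt 2 ]; then
        echo "$1: $count certificate(s), so no intermediates would be sent" >&2
        status=1
    fi
    i=1
    while [ "$status" -eq 0 ] && [ "$i" -lt "$count" ]; do
        this=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        next=$(printf '%s/cert%02d.pem' "$tmp" "$((i + 1))")
        # Compare name hashes: the issuer of this cert must be the next subject.
        issuer=$(openssl x509 -noout -issuer_hash -in "$this" 2>/dev/null) &&
            subject=$(openssl x509 -noout -subject_hash -in "$next" 2>/dev/null) || {
            echo "$1: certificate $i or $((i + 1)) does not parse" >&2
            status=2
            break
        }
        if [ "$issuer" != "$subject" ]; then
            echo "$1: certificate $i is not issued by certificate $((i + 1))" >&2
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    exit "$status"
)

# When run directly with a file argument, e.g. the chained .cer file.
if [ "$#" -ge 1 ]; then check_chain_order "$1" && echo "$1: chain order OK"; fi
```

Matching name hashes shows the order only, not that the signatures verify; the openssl s_client run from the post remains the end-to-end check of what the server actually sends.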