Perhaps the single most vexing issue with SSL certificate configuration is the installation of chain (a.k.a. intermediate) certificates. First of all, many site owners don't realize that they have to configure their server with one or more chain certificates in addition to their own certificate. Certificate vendors do little to inform their customers, and often make it difficult to find the correct chain (just witness this thread of people trying to find new certificate chains after switching to SHA-2 certificates). Or, they confuse matters by also including the root certificate, which doesn't need to be included with the chain.

Server software is confusing as well. Some programs require you to specify the certificate and the chain in different files, but most server software on Linux makes you append the chain to your certificate, which requires yet another manual step after purchasing a cert.

To make matters even worse, web browsers cache chain certificates, making it hard to reliably test for chain certificate problems. A website with an improperly-configured chain might load successfully in your browser if you've previously visited a different website which served the correct chain for your certificate authority. However, other users might not be so lucky to have the correct chain cached, so you can't assume that a site works for other users just because it works for you.

SSLMate solves these problems by making chain cert installation an integral part of the purchase process. There's no need to go hunting for chain certs. When you buy a cert, three .crt files are downloaded: the certificate itself, the chain certificate, and a file containing the concatenation of the two. This combination covers all the common cases of certificate configuration on Linux (and we'll soon be adding support for more exotic configurations, such as the Java key store). And last week we unveiled the sslmate test command to quickly test that your certificate has been properly installed.

However, SSLMate is committed to improving the state of SSL across the Internet, and for those cases where using SSLMate is not an option, we've developed a site, whatsmychaincert.com, as a one stop shop for chain certificate issues. This site not only tests whether a server is serving the correct chain certificate, but also generates the correct chain for you on the fly, sparing you the hassle of hunting around your certificate authority's website. It also features a configuration guide to help you configure your server with your chain certificate.