15.3. Importing an Intermediate Certificate Chain
Before beginning, please change directories into the NSS DB:
Ensure that your web service is offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS DB by other processes (such as a browser). Doing so may corrupt the NSS DB or result in improper usage of these certificates.
If you have not imported and trusted the root certificate, see Section 15.2, “Importing a Root Certificate”.
When given a series of intermediate certificates between your root and end server or client certificates, we need to import and validate the signed certificate chain in order from closest to furthest from the root CA certificate. We assume the Intermediate CAs are in files named
ca_sub_2.crt, and so on). Substitute names and paths for your certificates as appropriate to your deployment.
In the unlikely scenario that you are instead given a single file named
fullchain.pem, or similar and it contains multiple certificates, split it into the above format by copying each block (between and including the ----BEGIN CERTIFICATE----- and an -----END CERTIFICATE----- markers) to its own file. The first ones should be named
ca_sub_<num>.crtand the last will be your server cert named
service.crt. Server certificates are discussed in later sections.
First, we will import and validate any intermediate CAs in order of closest to furthest from the root CA certificate. If you don't have any, you can skip to the next section.
For more information about the
PKICertImportoptions used below, see Section 15.1, “About
For every intermediate certificate in the chain:
PKICertImport -d . -n "CA Sub $num" -t "CT,C,C" -a -i ca_sub_$num.crt -u LThis command validates and imports the Intermediate CA certificate into your NSS DB. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute
echo $?immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.