14.3. Importing an Intermediate Certificate Chain
ca_sub_2.crt, and so on). Substitute names and paths for your certificates as appropriate to your deployment.
fullchain.pem, or similar and it contains multiple certificates, split it into the above format by copying each block (between and including the ----BEGIN CERTIFICATE----- and an -----END CERTIFICATE----- markers) to its own file. The first ones should be named
ca_sub_<num>.crtand the last will be your server cert named
service.crt. Server certificates are discussed in later sections.
PKICertImportoptions used below, see Section 14.1, “About
For every intermediate certificate in the chain:
PKICertImport -d . -n "CA Sub $num" -t "CT,C,C" -a -i ca_sub_$num.crt -u LThis command validates and imports the Intermediate CA certificate into your NSS DB. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute
echo $?immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.