Parliament Hill Computers Ltd

Chaining Let's Encrypt Certificates


Why Chain Let's Encrypt Certificates ?

Let's Encrypt is a new CA (Certificate Authority), so its signing certificate is not yet installed in many trust stores. This means that many machines do not know that certificates it signs are to be trusted.

To cure this, the Let's Encrypt signing certificate is cross signed by IdenTrust, whose root certificate is widely trusted.

So: Let's Encrypt's IdenTrust signed signing certificate (the intermediate certificate) must be sent to the connecting client (eg a web browser) along with the Let's Encrypt signed certificate for your host. The client then has the complete path from your certificate, through the intermediate, to the IdenTrust root it already trusts. This is called certificate chaining.

Long term the Let's Encrypt root certificate will become widely trusted in its own right.

How to Deliver Let's Encrypt chain certificate

Apache is easy: the directive SSLCertificateChainFile is used, see here. Note that Apache 2.4.8 and later deprecate SSLCertificateChainFile; there the intermediate certificate may instead be appended to the file named by SSLCertificateFile, as described for other programs below.

Many other programs do not have a directive like SSLCertificateChainFile. For these the chain certificate should be put after the Let's Encrypt signed certificate (ie your certificate) in the same file. The order matters: your certificate comes first, the intermediate that signed it follows; each certificate in the file should be issued by the one after it. The IdenTrust root need not be included, the client already has it.

These scripts create such a file for you, it has -chained as part of the name. Eg: SignedCertificates/phcl-chained.crt
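The following is an added example, not one of the scripts described on this page: it builds a -chained file by hand in the order just described (your certificate first, then the intermediate), guards against the common mistake of a certificate file with no trailing newline (which fuses the END line of one certificate with the BEGIN line of the next), and checks the result. The file names phcl.crt, intermediate.pem and phcl-chained.crt are assumptions for the demonstration, and the PEM blocks it writes are constructed filler, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original page or its scripts.
# Builds a "-chained" certificate file in the order TLS clients expect:
#   1. your certificate (the one Let's Encrypt signed)   -- first
#   2. the intermediate (Let's Encrypt's IdenTrust-signed certificate) -- after it
# File names used below are assumptions for the demonstration.

# pem_count FILE : number of PEM certificate blocks in FILE (0 if none)
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# first_block FILE : the first PEM certificate block in FILE
first_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q'
}

# make_chained LEAF INTERMEDIATE OUT : write LEAF followed by INTERMEDIATE to OUT
make_chained() {
    leaf=$1 inter=$2 out=$3
    # Refuse non-PEM input rather than write a file the server will choke on.
    for f in "$leaf" "$inter"; do
        [ "$(pem_count "$f")" -ge 1 ] || { echo "$f: no PEM certificate found" >&2; return 1; }
    done
    {
        cat "$leaf"
        # If LEAF has no trailing newline, add one; otherwise its END line and
        # the intermediate's BEGIN line would be fused into one unreadable line.
        [ -z "$(tail -c 1 "$leaf")" ] || echo
        cat "$inter"
    } > "$out.tmp" && mv "$out.tmp" "$out"
}

# check_chained OUT LEAF : succeed only if OUT holds at least two certificates
# and the first one is LEAF (the intermediate must never come first).
check_chained() {
    out=$1 leaf=$2
    [ "$(pem_count "$out")" -ge 2 ] || { echo "$out: intermediate certificate missing" >&2; return 1; }
    [ "$(first_block "$out")" = "$(first_block "$leaf")" ] ||
        { echo "$out: your certificate is not first" >&2; return 1; }
}

# show_chain OUT : print subject and issuer of each certificate in file order
# (needs openssl; in a correct chain each certificate's issuer is the next
# certificate's subject). Not run on the constructed filler below.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# --- demonstration with constructed filler, not real certificates ---
demo=$(mktemp -d)
# Your certificate, deliberately written WITHOUT a trailing newline.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRi1DRVJUSUZJQ0FURS1GSUxMRVI=' \
    '-----END CERTIFICATE-----' > "$demo/phcl.crt"
# The intermediate, written with a trailing newline.
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRFLUZJTExFUg==' \
    '-----END CERTIFICATE-----' > "$demo/intermediate.pem"

CHAINED="$demo/phcl-chained.crt"
make_chained "$demo/phcl.crt" "$demo/intermediate.pem" "$CHAINED"
check_chained "$CHAINED" "$demo/phcl.crt" &&
    echo "$CHAINED: $(pem_count "$CHAINED") certificates, your certificate first"
```

On a real server, run show_chain on the -chained file and read the subject/issuer pairs top to bottom: the first subject is your host, its issuer is the subject of the second certificate, and the last issuer is the IdenTrust root the client already trusts.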


Next page: Using Let's Encrypt certificates in a non web environment

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.