Skip to content
SSL certificate chain resolver
Go Shell
Branch: master
Clone or download

Latest commit

Latest commit fa92b0b Apr 9, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Create FUNDING.yml Apr 9, 2020
certUtil all: gofmt Jun 16, 2018
images added tests Feb 3, 2015
tests Move local aia server to port 8080. Jun 2, 2016
.editorconfig Rewrite to Go Oct 31, 2015
.gitignore Fix test http server Jun 2, 2016
LICENCE added licence Feb 3, 2015 Update readme Jun 2, 2016 Update build script May 25, 2016
circle.yml Update build script May 25, 2016
glide.lock Update readme Jun 2, 2016
glide.yaml Update readme Jun 2, 2016
main.go Bump version Jul 3, 2018

SSL certificate chain resolver

CircleCI Licence

This application downloads all intermediate CA certificates for a given SSL server certificate. It can help you fix the incomplete certificate chain issue, also reported as Extra download by Qualys SSL Server Test.

See Releases for prebuilt binaries or build it yourself.

NOTE: In case of any troubles with Go you can try the deprecated shell script in shell branch.


   cert-chain-resolver - SSL certificate chain resolver

   cert-chain-resolver [global options] [INPUT_FILE]


   --output OUTPUT_FILE, -o OUTPUT_FILE  output to OUTPUT_FILE (default: stdout)
   --intermediate-only, -i               output intermediate certificates only
   --der, -d                             output DER format
   --include-system, -s                  include root CA from system in output
   --version, -v                         print the version


$ cert-chain-resolver -o domain.bundle.pem domain.pem
1: *
2: COMODO RSA Domain Validation Secure Server CA
3: COMODO RSA Certification Authority
Certificate chain complete.
Total 3 certificate(s) found.



go get
glide install
go build


go test $(glide novendor)


Incomplete certificate chain

All operating systems contain a set of default trusted root certificates. But CAs usually don't use their root certificate to sign customer certificates. Instead of they use so called intermediate certificates, because they can be rotated more frequently.

A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. This is the exact meaning of the Extra download message. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.

A server should always send a complete chain, which means concatenated all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.

You should be able to fetch intermediate certificates from the issuer and concat them together by yourself, this script helps you automatize it by looping over certificate's AIA extension field.

Other implementations


The MIT License (MIT). See LICENCE file for more information. TL;DR

If you use my code in some interesting project, I'd be happy to know about it.

You can’t perform that action at this time.