Monday, August 24, 2020

Sslmerge - Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate


Sslmerge is an open source tool that helps you build a valid SSL certificate chain from the root certificate to the end-user certificate. It can also help you fix an incomplete certificate chain and download all missing CA certificates.

How To Use
It's simple:
# Clone this repository
git clone https://github.com/trimstray/sslmerge

# Go into the repository
cd sslmerge

# Install
./setup.sh install

# Run the app
sslmerge -i /data/certs -o /data/certs/chain.crt
  • symlink to bin/sslmerge is placed in /usr/local/bin
  • man page is placed in /usr/local/man/man8

Parameters
Provides the following options:

Usage:
  sslmerge <option|long-option>

Examples:
  sslmerge --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
  sslmerge --in /tmp/certs --out bundle_chain_certs.crt --with-root
  sslmerge -i Server.crt -o bundle_chain_certs.crt

Options:
  --help        show this message
  --debug       displays information on the screen (debug mode)
  -i, --in      add certificates to merge (certificate file, multiple files or directory with ssl certificates)
  -o, --out     saves the result (chain) to file
  --with-root   add root certificate to the certificate chain

How it works
Let's start with the ssllabs.com certificate chain. The certificates are delivered together with sslmerge and can be found in the example/ssllabs.com directory, which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).
The correct chain for the ssllabs.com domain (the result of the openssl command):
Certificate chain
0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
The above output shows a full chain consisting of:
  • Identity Certificate (Server Certificate)
    issued for ssllabs.com by Entrust Certification Authority - L1K
  • Intermediate Certificate
    issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2
  • Intermediate Certificate
    issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority
  • Root Certificate (Self-Signed Certificate)
    issued for Entrust Root Certification Authority by Entrust Root Certification Authority

Scenario 1
In this scenario, we will chain all delivered certificates. Example of running the tool:

Scenario 2
In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:

Certificate chain
In order to create a valid chain, you must provide the tool with all the necessary certificates. These are:
  • Server Certificate
  • Intermediate CAs and Root CAs
This is very important because without it you will not be able to determine the beginning and end of the chain.
However, if you look inside the generated chain after generating with sslmerge, you will not find the root certificate there. Why?
Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.
If you want to add a root certificate to the certificate chain, call the utility with the --with-root parameter.
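
The ordering and root-handling rules described above, as an added Python illustration that is not code from sslmerge: it parses the subject/issuer lines of the ssllabs.com chain shown earlier, orders a shuffled set leaf-first and leaves out the self-signed root unless asked. parse_chain, build_chain and the note strings are hypothetical names, and the matching is by DN only, with no signature verification.

```python
import re

# Subject/issuer lines copied from the ssllabs.com chain shown on this page.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from `openssl s_client` chain output."""
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", text, re.M)
    return list(zip(subjects, issuers))

def build_chain(certs, with_root=False):
    """Hypothetical helper: order pairs leaf-first by DN only (no signature checks)."""
    by_subject = {s: (s, i) for s, i in certs}
    issuers = {i for s, i in certs if s != i}
    # The leaf is the one non-self-signed certificate that issued nothing else.
    leaves = [c for c in certs if c[0] != c[1] and c[0] not in issuers]
    if len(leaves) != 1:
        return [], ["no unique leaf (server) certificate supplied"]
    chain, notes, seen = [leaves[0]], [], {leaves[0][0]}
    while True:
        nxt = by_subject.get(chain[-1][1])
        if nxt is None:
            notes.append("issuer not supplied: " + chain[-1][1])
            break
        if nxt[0] == nxt[1]:  # self-signed root: end of the chain
            if with_root:
                chain.append(nxt)
            break
        if nxt[0] in seen:  # cross-signing loop; stop rather than spin
            notes.append("issuer loop at: " + nxt[0])
            break
        chain.append(nxt)
        seen.add(nxt[0])
    return chain, notes
```

Because only names are compared, a real deployment check still has to validate each link's signature, for example with openssl verify.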

Certification Paths
Sslmerge allows use of two certification paths:

Output comments
When generating the chain of certificates, sslmerge displays comments with information about certificates, including any errors.
Here is a list of all possibilities:

not found identity (end-user, server) certificate
This message is displayed when the server certificate, which is the beginning of the chain, is absent. This is a unique case, because sslmerge then ends its operation and displays only this information. The server certificate is the only certificate required to create a chain correctly; without it, a correct chain cannot be created.

found correct identity (end-user, server) certificate
The reverse situation: this message is displayed when a valid server certificate is found.

not found first intermediate certificate
This message appears when the first of the two intermediate certificates is not found. It does not explicitly indicate that the second intermediate certificate is absent; rather, it lets you determine whether the intermediate certificate that signed the server certificate exists. It can also be displayed when the second intermediate certificate has been delivered.

not found second intermediate certificate
Similar to the above, but it concerns the second intermediate certificate. It is still possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.

one or more intermediate certificate not found
This message means that one or all of the required intermediate certificates are missing. It is displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)
This message indicates the number of valid intermediate certificates.

not found correct root certificate
The lack of the root certificate is treated as a warning. When configuring certificates on the server side, attaching a root certificate is not recommended, but when you create the chain with sslmerge, the tool treats a chain without it as incomplete and reports that the chain was created incorrectly.

an empty CN field was found in one of the certificates
This message does not indicate an error; it reports a missing CN field, which can happen with some certificates (look at example/google.com). The Common Name field identifies the host name associated with the certificate. There is no requirement in RFC 3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Requirements
Sslmerge uses external utilities that must be installed before running:

Other

Contributing
See this.

Project architecture
See this.

