Sslmerge - Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate

Is an open source tool to help you build a valid SSL certificate chain from the root certificate to the end-user certificate. Also can help you fix the incomplete certificate chain and download all missing CA certificates.

How To Use
It's simple:

# Clone this repository
git clone https://github.com/trimstray/sslmerge

# Go into the repository
cd sslmerge

# Install
./setup.sh install

# Run the app
sslmerge -i /data/certs -o /data/certs/chain.crt

• symlink to bin/sslmerge is placed in /usr/local/bin
• man page is placed in /usr/local/man/man8

Parameters
Provides the following options:

  Usage:
    sslmerge <option|long-option>

  Examples:
    sslmerge --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
    sslmerge --in /tmp/certs --out bundle_chain_certs.crt --with-root
    sslmerge -i Server.crt -o bundle_chain_certs.crt

  Options:
        --help        show this message
        --debug       displays information on the screen (debug mode)
    -i, --in          add certificates to merge (certificate file, multiple files or directory with ssl certificates)
    -o, --out         saves the result (chain) to file
        --with-root   add root certificate to the certificate chain

How it works
Let's start with ssllabs certificate chain. They are delivered together with the sslmerge and can be found in the example/ssllabs.com directory which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).
The correct chain for the ssllabs.com domain (the result of the openssl command):

Certificate chain
 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority

The above code presents a full chain consisting of:

• Identity Certificate (Server Certificate)
  issued for ssllabs.com by Entrust Certification Authority - L1K
  
• Intermediate Certificate
  issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2
  
• Intermediate Certificate
  issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority
  
• Root Certificate (Self-Signed Certificate)
  issued for Entrust Root Certification Authority by Entrust Root Certification Authority
  

Scenario 1
In this scenario, we will chain all delivered certificates. Example of running the tool:

Scenario 2
In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:

Certificate chain
In order to create a valid chain, you must provide the tool with all the necessary certificates. It will be:

• Server Certificate
• Intermediate CAs and Root CAs

This is very important because without it you will not be able to determine the beginning and end of the chain.
However, if you look inside the generated chain after generating with sslmerge, you will not find the root certificate there. Why?
Because self-signed root certificates need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.
If you want to add a root certificate to the certificate chain, call the utility with the --with-root parameter.

Certification Paths
Sslmerge allows use of two certification paths:

Output comments
When generating the chain of certificates, sslmerge displays comments with information about certificates, including any errors.
Here is a list of all possibilities:

not found identity (end-user, server) certificate
The message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation the sslmerge ends its operation displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.

found correct identity (end-user, server) certificate
The reverse situation here - message displayed when a valid server certificate is found.

not found first intermediate certificate
This message appears when the first of the two intermediate certificates is not found. This information does not explicitly specify the absence of a second intermediate certificate and on the other hand it allows to determine whether the intermediate certificate to which the server certificate was signed exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.

not found second intermediate certificate
Similar to the above, however, it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. using the first intermediate certificate and replacing the second with the main certificate.

one or more intermediate certificate not found
This message means that one or all of the required intermediate certificates are missing and displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)
This message indicates the number of valid intermediate certificates.

not found correct root certificate
The lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create it with the sslmerge, it treats the chain as incomplete displaying information about the incorrect creation of the chain.

an empty CN field was found in one of the certificates
This message does not inform about the error and about the lack of the CN field what can happen with some certificates (look at example/google.com). Common Name field identifies the host name associated with the certificate. There is no requirement in RFC3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Requirements
Sslmerge uses external utilities to be installed before running:

• openssl

Other

Contributing
See this.

Project architecture
See this.

Download Sslmerge

More information

1. Blackhat Hacker Tools
2. Hacker Tools
3. Pentest Tools Nmap
4. New Hack Tools
5. Hak5 Tools
6. Hacker Tools For Windows
7. Top Pentest Tools
8. Termux Hacking Tools 2019
9. Pentest Box Tools Download
10. Android Hack Tools Github
11. Hack And Tools
12. Easy Hack Tools
13. Hacker Tools Github
14. Hacks And Tools
15. Tools 4 Hack
16. Hack Tool Apk No Root
17. Pentest Tools Framework
18. Hacking Tools For Windows 7
19. Pentest Tools Kali Linux
20. Hacking Tools For Mac
21. Hack Tools Pc
22. Pentest Tools Tcp Port Scanner
23. Tools Used For Hacking
24. Game Hacking
25. New Hacker Tools
26. What Is Hacking Tools
27. What Are Hacking Tools
28. Tools For Hacker
29. Hack Apps
30. Best Pentesting Tools 2018
31. Pentest Tools Url Fuzzer
32. Pentest Tools Android
33. Tools For Hacker
34. Hacker Techniques Tools And Incident Handling
35. Pentest Tools Kali Linux
36. Pentest Tools For Android
37. Hacking Tools For Windows
38. Hacker Tools 2019
39. Bluetooth Hacking Tools Kali
40. Blackhat Hacker Tools
41. Pentest Tools Open Source
42. Pentest Tools Windows
43. Hacking Tools For Beginners
44. Hacker Tools Hardware
45. How To Hack
46. Hacker Tools For Pc
47. Hacking Tools
48. Hacking Tools For Windows Free Download
49. Hacking Tools For Windows 7
50. Pentest Tools Find Subdomains
51. Hacker Tools Free Download
52. Pentest Tools Port Scanner
53. Github Hacking Tools
54. Install Pentest Tools Ubuntu
55. Underground Hacker Sites
56. Pentest Tools Apk
57. Black Hat Hacker Tools
58. Pentest Tools Review
59. Easy Hack Tools
60. Hacking Tools Kit
61. Hack Tool Apk
62. Pentest Tools For Ubuntu
63. Hacking Tools For Games
64. Hack Tools Mac
65. Pentest Tools Subdomain
66. Best Hacking Tools 2019
67. Hackers Toolbox
68. Top Pentest Tools
69. Hacker Tools For Windows
70. Wifi Hacker Tools For Windows
71. Hack Tools Download
72. Pentest Tools For Mac
73. Hacking Tools Online
74. Ethical Hacker Tools
75. Pentest Tools Website Vulnerability
76. Best Pentesting Tools 2018
77. Hack Tools For Pc
78. Kik Hack Tools
79. Hacker Tools Windows
80. Nsa Hacker Tools
81. Hacking Tools For Windows Free Download
82. Hacker Tools Mac
83. Hack Tools Mac
84. Hacker Techniques Tools And Incident Handling
85. Hacking Tools 2020
86. Pentest Tools Github
87. Hack Tools
88. Pentest Tools Linux
89. Hacking Tools For Windows
90. Pentest Tools Open Source
91. Pentest Tools Free
92. Pentest Tools Online
93. Hack Tools Download
94. Pentest Tools
95. What Are Hacking Tools
96. Hacker Tools Software
97. Hacker Security Tools
98. Hacker Tools For Mac
99. Computer Hacker
100. Pentest Tools Framework
101. Hacking Tools
102. Pentest Tools Nmap
103. Usb Pentest Tools
104. How To Hack
105. Beginner Hacker Tools
106. Hacking Tools For Windows 7
107. Hacking Tools For Beginners
108. Hacking Tools Free Download
109. Ethical Hacker Tools
110. Hacker Tools Software
111. Hacks And Tools
112. Hacker
113. Hacker Tools
114. Hacking Tools For Windows 7
115. Hacking Tools Online
116. Hack Tools For Mac
117. Blackhat Hacker Tools
118. Hacker Tools Mac
119. Hack App
120. New Hack Tools
121. Hack Website Online Tool
122. Tools Used For Hacking
123. New Hack Tools
124. Hack Tools For Ubuntu
125. Hak5 Tools
126. Pentest Tools For Ubuntu