How to Properly Bundle SSL Certificates (GoDaddy CRT + Bundle Explained)


3 views

When you generate an SSL certificate from GoDaddy, you typically receive two files:

  • mydomain.com.crt - Your primary domain certificate
  • gd_bundle.crt - The intermediate certificate bundle

The intermediate certificates create a chain of trust between your server certificate and the root certificate. Without proper bundling, some clients might show SSL warnings.

For most servers, you need to concatenate your certificate with the intermediate bundle. Here's how to do it properly:

# Linux/Unix command
cat mydomain.com.crt gd_bundle.crt > combined.crt

Apache Configuration

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/combined.crt
    SSLCertificateKeyFile /path/to/your-private.key
</VirtualHost>

Nginx Configuration

server {
    listen 443 ssl;
    ssl_certificate /path/to/combined.crt;
    ssl_certificate_key /path/to/your-private.key;
}

Use OpenSSL to verify your configuration:

openssl verify -CAfile gd_bundle.crt mydomain.com.crt
  • Order matters: Your domain cert must come first in the bundle
  • Encoding: Ensure all files are in PEM format (Base64 ASCII)
  • Permissions: Verify your web server can read the combined file

Here's how to load the certificate bundle in Node.js:

const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('combined.crt')
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('Secure connection established\n');
}).listen(443);

When you generate an SSL certificate from GoDaddy, you typically receive two files:

  • mydomain.com.crt - Your domain's primary certificate
  • gd_bundle.crt - The intermediate certificate chain

The intermediate certificates in gd_bundle.crt are crucial for establishing trust between your server certificate and the root certificate. Without proper bundling, some browsers might show security warnings.

To create a proper certificate bundle, concatenate the files in this order:

cat mydomain.com.crt gd_bundle.crt > ssl-bundle.crt

Here's how to use the bundled certificate in different server environments:

Apache Configuration

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/mydomain.com.crt
    SSLCertificateKeyFile /path/to/your-private.key
    SSLCertificateChainFile /path/to/gd_bundle.crt
</VirtualHost>

Nginx Configuration

server {
    listen 443 ssl;
    ssl_certificate /path/to/ssl-bundle.crt;
    ssl_certificate_key /path/to/your-private.key;
    # Rest of your configuration...
}

Use OpenSSL to verify your certificate chain is properly formed:

openssl verify -CAfile gd_bundle.crt mydomain.com.crt
  • Never include the private key in your bundle
  • Don't include the root certificate in your bundle
  • Maintain the correct order (server cert first, then intermediates)

If you encounter issues:

  1. Check the certificate chain using SSL Labs' tester
  2. Verify file permissions (usually 644 for certs, 600 for private key)
  3. Ensure your server is configured to send the full chain