Hard to tell for sure, but your chain indeed seems broken somehow. So make sure that Intermediate.pem is coming from a trusted source before relying on the command above.

Verify Certificate Chain.

Here I will show 2 ways to check a certificate chain:

Manually check the cert using keytool;
Check the chain using OpenSSL;

1. The key pair is used to secure network communications and establish […]

In most cases, you will be asked to provide the certificate and the chain in one PEM certificate file.

-----BEGIN CERTIFICATE-----
If you are including the server cert in the chain, it goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
The last CA in the chain goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate / Subordinate CA's go here, one after the other, ascending order
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
The Root CA Certificate goes here
-----END CERTIFICATE-----

SSLv2 should be disabled on any web server you control.

More Information

Certificates are used to establish a level of trust between servers and clients.

This section provides a tutorial example on how to use 'OpenSSL' to view certificates in DER and PEM formats generated by the 'keytool -exportcert' command.

In this blog post, we show you how to import PFX-formatted certificates into AWS Certificate Manager (ACM) using OpenSSL tools.

I may show examples of using OpenSSL, but documenting its use is out of scope for this article. For simplicity, let's assume that you may have an easier method to get YOUR chain but I'll show how to build the chain by hand.

Use the -showcerts flag to show the full certificate chain, and manually save all intermediate certificates to the chain.pem file:

openssl s_client -showcerts -host example.com -port 443