Generating a certificate chain
When entities present certificates, the other party needs to verify the full chain from the root certificate, which it already has, to the leaf certificate. In practice, this means that the client also needs to present intermediate certificates.
Because of this, certificates are usually handled in bundles (I think that’s the term), and they seem to usually have a .crt
file extension.
As far as I can tell, cfssl provides multiple tools to do this, but I couldn’t get them to work. That’s not an issue though, because certificate bundles are simple concatenations of the certificates:
cat certs/foo.pem intermediate/intermediate-01.pem > certs/foo.crt
Including the root certificate is optional. I’m not sure if it makes a difference and couldn’t tell which way is more robust.