Lumen help

Determine TLS certificate order

To determine TLS certificate order:

                openssl version

You should see output like OpenSSL 1.0.2l 25 May 2017.

                openssl x509 -noout -subject -in certificate1.pem

If the certificate is the site certificate, you will see the domain of your site in the output. e.g.

subject= /


If your domain is listed as a Subject Alternate Name(SAN) on a certificate you won’t see it under subject using the above method. You will need to examine the rest of the certificate.


For linux/mac based command prompt, run:

                openssl x509 -text -noout -in certificate1.pem | grep "DNS"

For windows based command prompt, run:

                openssl x509 -text -noout -in certificate1.pem | findstr "DNS"

You should see a list of SAN domains on that certificate. If that list contains your domain name, then this certificate is your domain certificate.

Determine intermediate certificate order

Each certificate contains information about its issuer. The issuer is the next link in the SSL chain. The SSL chain will be domain certificate ‑> intermediate certificate(s) ‑> root certificate

Determine the intermediate certificate of your domain certificate by examining the issuer of your domain cert with the following command.

                openssl x509 -noout -issuer -in certificate1.pem

You should see output such as issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3.


Then you can compare this against the subject of the other certificate files to find one that matches the issuer above.

                openssl x509 -noout -subject -in certificate2.pem

If this is the correct intermediate certificate, you will see a matching subject to the issuer of the domain certificate. subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3. This is your first intermediate certificate. So the certificate chain so far is certificate1.pem ‑> certificate2.pem.


Now look at the issuer of certificate2.pem.

                openssl x509 -noout -issuer -in certificate2.pem

If this is the only intermediate certificate in the chain, the issuer will result in a Root issuer (e.g., issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3). If you don’t see an issuer that contains “Root CA” then there is likely another intermediate certificate. Examine the issuer of each certificate you have and match it with the subject of the next intermediate certificate until you see the issuer is a Root CA. This resulting order is your SSL chain.