An SSL (Secure Sockets Layer) certificate chain must be valid for browsers and Salesforce to trust an SSL certificate. A certificate chain is considered valid when a chain of authority can be established from the end-entity certificate, through one or more intermediate certificates, up to a trusted Root Certificate stored in the browser or operating system.
This article explains how to manually validate whether an SSL intermediate certificate chain is correctly assembled. This is particularly relevant when configuring custom domains, Named Credentials, or SSL certificates in Salesforce — where an invalid or incorrect intermediate chain can cause trust errors.
$ openssl x509 -in cert.txt -issuer -noout issuer= /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K $ openssl x509 -in entrustintermediate1.txt -subject -issuer -noout subject= /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K issuer= /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 $ openssl x509 -in entrustintermediate2.txt -subject -issuer -noout subject= /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 issuer= /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority $ openssl x509 -in entrustroot.txt -subject -issuer -noout subject= /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority issuer= /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
$ openssl x509 -in cert.txt -issuer -noout issuer= /C=US/O=thawte, Inc./CN=thawte SHA256 SSL CA $ openssl x509 -in intermediate.txt -subject -issuer -noout subject= /C=US/O=Thawte, Inc./CN=Thawte SSL CA issuer= /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA $ openssl x509 -in root.txt -subject -issuer -noout subject= /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
000391704

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.