Given a certificate filename as input, mkchain will attempt to build the
intermediate certificate chain, and print it to stdout. This replaces the
need to copy/edit cert-vendor provided chain files and deal with certificate
order.

    $ rake install
    $ mkchain site.example.com.crt > site.example.com.chain
    $ mkchain -c 2025-05-30 site.example.com.crt > site.example.com.chain
    $ mkchain -lr site.example.com.crt > site.example.com.fullchain

You can also invoke mkchain from Ruby code:

    require 'mkchain'
    chain_str = MkChain.new(include_root: true).chain(File.read(cert_filename))

This method returns a string containing the contents of the intermediate
chain in PEM format. If no chain can be built from the certificate, a
MkChain::NoChainFoundException will be raised. If no chain is necessary
(i.e., if the certificate was signed directly by the root CA), then an empty
string will be returned.

This method of building an intermediate chain depends on the signing
certificate being referenced (by URL) in the authorityInfoAccess X.509
extension field under CA Issuers. That's a common but not universal pattern.