rancher-docs/layouts/shortcodes/ssl_faq.html

<h3>How do I know if my certificates are in PEM format?</h3>

<p>You can recognize the PEM format by the following traits:</p>
<ul>
	<li>The file begins with the following header:<br/> <code>-----BEGIN CERTIFICATE-----</code></li>
	<li>The header is followed by a long string of characters. Like, really long.</li>
	<li>The file ends with a footer:<br/> <code>-----END CERTIFICATE-----</code></li>
</ul>

<p><strong>PEM Certificate Example:</strong></p>

<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
----BEGIN CERTIFICATE-----
MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
... more lines
VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
-----END CERTIFICATE-----
</pre>

<h3>What is the order of certificates if I want to add my intermediate(s)?</h3>

<p>The order of adding certificates is as follows:</p>

<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
-----BEGIN CERTIFICATE-----
%YOUR_CERTIFICATE%
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
%YOUR_INTERMEDIATE_CERTIFICATE%
-----END CERTIFICATE-----
</pre>

<h3>How do I validate my certificate chain?</h3>

<p>You can validate the certificate chain by using the <code>openssl</code> binary. If the output of the command (see the command example below) ends with <code>Verify return code: 0 (ok)</code>, your certificate chain is valid. The <code>ca.pem</code> file must be the same as you added to the <code>rancher/rancher</code> container. When using a certificate signed by a recognized Certificate Authority, you can omit the <code>-CAfile</code> parameter.</p>

<p><strong>Command</strong></p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
openssl s_client -CAfile ca.pem -connect rancher.yourdomain.com:443
...
    Verify return code: 0 (ok)
</pre>