To determine TLS certificate order:
You should see output like OpenSSL 1.0.2l 25 May 2017.
In your command prompt, go to the directory where you placed the certificates.
You will need to determine which certificate is the one issued to your site(s).
Run the following command in your command prompt window where certificate1.pem is the file name of a certificate you are testing:
If the certificate is the site certificate, you will see the domain of your site in the output. e.g.
subject= /CN=www.yoursite.com
If your domain is listed as a Subject Alternate Name(SAN) on a certificate you won’t see it under subject using the above method. You will need to examine the rest of the certificate.
For linux/mac based command prompt, run:
For windows based command prompt, run:
You should see a list of SAN domains on that certificate. If that list contains your domain name, then this certificate is your domain certificate.
Each certificate contains information about its issuer. The issuer is the next link in the SSL chain. The SSL chain will be domain certificate ‑> intermediate certificate(s) ‑> root certificate
Determine the intermediate certificate of your domain certificate by examining the issuer of your domain cert with the following command.
You should see output such as issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3.
Then you can compare this against the subject of the other certificate files to find one that matches the issuer above.
If this is the correct intermediate certificate, you will see a matching subject to the issuer of the domain certificate. subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3. This is your first intermediate certificate. So the certificate chain so far is certificate1.pem ‑> certificate2.pem.
Now look at the issuer of certificate2.pem.
If this is the only intermediate certificate in the chain, the issuer will result in a Root issuer (e.g., issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3). If you don’t see an issuer that contains “Root CA” then there is likely another intermediate certificate. Examine the issuer of each certificate you have and match it with the subject of the next intermediate certificate until you see the issuer is a Root CA. This resulting order is your SSL chain.