michael orlitzky

New Gandi certificates in Apache 2.4

posted 2015-03-14; updated 2016-05-05

Update 2016-05-05

It looks like the “intermediate certificate” that Gandi gives you now contains the Comodo cross-signed certificate (in the correct order). That means you don't need this article anymore. The original Certificate Chains in Apache 2.4 has you covered. The executive summary is,

user $ cat www.example.com.crt GandiStandardSSLCA2.pem > combined.crt

Now use combined.crt for your site.


In Apache 2.4, you're supposed to chain your SSL certificates together manually (see Certificate Chains in Apache 2.4). The new Gandi SHA-2 certificates need not only the intermediate chain, but also the Comodo cross-signed certificate for this to work reliably in all browsers.

Note: before January 1st 2016, you may have to explicitly use sha256 when generating your CSR. Otherwise you'll get a SHA-1 certificate and this article won't make much sense. My vhost-ssl-request script does this for you.


First, make sure you have your site's certificate saved as www.example.com.crt.

Next, download the Comodo cross-signed certificate as comodo-cross.pem. This can be found on the Gandi wiki page Retrieving the Gandi Intermediate Certificate (but the file they provide is binary).

Now, download the Gandi intermediate chain, GandiStandardSSLCA2.pem.

Finally, concatenate all three together:

user $ cat www.example.com.crt GandiStandardSSLCA2.pem comodo-cross.pem > combined.crt

Configure Apache to use combined.crt and reload it.

do it work

SSL Shopper has a tool that will check to make sure everything is working correctly. You should get all green check marks.