Creating a single SSL certificate bundle from CA root and intermediate certificates

When you purchase an SSL certificate for a domain, e.g. to secure HTTPS usage with your web server, your certificate download may provide you several files like this: : this is your domain certificate

Files that look this are the root and intermediate certificates:



Depending how your SSL vendor supplies these files, the second two files may be provided already bundled in one file or two separate files.

To combine them together into one bundle file, use cat to concat the files:

cat yourdomain_com.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt >

Open the file and check that each start and end comment for each cert are on their own line and not on the same line (see here).

http-server with self-signed certs and enabling support in Chrome

To test loading a site locally with http-server you need to generate self-signed certs:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key.pem -out cert.pem

Now start up http-server using the new cert:

http-server -S -C cert.pem -o .

If you attempt to browse https://localhost:8080 though, Chrome will block self-signed certs by default. To allow self-signed certs, enter in your Chrome address bar:


And then enable the highlighted setting:

SSLProtocolException in SE7 & SE8: “handshake alert: unrecognized_name”

Caused by: com.sun.jersey.api.client.ClientHandlerException: handshake alert:  
unrecognized_name at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle ( 
at com.sun.jersey.api.client.Client.handle( 
at com.sun.jersey.api.client.WebResource.handle( 
at com.sun.jersey.api.client.WebResource.access$200( 
at com.sun.jersey.api.client.WebResource$ 68) 

This exception is from an SSL check in SE7 and above that checks that your SSL certificate matches your domain name. For development, if you’re using a self-signed SSL certificate for testing which does not match your domain name, you can turn off the check and ignore the error with: