How can I manually create a CA Bundle

Customers installing GeoTrust or RapidSSL SSL certificates often encounter installation issues due to missing or incomplete CA bundles. This guide explains how to manually build the correct CA bundle file for your SSL certificate using publicly available intermediate and root certificates from DigiCert. By following these steps, you’ll ensure a complete trust chain is installed, improving compatibility across web browsers and servers.

The process involves identifying the correct intermediate certificate, locating its issuing root, and combining both into a properly ordered PEM file. This CA bundle can then be used in WHM/cPanel, Plesk, Apache, or Nginx installations.

1. Determine Your Certificate Type and Algorithm

Check your SSL certificate details or your order confirmation to determine:

• Whether you purchased a GeoTrust or RapidSSL certificate
• If your certificate uses RSA or ECC cryptography

Most customers will be using RSA certificates by default, as these offer the widest compatibility.

2. Download the Intermediate Certificate

Use the appropriate DigiCert-hosted link below based on your certificate brand and algorithm:

GeoTrust:

• GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 (PEM)
• GeoTrust G5 TLS ECC P-384 SHA384 2022 CA1 (PEM)

RapidSSL:

• RapidSSL G5 TLS RSA4096 SHA384 2022 CA1 (PEM)
• RapidSSL G5 TLS ECC P-384 SHA384 2022 CA1 (PEM)

Save the correct file based on your certificate type.

3. Download the Matching Root Certificate

Each intermediate certificate is issued by a DigiCert root. Download the corresponding root certificate using the links below:

• DigiCert TLS RSA4096 Root G5 (PEM)
• DigiCert TLS ECC P384 Root G5 (PEM)

Choose the root that matches your intermediate (RSA or ECC).

4. Combine Intermediate and Root into a CA Bundle

Open both the intermediate and root .crt or .pem files in a text editor such as Notepad++ or VS Code. Copy and paste the entire contents of both files into a new text file in the following order:

1. Intermediate certificate (top)
2. Root certificate (bottom)

Save this file as ca_bundle.pem or bundle.crt, depending on your server requirements.

5. Upload or Install the CA Bundle on Your Server

Depending on your hosting environment, use one of the following methods:

cPanel / WHM

• Navigate to SSL/TLS > Manage SSL Sites
• Upload your certificate, private key, and CA bundle
• Ensure the Certificate Authority Bundle (CABUNDLE) field is filled with the contents of your new file

Plesk

• Go to Domains > SSL/TLS Certificates
• Choose Add SSL Certificate
• Upload certificate, private key, and paste the CA bundle into the appropriate field

Apache / Nginx

Ensure your configuration references the CA bundle:

Apache

cat cert.pem ca_bundle.pem > fullchain.pem

Then

SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/private.key

Nginx

ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/private.key;  

6. Restart Your Web Server & Test the SSL.

After uploading the CA bundle, restart your web server or apply the changes via your control panel to ensure the SSL installation is recognised correctly.