
Warning: the intermediate certificate chain is not valid for this TLS certificate, while uploading a custom domain certificate in Mendix Cloud

Issue

To set up a custom domain in Mendix Cloud, a signed Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate should be uploaded to the Custom Domain tab under the Cloud Settings in Mendix Portal. While uploading this custom domain certificate in Privacy Enhanced Mail (PEM) format, the following warning is shown:

The intermediate certificate chain is not valid for this TLS certificate 

Environment

Applications hosted in Mendix Cloud

Cause

After confirming that both the TLS certificate and the intermediate certificate are in valid PEM format (beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----), this warning normally appears when the uploaded intermediate certificate does not correctly match the TLS certificate.

This can happen when:

  • The wrong intermediate certificate is used. The intermediate provided during upload is not the one that actually signed the TLS certificate.
  • The intermediate's Subject does not match the TLS certificate's Issuer. For the certificate chain to be valid, the TLS certificate's Issuer field must match the intermediate certificate's Subject field. If they do not match exactly, the platform cannot validate that the TLS certificate was signed by the provided intermediate.

Solution / Workaround

Verify that the intermediate certificate is valid for your TLS certificate by running the following OpenSSL commands in the terminal:

  1. Check the TLS certificate's Issuer by running:

     openssl x509 -in TLS_CERT_FILE_LOCATION_HERE -noout -issuer

  2. Check the intermediate certificate's Subject by running:

     openssl x509 -in INTERMEDIATE_CERT_FILE_LOCATION_HERE -noout -subject

  3. Compare the fields.

The Issuer of the TLS certificate must match the Subject of the intermediate certificate. If these fields are identical, the intermediate is the correct signer for the TLS certificate.

If the fields do not match exactly, download the correct intermediate certificate from your Certificate Authority's repository (for example, Sectigo's intermediate certificate library). Once the matching intermediate certificate is uploaded alongside the TLS certificate, the chain validation process should succeed.
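The three steps above combined into one script, added here as an example (it is not Mendix's own tooling). It goes one step beyond the name comparison and also checks the signature with openssl verify, because two intermediates can carry the same Subject while holding different keys. The function names cert_name and check_chain and the return codes are this example's own, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example. Assumes OpenSSL 1.1.0+ (-no-CApath, and a non-zero exit
# status from "openssl verify" on failure). File arguments are your PEM files.

# Print a certificate's issuer or subject in one-line RFC 2253 form, so the
# comparison does not depend on OpenSSL's default display formatting.
# $1 = PEM file, $2 = "issuer" or "subject"
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
        sed "s/^$2= *//"
}

# check_chain TLS_CERT INTERMEDIATE
# Returns 0 = chain OK, 1 = Issuer/Subject mismatch,
#         2 = names match but verification fails, 3 = unreadable input.
check_chain() {
    leaf=$1
    inter=$2
    issuer=$(cert_name "$leaf" issuer)
    subject=$(cert_name "$inter" subject)
    if [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "ERROR: could not read a certificate from one of the files"
        return 3
    fi
    echo "TLS certificate Issuer: $issuer"
    echo "Intermediate Subject:   $subject"
    if [ "$issuer" != "$subject" ]; then
        echo "MISMATCH: Issuer and Subject differ, wrong intermediate"
        return 1
    fi
    # Names match. Confirm the certificate verifies against this intermediate:
    # -partial_chain treats the intermediate as the trust anchor and
    # -no-CApath keeps the system trust directory out of the decision.
    if ! out=$(openssl verify -no-CApath -partial_chain \
                   -CAfile "$inter" "$leaf" 2>&1); then
        echo "VERIFY FAILED: names match, but the certificate does not verify"
        echo "$out"
        return 2
    fi
    echo "OK: the intermediate matches and verifies the TLS certificate"
    return 0
}

# Run directly as: sh check_chain.sh TLS_CERT.pem INTERMEDIATE.pem
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

A return code of 2 also covers an expired certificate, since openssl verify checks validity dates; the printed OpenSSL error line says which case applies.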

If the same warning persists after trying the steps above, Mendix Support cannot assist: troubleshooting SSL/TLS certificate issues is outside the scope of support. For more information, refer to What we expect from you.

Internal information related

  • 265458

Additional information

Mendix documentation:
