On a tangent, this file format (and order) was actually finally standardized as "application/pem-certificate-chain" by RFC 8555 section 9.1 (the Automatic Certificate Management Environment protocol, or ACME). On Wed, May 6, 2020 at 2:59 PM Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote: > Get rid of the call to use_certificate_file and put everything the server should be sending into the chain file, in the order described in the OpenSSL documentation: entity certificate, certificate for its issuer, and so on up to and including the root. (I've just noticed the docs don't say whether use_certificate_chain_file specifies SSL_BUILD_CHAIN_FLAG_NO_ROOT when it calls add1_chain_cert, so offhand I don't know whether this will cause the root to be included in the chain the server sends. But that shouldn't really matter.)