How to build a CA bundle for GeoTrust and RapidSSL certificates

Missing or incomplete CA bundles cause SSL installation failures on GeoTrust and RapidSSL certificates. Browsers display security warnings when the certificate chain is broken, even though your certificate itself is valid.

You will build a complete CA bundle by downloading the correct intermediate and root certificates from DigiCert, then combining them in the proper order. This creates a valid trust chain that works across all browsers and server configurations.

Before you begin

You need your SSL certificate order confirmation or certificate file to identify the type and algorithm.
Access to your server or hosting control panel is required to upload the CA bundle.
A text editor such as Notepad++ or VS Code is needed to combine certificate files.

Identify your certificate type and algorithm

The correct intermediate and root certificates depend on whether you purchased a GeoTrust or RapidSSL certificate and which cryptographic algorithm it uses. Most certificates use RSA by default, which offers the widest compatibility.

Check your order confirmation email.
Look for the certificate brand (GeoTrust or RapidSSL) and algorithm type (RSA or ECC). This information appears in the order details or certificate specifications.
Note the algorithm.
RSA certificates are the standard option. ECC certificates use elliptic curve cryptography and are less common. You need this information to download the correct files in the next steps.

With your certificate type and algorithm confirmed, you can download the matching intermediate certificate.

Download the intermediate certificate

The intermediate certificate links your SSL certificate to the trusted root. DigiCert hosts these files publicly for GeoTrust and RapidSSL certificates.

Select the correct intermediate certificate link.
Use the link that matches your certificate brand and algorithm from the list below.

GeoTrust certificates:

RapidSSL certificates:

Save the file to your computer.
Your browser downloads the file with a .crt.pem extension. Keep this file for the next step where you will combine it with the root certificate.

You now have the intermediate certificate. Next, you need the root certificate that issued it.

Download the root certificate

The root certificate sits at the top of the trust chain. All GeoTrust and RapidSSL intermediate certificates are issued by DigiCert roots.

Select the root certificate that matches your algorithm.
RSA intermediate certificates require the RSA root. ECC intermediate certificates require the ECC root.

Save the root certificate file.
Store this alongside your intermediate certificate. You will combine both files to create the complete CA bundle.

With both certificates downloaded, you can build the CA bundle file.

Combine the certificates into a CA bundle

The CA bundle must contain the intermediate certificate first, followed by the root certificate. This order establishes the correct trust chain from your SSL certificate up to the trusted root.

Open the intermediate certificate in a text editor.
Use Notepad++, VS Code or any plain text editor. The file contains a block of text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
Copy the entire intermediate certificate.
Select all text from the beginning to the end, including both BEGIN and END lines.
Create a new text file.
Open a new blank document in your text editor.
Paste the intermediate certificate.
Paste the copied text into the new file. This goes at the top of your CA bundle.
Open the root certificate.
Open the root certificate file you downloaded earlier in the same text editor.
Copy and paste the root certificate below the intermediate.
Copy the entire root certificate content and paste it directly below the intermediate certificate in your new file. There should be no blank lines between the two certificates.
Save the combined file.
Save this file as ca_bundle.pem or bundle.crt, depending on what your server or control panel expects. This is your complete CA bundle.

Your CA bundle is ready to install. The next step depends on your hosting environment.

Install the CA bundle on your server

The installation method varies by control panel and web server. You will upload or paste the CA bundle contents alongside your SSL certificate and private key.

cPanel or WHM

Navigate to the SSL management interface.
In cPanel, go to SSL/TLS and click Manage SSL Sites. In WHM, go to SSL/TLS and select Install an SSL Certificate on a Domain.
Upload your certificate files.
Paste your SSL certificate into the Certificate field and your private key into the Private Key field.
Add the CA bundle.
Open your ca_bundle.pem file in a text editor, copy the entire contents and paste it into the Certificate Authority Bundle (CABUNDLE) field.
Install the certificate.
Click Install Certificate to apply the changes.

Plesk

Open the SSL certificate manager.
Go to Domains, select your domain and click SSL/TLS Certificates.
Add a new certificate.
Click Add SSL Certificate.
Upload the certificate and key.
Paste your SSL certificate and private key into their respective fields.
Add the CA bundle.
Paste the contents of your ca_bundle.pem file into the CA certificate field.
Save the certificate.
Click Upload Certificate to complete the installation.

Apache

Apache requires a full chain file that combines your certificate with the CA bundle.

Create a full chain file.
Combine your certificate and CA bundle into a single file using this command:

cat cert.pem ca_bundle.pem > fullchain.pem

Update your Apache configuration.
Edit your virtual host configuration file and add these directives:

SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/private.key

Restart Apache.
Apply the changes by restarting the web server with systemctl restart apache2 or systemctl restart httpd.

Nginx

Nginx also requires a full chain file combining your certificate and CA bundle.

Create a full chain file.
Combine your certificate and CA bundle using the same command as Apache:

cat cert.pem ca_bundle.pem > fullchain.pem

Update your Nginx configuration.
Edit your server block and add these directives:

ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/private.key;

Restart Nginx.
Apply the changes by restarting the web server with systemctl restart nginx.

Your CA bundle is now installed. Test the certificate to confirm the complete chain loads correctly.

Verify the SSL installation

Testing confirms that browsers can validate the complete certificate chain from your SSL certificate through the intermediate to the trusted root.

Visit your site with HTTPS.
Open your domain in a web browser using https://yourdomain.co.uk. Check that the padlock icon appears in the address bar with no warnings.
Run an SSL checker.
Use Qualys SSL Labs to test your certificate. Enter your domain and wait for the scan to complete. The report should show a complete certificate chain with no missing intermediates.

If the test shows errors, check that you downloaded the correct intermediate and root certificates for your certificate type and algorithm. The order in your CA bundle must be intermediate first, then root.

Wrapping up

Your GeoTrust or RapidSSL certificate now has a complete CA bundle installed. You identified your certificate type, downloaded the correct intermediate and root certificates from DigiCert, combined them in the proper order and installed the bundle on your server. Browsers can now validate the full trust chain without warnings.

If you prefer automated SSL management, install SSL certificates with certbot for Let’s Encrypt certificates that handle bundles automatically. Once your certificate is working, configure HTTPS in WordPress to ensure your site uses secure connections properly. For more server administration guidance, see our guide on how to manage your VPS.

If you run into any trouble, get in touch and our team will be happy to help.