Multiple Block PEM File


🧾 Example: Multi-block PEM File (fullchain.pem)

This example shows three PEM blocks, in order: a leaf (end-entity) certificate, an intermediate certificate, and a root certificate.

# ───────────────────────────────
# 1️⃣  Leaf / Server Certificate
# ───────────────────────────────
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIUZkO4b21XlEq5w3rxh83e4W0ixmowDQYJKoZIhvcNAQEL
BQAwRzELMAkGA1UEBhMCU0cxEjAQBgNVBAoMCU1pZGRsZVJvb3QxEzARBgNVBAMM
Ck1pZGRsZSBSb290MB4XDTI1MDEwMTAwMDAwMFoXDTI2MDEwMTAwMDAwMFowRzEL
MAkGA1UEBhMCU0cxEjAQBgNVBAoMCVNlcnZlciBDb3JwMRMwEQYDVQQDDAp3d3cu
ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvXhbT
aDz3pP1ivEZXEXAMPLEBASE64DATAz2qk4w0M5qjkaD6Jz7jA1Mbtv8gl
-----END CERTIFICATE-----

# ───────────────────────────────
# 2️⃣  Intermediate Certificate
# ───────────────────────────────
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIUQ7oXEXAMPLEBASE64DATA++3QIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBj9qjYTmXgXr6Rw1fwK7w4kyoTn6oMx8hR6TXbEwUuBQ...
-----END CERTIFICATE-----

# ───────────────────────────────
# 3️⃣  Root Certificate
# ───────────────────────────────
-----BEGIN CERTIFICATE-----
MIIDdjCCAl6gAwIBAgIUTEXAMPLEBASE64DATA4nM5n2bD4SxQIDAQABMA0GCSqGSIb3DQEB
CwUAA4IBAQBkLkYxRCdYpZbF...
-----END CERTIFICATE-----

🧩 What These Blocks Mean

| Block | Type | Role | Verified By |
|---|---|---|---|
| 1️⃣ Leaf / Server certificate | End-entity | Identifies your domain (www.example.com) | The intermediate CA |
| 2️⃣ Intermediate certificate | CA (Certificate Authority) | Links your leaf certificate to a trusted root | The root CA |
| 3️⃣ Root certificate | Trusted anchor | Self-signed, pre-installed in browsers/OS | - (trust anchor) |

Your web server usually serves the first two (leaf + intermediate) to clients; the root is already trusted on users’ systems.


🧠 Understanding “Subject” and “Issuer”

Every X.509 certificate contains two key identity fields:

| Field | Meaning | Example |
|---|---|---|
| Subject | The entity the certificate belongs to (the owner) | CN=www.example.com, O=Server Corp, C=SG |
| Issuer | The entity that issued and signed the certificate | CN=Middle Root, O=MiddleRoot CA, C=SG |

So, for our chain:

| Certificate | Subject | Issuer |
|---|---|---|
| Leaf | CN=www.example.com | CN=MiddleRoot CA |
| Intermediate | CN=MiddleRoot CA | CN=TopRoot CA |
| Root | CN=TopRoot CA | CN=TopRoot CA (self-signed) |

This creates a trust chain: Root → Intermediate → Leaf (your site)


🧩 Checking Subjects and Issuers with OpenSSL

You can inspect a certificate like this (openssl x509 reads only the first block in the file, so here it shows the leaf):

openssl x509 -in fullchain.pem -noout -subject -issuer

If you want to view all certificates inside one file:

# Start a new file at each BEGIN line; lines before the first block are skipped
awk '/-----BEGIN CERTIFICATE-----/ {c++} c {print > ("cert" c ".pem")}' fullchain.pem
for f in cert*.pem; do
  echo "== $f =="; openssl x509 -in "$f" -noout -subject -issuer
done

This splits the multi-block PEM into separate files (cert1.pem, cert2.pem, etc.) and prints their subjects/issuers.
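Before splitting a chain file, it helps to confirm that every block is well formed and that nothing other than certificates ended up in it. The following is an added example, not part of the original page: a structural check in Python that walks the BEGIN/END boundaries, decodes each block, and flags unclosed blocks, invalid base64, and private keys in a chain file. The names split_pem, lint_chain_file and pem_block are hypothetical, the sample input is constructed, and the check does not parse subjects or issuers or verify signatures.

```python
import base64
import re

# Boundary lines; anything outside a BEGIN/END pair (comments, notes) is skipped.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def split_pem(text):
    """Return (blocks, problems); each block is (label, decoded_bytes)."""
    blocks, problems, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        m = BOUNDARY.match(line.strip())
        if m and m.group(1) == "BEGIN":
            if label is not None:
                problems.append(f"line {n}: BEGIN inside unterminated {label} block")
            label, body = m.group(2), []
        elif m:  # END line
            if label != m.group(2):
                problems.append(f"line {n}: END {m.group(2)} without matching BEGIN")
            else:
                try:
                    blocks.append((label, base64.b64decode("".join(body), validate=True)))
                except ValueError:  # binascii.Error is a ValueError
                    problems.append(f"line {n}: {label} block is not valid base64")
            label = None
        elif label is not None:
            body.append(line.strip())
    if label is not None:
        problems.append(f"end of file: {label} block never closed")
    return blocks, problems

def lint_chain_file(text):
    """Flag content that a served fullchain.pem should not contain."""
    blocks, problems = split_pem(text)
    for i, (label, data) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i}: private key in a chain file")
        elif label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected {label} block")
        elif data[:1] != b"\x30":
            problems.append(f"block {i}: payload does not start with a DER SEQUENCE")
    return blocks, problems

def pem_block(label, payload):  # hypothetical helper that builds the sample below
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed sample: placeholder bytes, not real certificates or keys.
SAMPLE = ("# leaf\n" + pem_block("CERTIFICATE", b"\x30\x04leaf") + "# intermediate\n"
          + pem_block("CERTIFICATE", b"\x30\x04intm") + pem_block("PRIVATE KEY", b"\x30\x03key")
          + "-----BEGIN CERTIFICATE-----\nMIID...\n")
```

To check a real file, pass its contents to lint_chain_file, for example lint_chain_file(open("fullchain.pem").read()), and review the returned list of problems.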


📈 Summary

  • PEM: Text format for certificates/keys.
  • Multiple blocks: Represent the certificate chain.
  • Subject: Who the certificate is for.
  • Issuer: Who signed it.
  • The chain ensures browsers can verify trust all the way to a known root CA.