This guide explains how to install a PositiveSSL certificate chain for Node.js and verify that clients complete handshake cleanly. It is a practical troubleshooting walkthrough based on recurring production incidents where cert and chain files were valid individually but wrong in combination. We cover chain order, PEM formatting, file permissions, startup checks, and client-side verification, with companion controls in the SSL and certificates playbook.
What usually goes wrong
Most TLS incidents are not caused by bad keys. They come from chain order mistakes, mixed encoding, or incomplete deployment bundles.
Step 1: Prepare files
You typically need:
- private key file
- server certificate file
- intermediate chain file
Store with strict permissions and predictable paths.
Step 2: Confirm key and cert pairing
1 | openssl x509 -noout -modulus -in server.crt | openssl md5 |
Hashes should match.
Step 3: Load TLS options in Node.js
1 | const options = { |
If your provider gives multiple intermediates, keep order explicit.
Step 4: Test handshake and chain exposure
1 | openssl s_client -connect your-host:443 -servername your-host -showcerts |
Review chain blocks and verification result.
Troubleshooting patterns
unable to get local issuer certificatemeans intermediate chain is missing or wrong.- Browser works but CLI fails can indicate client trust-store differences.
- Intermittent failure after deploy can mean mixed old/new cert files on multi-node rollout.
Caution
Certificate updates should be deployed atomically with restart and verification. Partial rollout with mixed certificate sets can create hard-to-diagnose behavior.
FAQ
Should chain cert be concatenated into cert?
Depends on stack. In Node.js, separate ca is generally clearer for maintenance.
Do I need full service restart?
Yes, unless your process explicitly supports safe live cert reload.
What should I log during rollout?
Handshake errors by client IP and protocol version, plus startup read-path checks.