diff --git a/daemon/remote.c b/daemon/remote.c
index a9ec7bd92..300b9922c 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
 goto setup_error;
 }
 verbose(VERB_ALGO, "setup SSL certificates");
- if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
 log_err("Error for server-cert-file: %s", s_cert);
- log_crypto_err("Error in SSL_CTX use_certificate_file");
+ log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
 goto setup_error;
 }
 if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
diff --git a/doc/Changelog b/doc/Changelog
index 37ef28aea..0b130e4a0 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+18 July 2015: Willem - Allow certificate chain files to allow for intermediate certificates. (thanks Daniel Kahn Gillmor)
+
 13 July 2015: Wouter - makedist produces sha1 and sha256 files for created binaries too.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index d4b147d67..571b4d0b0 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
 if(cfg->remote_control_use_cert) {
 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
 ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+ if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
 !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) ||
 !SSL_CTX_check_private_key(ctx))
 ssl_err("Error setting up SSL_CTX client key and cert");
diff --git a/testcode/petal.c b/testcode/petal.c
index 964735b39..e680005a7 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
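Review bot: The new `SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)` call only does the right thing when the PEM file is ordered leaf-first (the server's own certificate, then intermediates, optionally ending at the root); a file concatenated the other way round installs the CA certificate as the identity and the key/certificate pairing then fails at `SSL_CTX_use_PrivateKey_file` or the later key check with a message that says nothing about ordering. A comment above the call would spare operators that debugging: `/* server-cert-file may hold a chain: the server's own cert first, then intermediates (leaf-first PEM order); the key must match the first cert */`. The `unbound.conf` description of `server-cert-file` is not in this diff and presumably still talks about a single certificate; it should mention the chain form and the required order. Dropping `SSL_FILETYPE_PEM` is not a behaviour change for existing deployments, since the chain variant reads PEM only, which is what the old call accepted. daemon_remote_create starts and ends outside the hunk.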
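Review bot: The changed condition folds the chain-file load, the private-key load and `SSL_CTX_check_private_key` into one `||` expression with the single message `ssl_err("Error setting up SSL_CTX client key and cert")`, so a mis-ordered chain file (which now fails at the key pairing rather than at load time) is indistinguishable from an unreadable key file. Giving each step its own `ssl_err` names the failing step directly; this assumes `ssl_err` terminates, as its use two lines above for `SSL_OP_NO_SSLv3` suggests, so the three separate `if`s keep the same control flow. The `ssl_err` text for the certificate step is also the natural place to state the leaf-first ordering requirement. setup_ctx's body continues outside the hunk.
```c
		if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
			ssl_err("Error loading SSL_CTX client cert (chain must be PEM, leaf first)");
		if(!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
			ssl_err("Error loading SSL_CTX client key");
		if(!SSL_CTX_check_private_key(ctx))
			ssl_err("SSL_CTX client key does not match client cert");
```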
@@ -236,7 +236,7 @@ setup_ctx(char* key, char* cert)
 if(!ctx) print_exit("out of memory");
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
+ if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
 print_exit("cannot read cert");
 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
 print_exit("cannot read key");
diff --git a/util/net_help.c b/util/net_help.c
index 8b39af6b3..5ad765844 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 SSL_CTX_free(ctx);
 return NULL;
 }
- if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 log_err("error for cert file: %s", pem);
- log_crypto_err("error in SSL_CTX use_certificate_file");
+ log_crypto_err("error in SSL_CTX use_certificate_chain_file");
 SSL_CTX_free(ctx);
 return NULL;
 }
@@ -684,7 +684,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 return NULL;
 }
 if(key && key[0]) {
- if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 log_err("error in client certificate %s", pem);
 log_crypto_err("error in certificate file");
 SSL_CTX_free(ctx);
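Review bot: In listen_sslctx_create the new `SSL_CTX_use_certificate_chain_file(ctx, pem)` call accepts the extra certificates in `pem` without checking that they actually chain from the leaf, so a stale or unrelated intermediate in the file is only discovered by peers at handshake time, not at startup. A comment on the call should say so, e.g. `/* pem may contain the server cert followed by intermediates (leaf first); OpenSSL does not validate that the extra certs chain to the leaf, only that the key matches the first cert */`. If the supported OpenSSL baseline allows it, `SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_CHECK)` after the key is loaded would turn that into a startup error; I cannot tell from this hunk which OpenSSL versions the tree still supports, so treat that as optional. The function's key loading and the return path start and end outside the hunk.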
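Review bot: In connect_sslctx_create the new chain-file call sits under `if(key && key[0])`, which tests only the key, so a configuration with a client key but no certificate path reaches `SSL_CTX_use_certificate_chain_file(ctx, pem)` with an empty or possibly NULL `pem` and then `log_err("error in client certificate %s", pem)` formats that value; whether `pem` can be NULL here depends on the callers, which are outside the hunk, so this is pre-existing behaviour the commit merely inherits. Widening the guard to `if(key && key[0] && pem && pem[0])` or emitting a dedicated "client key set but no certificate" error before the load would make the misconfiguration explicit instead of surfacing as a crypto-library error. The same leaf-first ordering requirement as on the server side applies to the client chain and is worth a one-line comment on the call. connect_sslctx_create continues outside the hunk.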