diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 7849d6886..a2f040b2f 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -1,396 +1,396 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="vpn">
     <children>
       <node name="openconnect" owner="${vyos_conf_scripts_dir}/vpn_openconnect.py">
         <properties>
           <help>SSL VPN OpenConnect, AnyConnect compatible server</help>
           <priority>901</priority>
         </properties>
         <children>
           <node name="accounting">
             <properties>
               <help>Accounting for users OpenConnect VPN Sessions</help>
             </properties>
             <children>
               <node name="mode">
                 <properties>
                   <help>Accounting mode used by this server</help>
                 </properties>
                 <children>
                   <leafNode name="radius">
                     <properties>
                       <help>Use RADIUS server for accounting</help>
                       <valueless/>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               #include <include/radius-acct-server-ipv4.xml.i>
             </children>
           </node>
           <node name="authentication">
             <properties>
               <help>Authentication for remote access SSL VPN Server</help>
             </properties>
             <children>
               <node name="mode">
                 <properties>
                   <help>Authentication mode used by this server</help>
                 </properties>
                 <children>
                   <leafNode name="local">
                     <properties>
                       <help>Use local username/password configuration (OTP supported)</help>
                       <valueHelp>
                         <format>password</format>
                         <description>Password-only local authentication</description>
                       </valueHelp>
                       <valueHelp>
                         <format>otp</format>
                         <description>OTP-only local authentication</description>
                       </valueHelp>
                       <valueHelp>
                         <format>password-otp</format>
                         <description>Password (first) + OTP local authentication</description>
                       </valueHelp>
                       <constraint>
                         <regex>(password|otp|password-otp)</regex>
                       </constraint>
                       <constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage>
                       <completionHelp>
                         <list>otp password password-otp</list>
                       </completionHelp>
                     </properties>
                   </leafNode>
                   <leafNode name="radius">
                     <properties>
                       <help>Use RADIUS server for user autentication</help>
                       <valueless/>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               <node name="identity-based-config">
                 <properties>
                   <help>Include configuration file by username or RADIUS group attribute</help>
                 </properties>
                 <children>
                   #include <include/generic-disable-node.xml.i>
                   <leafNode name="mode">
                     <properties>
                       <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
                       <completionHelp>
                         <list>user group</list>
                       </completionHelp>
                       <valueHelp>
                         <format>user</format>
                         <description>Match configuration file on username</description>
                       </valueHelp>
                       <valueHelp>
                         <format>group</format>
                         <description>Match RADIUS response class attribute as file name</description>
                       </valueHelp>
                       <constraint>
                         <regex>(user|group)</regex>
                       </constraint>
                       <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
                     </properties>
                   </leafNode>
                   <leafNode name="directory">
                     <properties>
                       <help>Directory to containing configuration files</help>
                       <valueHelp>
                         <format>path</format>
                         <description>Path to configuration directory, must be under /config/auth</description>
                       </valueHelp>
                       <constraint>
                         <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="default-config">
                     <properties>
                       <help>Default configuration if discrete config could not be found</help>
                       <valueHelp>
                         <format>filename</format>
                         <description>Default configuration filename, must be under /config/auth</description>
                       </valueHelp>
                       <constraint>
                         <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
                       </constraint>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               <leafNode name="group">
                 <properties>
                   <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
                   <valueHelp>
                     <format>txt</format>
                     <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
                   </valueHelp>
                   <multi/>
                 </properties>
               </leafNode>
               #include <include/auth-local-users.xml.i>
               <node name="local-users">
                 <children>
                   <tagNode name="username">
                     <children>
                         <node name="otp">
                           <properties>
                             <help>2FA OTP authentication parameters</help>
                           </properties>
                           <children>
                             <leafNode name="key">
                               <properties>
                                 <help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
                                 <valueHelp>
                                   <format>txt</format>
                                   <description>OTP key in hex-encoded format</description>
                                 </valueHelp>
                                 <constraint>
                                   <regex>[a-fA-F0-9]{20,10000}</regex>
                                 </constraint>
                                 <constraintErrorMessage>Key name must only include hex characters and be at least 20 characters long</constraintErrorMessage>
                               </properties>
                             </leafNode>
                             <leafNode name="otp-length">
                               <properties>
                                 <help>Number of digits in OTP code</help>
                                 <valueHelp>
                                   <format>u32:6-8</format>
                                   <description>Number of digits in OTP code</description>
                                 </valueHelp>
                                 <constraint>
                                   <validator name="numeric" argument="--range 6-8"/>
                                 </constraint>
                                 <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
                               </properties>
                               <defaultValue>6</defaultValue>
                             </leafNode>
                             <leafNode name="interval">
                               <properties>
                                 <help>Time tokens interval in seconds</help>
                                 <valueHelp>
                                   <format>u32:5-86400</format>
                                   <description>Time tokens interval in seconds.</description>
                                 </valueHelp>
                                 <constraint>
                                   <validator name="numeric" argument="--range 5-86400"/>
                                 </constraint>
                                 <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
                               </properties>
                               <defaultValue>30</defaultValue>
                             </leafNode>
                             <leafNode name="token-type">
                               <properties>
                                 <help>Token type</help>
                                 <valueHelp>
                                   <format>hotp-time</format>
                                   <description>Time-based OTP algorithm</description>
                                 </valueHelp>
                                 <valueHelp>
                                   <format>hotp-event</format>
                                   <description>Event-based OTP algorithm</description>
                                 </valueHelp>
                                 <constraint>
                                   <regex>(hotp-time|hotp-event)</regex>
                                 </constraint>
                                 <completionHelp>
                                   <list>hotp-time hotp-event</list>
                                 </completionHelp>
                               </properties>
                               <defaultValue>hotp-time</defaultValue>
                             </leafNode>
                           </children>
                         </node>
                     </children>
                   </tagNode>
                 </children>
               </node>
               #include <include/radius-auth-server-ipv4.xml.i>
               <node name="radius">
                 <children>
                   #include <include/radius-timeout.xml.i>
                   <leafNode name="groupconfig">
                     <properties>
                       <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help>
                     </properties>
                   </leafNode>
                 </children>
               </node>
             </children>
           </node>
           #include <include/listen-address-ipv4-single.xml.i>
           <leafNode name="listen-address">
             <defaultValue>0.0.0.0</defaultValue>
           </leafNode>
           <node name="listen-ports">
             <properties>
               <help>Specify custom ports to use for client connections</help>
             </properties>
             <children>
               <leafNode name="tcp">
                 <properties>
                   <help>tcp port number to accept connections</help>
                   <valueHelp>
                     <format>u32:1-65535</format>
                     <description>Numeric IP port</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-65535"/>
                   </constraint>
                 </properties>
                 <defaultValue>443</defaultValue>
               </leafNode>
               <leafNode name="udp">
                 <properties>
                   <help>udp port number to accept connections</help>
                   <valueHelp>
                     <format>u32:1-65535</format>
                     <description>Numeric IP port</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 1-65535"/>
                   </constraint>
                 </properties>
                 <defaultValue>443</defaultValue>
               </leafNode>
             </children>
           </node>
           <leafNode name="http-security-headers">
             <properties>
               <help>Enable HTTP security headers</help>
               <valueless/>
             </properties>
           </leafNode>
           #include <include/tls-version-min.xml.i>
           <leafNode name="tls-version-min">
             <defaultValue>1.2</defaultValue>
           </leafNode>
           <node name="ssl">
             <properties>
               <help>SSL Certificate, SSL Key and CA</help>
             </properties>
             <children>
-              #include <include/pki/ca-certificate.xml.i>
+              #include <include/pki/ca-certificate-multi.xml.i>
               #include <include/pki/certificate-key.xml.i>
             </children>
           </node>
           <node name="network-settings">
             <properties>
               <help>Network settings</help>
             </properties>
             <children>
               <leafNode name="push-route">
                 <properties>
                   <help>Route to be pushed to the client</help>
                   <valueHelp>
                     <format>ipv4net</format>
                     <description>IPv4 network and prefix length</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6net</format>
                     <description>IPv6 network and prefix length</description>
                   </valueHelp>
                   <constraint>
                     <validator name="ip-prefix"/>
                   </constraint>
                   <multi/>
                 </properties>
               </leafNode>
               <node name="client-ip-settings">
                 <properties>
                   <help>Client IP pools settings</help>
                 </properties>
                 <children>
                   <leafNode name="subnet">
                     <properties>
                       <help>Client IP subnet (CIDR notation)</help>
                       <valueHelp>
                         <format>ipv4net</format>
                         <description>IPv4 address and prefix length</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv4-prefix"/>
                       </constraint>
                       <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               <node name="client-ipv6-pool">
                 <properties>
                   <help>Pool of client IPv6 addresses</help>
                 </properties>
                 <children>
                   <leafNode name="prefix">
                     <properties>
                       <help>Pool of addresses used to assign to clients</help>
                       <valueHelp>
                         <format>ipv6net</format>
                         <description>IPv6 address and prefix length</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv6-prefix"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="mask">
                     <properties>
                       <help>Prefix length used for individual client</help>
                       <valueHelp>
                         <format>u32:48-128</format>
                         <description>Client prefix length</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 48-128"/>
                       </constraint>
                     </properties>
                     <defaultValue>64</defaultValue>
                   </leafNode>
                 </children>
               </node>
               #include <include/name-server-ipv4-ipv6.xml.i>
               <leafNode name="split-dns">
                 <properties>
                   <help>Domains over which the provided DNS should be used</help>
                   <valueHelp>
                     <format>txt</format>
                     <description>Client prefix length</description>
                   </valueHelp>
                   <constraint>
                     <validator name="fqdn"/>
                   </constraint>
                   <multi/>
                 </properties>
               </leafNode>
               <leafNode name="tunnel-all-dns">
                 <properties>
                   <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
                   <completionHelp>
                     <list>yes no</list>
                   </completionHelp>
                   <valueHelp>
                     <format>yes</format>
                     <description>Enable tunneling of all DNS traffic</description>
                   </valueHelp>
                   <valueHelp>
                     <format>no</format>
                     <description>Disable tunneling of all DNS traffic</description>
                   </valueHelp>
                   <constraint>
                     <regex>(yes|no)</regex>
                   </constraint>
                 </properties>
                 <defaultValue>no</defaultValue>
               </leafNode>
             </children>
           </node>
       </children>
     </node>
   </children>
 </node>
 </interfaceDefinition>
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 8159fedea..42785134f 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -1,274 +1,289 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 from sys import exit
 
 from vyos.base import Warning
 from vyos.config import Config
 from vyos.configverify import verify_pki_certificate
 from vyos.configverify import verify_pki_ca_certificate
-from vyos.pki import wrap_certificate
+from vyos.pki import find_chain
+from vyos.pki import encode_certificate
+from vyos.pki import load_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
-from vyos.utils.process import call
+from vyos.utils.dict import dict_search
+from vyos.utils.file import write_file
 from vyos.utils.network import check_port_availability
-from vyos.utils.process import is_systemd_service_running
 from vyos.utils.network import is_listen_port_bind_service
-from vyos.utils.dict import dict_search
+from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_running
 from vyos import ConfigError
 from passlib.hash import sha512_crypt
 from time import sleep
 
 from vyos import airbag
 airbag.enable()
 
 cfg_dir        = '/run/ocserv'
 ocserv_conf    = cfg_dir + '/ocserv.conf'
 ocserv_passwd  = cfg_dir + '/ocpasswd'
 ocserv_otp_usr = cfg_dir + '/users.oath'
 radius_cfg     = cfg_dir + '/radiusclient.conf'
 radius_servers = cfg_dir + '/radius_servers'
 
 # Generate hash from user cleartext password
 def get_hash(password):
     return sha512_crypt.hash(password)
 
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
     base = ['vpn', 'openconnect']
     if not conf.exists(base):
         return None
 
     ocserv = conf.get_config_dict(base, key_mangling=('-', '_'),
                                   get_first_key=True,
                                   with_recursive_defaults=True,
                                   with_pki=True)
 
     return ocserv
 
 def verify(ocserv):
     if ocserv is None:
         return None
     # Check if listen-ports not binded other services
     # It can be only listen by 'ocserv-main'
     for proto, port in ocserv.get('listen_ports').items():
         if check_port_availability(ocserv['listen_address'], int(port), proto) is not True and \
                 not is_listen_port_bind_service(int(port), 'ocserv-main'):
             raise ConfigError(f'"{proto}" port "{port}" is used by another service')
 
     # Check accounting
     if "accounting" in ocserv:
         if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]:
             if not origin["accounting"]['radius']['server']:
                 raise ConfigError('OpenConnect accounting mode radius requires at least one RADIUS server')
             if "authentication" not in ocserv or "mode" not in ocserv["authentication"]:
                 raise ConfigError('Accounting depends on OpenConnect authentication configuration')
             elif "radius" not in ocserv["authentication"]["mode"]:
                 raise ConfigError('RADIUS accounting must be used with RADIUS authentication')
 
     # Check authentication
     if "authentication" in ocserv:
         if "mode" in ocserv["authentication"]:
             if ("local" in ocserv["authentication"]["mode"] and
                 "radius" in ocserv["authentication"]["mode"]):
                     raise ConfigError('OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration')
             if "radius" in ocserv["authentication"]["mode"]:
                 if not ocserv["authentication"]['radius']['server']:
                     raise ConfigError('OpenConnect authentication mode radius requires at least one RADIUS server')
             if "local" in ocserv["authentication"]["mode"]:
                 if not ocserv.get("authentication", {}).get("local_users"):
                     raise ConfigError('OpenConnect mode local required at least one user')
                 if not ocserv["authentication"]["local_users"]["username"]:
                     raise ConfigError('OpenConnect mode local required at least one user')
                 else:
                     # For OTP mode: verify that each local user has an OTP key
                     if "otp" in ocserv["authentication"]["mode"]["local"]:
                         users_wo_key = []
                         for user, user_config in ocserv["authentication"]["local_users"]["username"].items():
                             # User has no OTP key defined
                             if dict_search('otp.key', user_config) == None:
                                 users_wo_key.append(user)
                         if users_wo_key:
                             raise ConfigError(f'OTP enabled, but no OTP key is configured for these users:\n{users_wo_key}')
                     # For password (and default) mode: verify that each local user has password
                     if "password" in ocserv["authentication"]["mode"]["local"] or "otp" not in ocserv["authentication"]["mode"]["local"]:
                         users_wo_pswd = []
                         for user in ocserv["authentication"]["local_users"]["username"]:
                             if not "password" in ocserv["authentication"]["local_users"]["username"][user]:
                                 users_wo_pswd.append(user)
                         if users_wo_pswd:
                             raise ConfigError(f'password required for users:\n{users_wo_pswd}')
 
             # Validate that if identity-based-config is configured all child config nodes are set
             if 'identity_based_config' in ocserv["authentication"]:
                 if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
                     Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!")
                     if 'mode' not in ocserv["authentication"]["identity_based_config"]:
                         raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
                     elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]:
                         raise ConfigError('OpenConnect config-per-group must be used with radius authentication')
                     if 'directory' not in ocserv["authentication"]["identity_based_config"]:
                         raise ConfigError('OpenConnect identity-based-config enabled but directory not set')
                     if 'default_config' not in ocserv["authentication"]["identity_based_config"]:
                         raise ConfigError('OpenConnect identity-based-config enabled but default-config not set')
         else:
             raise ConfigError('OpenConnect authentication mode required')
     else:
         raise ConfigError('OpenConnect authentication credentials required')
 
     # Check ssl
     if 'ssl' not in ocserv:
         raise ConfigError('SSL missing on OpenConnect config!')
 
     if 'certificate' not in ocserv['ssl']:
         raise ConfigError('SSL certificate missing on OpenConnect config!')
     verify_pki_certificate(ocserv, ocserv['ssl']['certificate'])
 
     if 'ca_certificate' in ocserv['ssl']:
-        verify_pki_ca_certificate(ocserv, ocserv['ssl']['ca_certificate'])
+        for ca_cert in ocserv['ssl']['ca_certificate']:
+            verify_pki_ca_certificate(ocserv, ca_cert)
 
     # Check network settings
     if "network_settings" in ocserv:
         if "push_route" in ocserv["network_settings"]:
             # Replace default route
             if "0.0.0.0/0" in ocserv["network_settings"]["push_route"]:
                 ocserv["network_settings"]["push_route"].remove("0.0.0.0/0")
                 ocserv["network_settings"]["push_route"].append("default")
         else:
             ocserv["network_settings"]["push_route"] = ["default"]
     else:
         raise ConfigError('OpenConnect network settings required!')
 
 def generate(ocserv):
     if not ocserv:
         return None
 
     if "radius" in ocserv["authentication"]["mode"]:
         if dict_search(ocserv, 'accounting.mode.radius'):
             # Render radius client configuration
             render(radius_cfg, 'ocserv/radius_conf.j2', ocserv)
             merged_servers = ocserv["accounting"]["radius"]["server"] | ocserv["authentication"]["radius"]["server"]
             # Render radius servers
             # Merge the accounting and authentication servers into a single dictionary
             render(radius_servers, 'ocserv/radius_servers.j2', {'server': merged_servers})
         else:
             # Render radius client configuration
             render(radius_cfg, 'ocserv/radius_conf.j2', ocserv)
             # Render radius servers
             render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"])
     elif "local" in ocserv["authentication"]["mode"]:
         # if mode "OTP", generate OTP users file parameters
         if "otp" in ocserv["authentication"]["mode"]["local"]:
             if "local_users" in ocserv["authentication"]:
                 for user in ocserv["authentication"]["local_users"]["username"]:
                     # OTP token type from CLI parameters:
                     otp_interval = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("interval"))
                     token_type = ocserv["authentication"]["local_users"]["username"][user]["otp"].get("token_type")
                     otp_length = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("otp_length"))
                     if token_type == "hotp-time":
                         otp_type = "HOTP/T" + otp_interval
                     elif token_type == "hotp-event":
                         otp_type = "HOTP/E"
                     else:
                         otp_type = "HOTP/T" + otp_interval
                     ocserv["authentication"]["local_users"]["username"][user]["otp"]["token_tmpl"] = otp_type + "/" + otp_length
         # if there is a password, generate hash
         if "password" in ocserv["authentication"]["mode"]["local"] or not "otp" in ocserv["authentication"]["mode"]["local"]:
             if "local_users" in ocserv["authentication"]:
                 for user in ocserv["authentication"]["local_users"]["username"]:
                     ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"])
 
         if "password-otp" in ocserv["authentication"]["mode"]["local"]:
             # Render local users ocpasswd
             render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
             # Render local users OTP keys
             render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"])
         elif "password" in ocserv["authentication"]["mode"]["local"]:
             # Render local users ocpasswd
             render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
         elif "otp" in ocserv["authentication"]["mode"]["local"]:
             # Render local users OTP keys
             render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"])
         else:
             # Render local users ocpasswd
             render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
     else:
         if "local_users" in ocserv["authentication"]:
             for user in ocserv["authentication"]["local_users"]["username"]:
                 ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"])
             # Render local users
             render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"])
 
     if "ssl" in ocserv:
         cert_file_path = os.path.join(cfg_dir, 'cert.pem')
         cert_key_path = os.path.join(cfg_dir, 'cert.key')
-        ca_cert_file_path = os.path.join(cfg_dir, 'ca.pem')
+
 
         if 'certificate' in ocserv['ssl']:
             cert_name = ocserv['ssl']['certificate']
             pki_cert = ocserv['pki']['certificate'][cert_name]
 
-            with open(cert_file_path, 'w') as f:
-                f.write(wrap_certificate(pki_cert['certificate']))
+            loaded_pki_cert = load_certificate(pki_cert['certificate'])
+            loaded_ca_certs = {load_certificate(c['certificate'])
+                for c in ocserv['pki']['ca'].values()} if 'ca' in ocserv['pki'] else {}
+
+            cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+            write_file(cert_file_path,
+                '\n'.join(encode_certificate(c) for c in cert_full_chain))
 
             if 'private' in pki_cert and 'key' in pki_cert['private']:
-                with open(cert_key_path, 'w') as f:
-                    f.write(wrap_private_key(pki_cert['private']['key']))
+                write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
 
         if 'ca_certificate' in ocserv['ssl']:
-            ca_name = ocserv['ssl']['ca_certificate']
-            pki_ca_cert = ocserv['pki']['ca'][ca_name]
+            ca_cert_file_path = os.path.join(cfg_dir, 'ca.pem')
+            ca_chains = []
+
+            for ca_name in ocserv['ssl']['ca_certificate']:
+                pki_ca_cert = ocserv['pki']['ca'][ca_name]
+                loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+                ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+                ca_chains.append(
+                    '\n'.join(encode_certificate(c) for c in ca_full_chain))
 
-            with open(ca_cert_file_path, 'w') as f:
-                f.write(wrap_certificate(pki_ca_cert['certificate']))
+            write_file(ca_cert_file_path, '\n'.join(ca_chains))
 
     # Render config
     render(ocserv_conf, 'ocserv/ocserv_config.j2', ocserv)
 
 
 def apply(ocserv):
     if not ocserv:
         call('systemctl stop ocserv.service')
         for file in [ocserv_conf, ocserv_passwd, ocserv_otp_usr]:
             if os.path.exists(file):
                 os.unlink(file)
     else:
         call('systemctl reload-or-restart ocserv.service')
         counter = 0
         while True:
             # exit early when service runs
             if is_systemd_service_running("ocserv.service"):
                 break
             sleep(0.250)
             if counter > 5:
                 raise ConfigError('OpenConnect failed to start, check the logs for details')
                 break
             counter += 1
 
 
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
     except ConfigError as e:
         print(e)
         exit(1)