The browser will try to make a connection to your web socket enabled router. Let's use my self-hosted ziti/zrok/browzer as an example.
My controller reports:
cat /dev/null | \
openssl s_client -connect ec2-3-142-245-63.us-east-2.compute.amazonaws.com:8441 2>&1 | \
openssl x509 -text | grep 'DNS:'
DNS:ec2-3-142-245-63.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, DNS:localhost, IP Address:127.0.0.1
But when I connect to the websocket enabled router (note I need to send ALPN here):
cat /dev/null | \
openssl s_client -connect wss.clint.demo.openziti.org:8505 -alpn http/1.1 2>&1 | \
openssl x509 -text | grep 'DNS:'
DNS:*.clint.demo.openziti.org
So the connection that your browser needs to think is valid is to your router. For me that's this URL -- you can hit this too: https://wss.clint.demo.openziti.org:8505/
Notice I get back a 404 and the certificate is valid. So THAT cert is the chain that your browser/OS needs to trust. Also recall that this is the same as the 'address' in the config under listener->binding(edge)->wss section...
In my case, I used LetsEncrypt. My edge router's identity section has an "alt_server_certs" section. Yours might too; I don't think it's strictly necessary in this case since you'll be instructing your OS/browser to trust YOUR ca...
Whatever cert chain comes back from your local wss router port is the chain you need to trust. Hope that helps...
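The check described in the post above, as an added example that is not part of the original post: `san_matches` tests whether a hostname is covered by a SAN line as printed by `grep 'DNS:'`, and `check_router` asks OpenSSL whether the chain on the wss port verifies for that hostname. Both function names are hypothetical, the sample SAN lines are copied from the output in the post, and `-verify_hostname` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed sample input: the two SAN lines printed in the post above.
CONTROLLER_SANS='DNS:ec2-3-142-245-63.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, DNS:localhost, IP Address:127.0.0.1'
ROUTER_SANS='DNS:*.clint.demo.openziti.org'

# san_matches HOST SAN_LINE  (hypothetical helper)
# Succeeds if HOST is covered by a DNS entry in SAN_LINE. A wildcard entry
# covers exactly one leftmost label, which is how browsers treat it.
san_matches() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' '\n' |
            sed -n 's/^ *dns://p')
    while IFS= read -r name; do
        case $name in
            \*.*)
                suffix=${name#\*}   # e.g. ".clint.demo.openziti.org"
                rest=${host#*.}     # host with its first label removed
                if [ "$rest" != "$host" ] && [ ".$rest" = "$suffix" ]; then
                    return 0
                fi ;;
            *)
                if [ "$name" = "$host" ]; then return 0; fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# check_router HOST PORT [CAFILE]  (hypothetical helper, needs network access)
# Connects with ALPN http/1.1 as in the post and succeeds only if the chain
# verifies for HOST against the system trust store, or against CAFILE if given.
# Example: check_router wss.clint.demo.openziti.org 8505
check_router() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -alpn http/1.1 \
            -verify_hostname "$1" -verify_return_error \
            ${3:+-CAfile "$3"} </dev/null 2>&1) || true
    printf '%s\n' "$out" | grep -E 'verify error|Verify return code' | sort -u
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}
```

For a router signed by your own CA, pass that CA's PEM file as the third argument to `check_router` to see the result a browser would get once the CA is trusted.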