diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index 6c7bad92a468ef2112ead13ea6a7e3a1e72da8ab..46af790434c6bea82712d6a695aee18eab5b9ed8 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -539,8 +539,10 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 
 ;
 ;------------------------ TLS settings ------------------------------------------------------------
-;tlscertfile=</path/to/certificate.pem> ; Certificate file (*.pem format only) to use for TLS connections
-                                        ; default is to look for "asterisk.pem" in current directory
+;tlscertfile=</path/to/certificate.pem> ; Certificate chain (*.pem format only) to use for TLS connections
+                                        ; The certificates must be sorted starting with the subject's certificate
+                                        ; and followed by intermediate CA certificates if applicable.
+                                        ; Default is to look for "asterisk.pem" in current directory
 
 ;tlsprivatekey=</path/to/private.pem> ; Private key file (*.pem format only) for TLS connections.
                                       ; If no tlsprivatekey is specified, tlscertfile is searched for
diff --git a/main/tcptls.c b/main/tcptls.c
index bfa3559859c072a02a4ebda994d61ded0f13f5eb..e07f1f1a05e94e966980914083efab3cbe82afa3 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -393,7 +393,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 
 	if (!ast_strlen_zero(cfg->certfile)) {
 		char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
-		if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
+		if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cfg->certfile) == 0) {
 			if (!client) {
 				/* Clients don't need a certificate, but if its setup we can use it */
 				ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);