diff --git a/conf/aphlict/aphlict.default.json b/conf/aphlict/aphlict.default.json
--- a/conf/aphlict/aphlict.default.json
+++ b/conf/aphlict/aphlict.default.json
@@ -5,14 +5,16 @@
 "port": 22280,
 "listen": "0.0.0.0",
 "ssl.key": null,
- "ssl.cert": null
+ "ssl.cert": null,
+ "ssl.chain": null
 },
 {
 "type": "admin",
 "port": 22281,
 "listen": "127.0.0.1",
 "ssl.key": null,
- "ssl.cert": null
+ "ssl.cert": null,
+ "ssl.chain": null
 }
 ],
 "logs": [
diff --git a/src/applications/aphlict/management/PhabricatorAphlictManagementWorkflow.php b/src/applications/aphlict/management/PhabricatorAphlictManagementWorkflow.php
--- a/src/applications/aphlict/management/PhabricatorAphlictManagementWorkflow.php
+++ b/src/applications/aphlict/management/PhabricatorAphlictManagementWorkflow.php
@@ -99,6 +99,7 @@
 'listen' => 'optional string|null',
 'ssl.key' => 'optional string|null',
 'ssl.cert' => 'optional string|null',
+ 'ssl.chain' => 'optional string|null',
 ));
 
 $port = $server['port'];
@@ -145,6 +146,21 @@
 'ssl.key',
 'ssl.cert'));
 }
+
+ $ssl_chain = idx($server, 'ssl.chain');
+ if ($ssl_chain && (!$ssl_key && !$ssl_cert)) {
+ throw new PhutilArgumentUsageException(
+ pht(
+ 'A specified server (at index "%s", on port "%s") specifies '.
+ 'a value for "%s", but no value for "%s" or "%s". Servers '.
+ 'should only provide an SSL chain if they also provide an SSL '.
+ 'key and SSL certificate.',
+ $index,
+ $port,
+ 'ssl.chain',
+ 'ssl.key',
+ 'ssl.cert'));
+ }
 }
 
 if (!$servers) {
diff --git a/src/docs/user/configuration/notifications.diviner b/src/docs/user/configuration/notifications.diviner
--- a/src/docs/user/configuration/notifications.diviner
+++ b/src/docs/user/configuration/notifications.diviner
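Review bot: The guard `if ($ssl_chain && (!$ssl_key && !$ssl_cert))` in the second PhabricatorAphlictManagementWorkflow.php hunk only rejects a chain when both the key and the certificate are absent, while the message it throws says a chain requires both; a server that sets `ssl.chain` together with only one of the two passes this check and is caught, if at all, only by the preceding key/cert consistency check whose condition lies outside the hunk. Making the guard self-contained, `if ($ssl_chain && (!$ssl_key || !$ssl_cert)) {`, matches its own message and stops depending on the ordering of the two checks. `$ssl_key`, `$ssl_cert` and `$index` are assigned before the hunk, and the enclosing loop over `$servers` starts and ends outside it. As with `ssl.key` and `ssl.cert`, the chain path is not checked for readability here, so an unreadable chain file surfaces only when aphlict_server.js calls `fs.readFileSync` on it at startup.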
@@ -85,13 +85,15 @@ `admin` or `client`. Normally, you should run one of each. - `port`: //Required int.// The port this server should listen on. - `listen`: //Optional string.// Which interface to bind to. By default, - the `admin` server is bound to localhost (so only other services on the + the `admin` server is bound to `127.0.0.1` (so only other services on the local machine can connect to it), while the `client` server is bound - to `0.0.0.0` (so any client can connect. + to `0.0.0.0` (so any client can connect). - `ssl.key`: //Optional string.// If you want to use SSL on this port, the path to an SSL key. - `ssl.cert`: //Optional string.// If you want to use SSL on this port, the path to an SSL certificate. + - `ssl.chain`: //Optional string.// If you have configured SSL on this + port, an optional path to a certificate chain file. Each log in the `logs` list should be an object with these keys:
diff --git a/support/aphlict/server/aphlict_server.js b/support/aphlict/server/aphlict_server.js
--- a/support/aphlict/server/aphlict_server.js
+++ b/support/aphlict/server/aphlict_server.js
@@ -104,6 +104,10 @@
 spec['ssl.cert'] = fs.readFileSync(spec['ssl.cert']);
 }
 
+ if (spec['ssl.chain']){
+ spec['ssl.chain'] = fs.readFileSync(spec['ssl.chain']);
+ }
+
 servers.push(spec);
 }
 
@@ -132,9 +136,13 @@
 if (server['ssl.key']) {
 var https_config = {
 key: server['ssl.key'],
- cert: server['ssl.cert']
+ cert: server['ssl.cert'],
 };
 
+ if (server['ssl.chain']) {
+ https_config.ca = server['ssl.chain'];
+ }
+
 http_server = https.createServer(https_config);
 } else {
 http_server = http.createServer();
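Review bot: `if (spec['ssl.chain']){` in the first aphlict_server.js hunk omits the space before the opening brace that the surrounding code uses (compare `if (server['ssl.key']) {` in the next hunk); it should read `if (spec['ssl.chain']) {`. The enclosing loop that builds `spec` starts before the hunk. Like the key and certificate, the chain is read eagerly with `fs.readFileSync`, so a bad path fails the whole server at startup rather than at connection time, which is the safer of the two outcomes but worth stating in the configuration docs.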
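Review bot: `https_config.ca = server['ssl.chain'];` in the second aphlict_server.js hunk loads the chain file into the `ca` option, which Node's TLS layer defines as the set of trusted CA certificates used to verify the peer, not as the intermediate certificates the server presents to connecting clients; whether clients actually receive the intermediates then depends on OpenSSL building the chain from the trust store rather than on an explicit chain. The conventional way to present a chain is to concatenate the intermediates after the leaf in the PEM passed as `cert`, so if `ca` is kept deliberately, a comment should record that and how it was verified, e.g. `// Intermediates are supplied via 'ca'; confirm clients receive the full chain after changing this.` Note that `ca` would also become the trust store for client certificates should `requestCert` ever be enabled on this server. The enclosing function starts before the hunk and continues after it.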