
I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however: any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?

vaindil
    [SSLCertificateChainFile Deprecation Warning on Apache 2.4.8+](http://serverfault.com/q/588986/217116) – sebix Jul 12 '15 at 18:13

2 Answers

Taken from the Apache 2.4 Module mod_ssl documentation:

SSLCertificateFile Directive

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in

cat domain.crt domain-ca.crt > bundle.crt

and use that file inside your site's conf file:

SSLCertificateFile      /path/to/bundle.crt

(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)

Jonathan Y.
  • That's indeed the correct solution: aggregate the `.crt` + `ca_bundle.crt`, and use it as `SSLCertificateFile`. – membersound Jan 26 '22 at 08:13
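Added example (not part of the original answer): a POSIX shell helper that builds the bundle exactly as described above and then checks it the way mod_ssl reads it, so a wrong order is caught before Apache reports a key mismatch. It assumes the openssl command-line tool is installed; the function names build_bundle and check_bundle are assumptions.

```shell
#!/bin/sh
# Apache 2.4.8+ reads SSLCertificateFile top-down: the FIRST certificate is
# paired with SSLCertificateKeyFile, and the rest are sent as the chain.
# A chain placed before the leaf therefore shows up as a "key mismatch".

# build_bundle LEAF_CRT CHAIN_CRT OUT_CRT  (leaf first, then intermediates)
# Both input files must end with a newline, as openssl-written PEM does.
build_bundle() {
    cat "$1" "$2" > "$3"
}

# check_bundle BUNDLE_CRT PRIVATE_KEY
# returns 0 if ok, 1 if the first cert does not match the key,
# 2 if some certificate is not followed by its issuer (bad order)
check_bundle() {
    bundle=$1 key=$2
    dir=$(mktemp -d) || return 1
    # split the PEM bundle into one file per certificate: cert.1, cert.2, ...
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert." n)}' "$bundle"
    # 1) public key of the first certificate must equal the private key's
    if [ "$(openssl x509 -in "$dir/cert.1" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        rm -rf "$dir"; return 1
    fi
    # 2) cert.i must have been issued by cert.(i+1): leaf -> intermediate -> root
    i=1
    while [ -f "$dir/cert.$((i+1))" ]; do
        issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$dir/cert.$((i+1))" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then rm -rf "$dir"; return 2; fi
        i=$((i+1))
    done
    rm -rf "$dir"
    return 0
}
```

Run check_bundle on the file you point SSLCertificateFile at; a return code of 1 is the same symptom the question describes (leaf not first), and 2 means the intermediates are present but out of order.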

For Apache 2.4.8, SSLCertificateChainFile has been made obsolete. However, it's just deprecated and not removed, so you may continue to use the older style. However, for Apache versions > 2.4.8, SSLCertificateChainFile will not work.

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

source: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile

Old Style (Valid on Apache <= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<mydomain.com>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key
SSLCertificateChainFile /etc/ssl/certs/<full-chain-bundle>.crt

source: How to Install an SSL Certificate on Apache

New Style (Valid on Apache >= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<full-chain-bundle>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key

source: https://codesport.io/lamp-stack-advanced/lets-encrypt-tutorial/#vhost-config

Christian
  • Didn't work for me. I removed the .crt and then the error messages indicated the certificate and key didn't match. – muz the axe Oct 01 '16 at 16:09
  • I think what makes this answer a little confusing is that `.crt` appears in both the old and new configuration. If I'm not mistaken, in the old configuration only the *CA chain* would appear in the file called to by `SSLCertificateChainFile`, whereas in the new configuration the CA chain should be appended to the server certificate, into a *full chain*, which is called to by `SSLCertificateFile`. I attempted to clarify that in my answer. – Jonathan Y. Apr 17 '17 at 11:15
  • @JonathanY. is right: you have to merge the domain.crt + chain.crt into a bundle.crt, and then use it as `SSLCertificateFile` in place. It's not sufficient to only use the `.crt` alone, which is what this answer suggests! – membersound Jan 26 '22 at 08:15
  • I'm running 2.4.38-3+deb10u7 and the `SSLCertificateChainFile` trumped the intermediate in the `SSLCertificateFile` – Martin Dorey Nov 11 '22 at 00:37