Normally with a virtual host, SSL is set up with the following directives:
    Listen 443
    SSLCertificateFile /home/web/certs/domain1.public.crt
    SSLCertificateKeyFile /home/web/certs/domain1.private.key
    SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt
What is the difference between SSLCertificateChainFile? The client has purchased a CA key from GoDaddy. It looks like GoDaddy only provides a SSLCertificateFile (.crt file), and a SSLCertificateKeyFile (.key file) and not at
Will my ssl still work without a SSLCertificateChainFile path specified?
Also, is there a canonical path where these files should be placed?
Strictly speaking, you don’t ever need the chain for SSL to function.
What you always need is an SSLCertificateFile with a SSLCertificateKeyFile containing the correct key for that certificate.
The trouble is, that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate – which doesn’t tell the whole story about that SSL cert. It’s saying, “I’m signed by someone, but I’m not going to tell you about them”.
This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which they can check through for a matching signing relationship to establish trust. However, sometimes this doesn’t work; most often the issue you’ll run into is a client that doesn’t hold the cert for an intermediate CA that’s signed your certificate.
That’s where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don’t know about. The chain can be provided in two places:
- Embedded in the SSLCertificateFile, on new lines after the server certificate in order (the root should be at the bottom).
- In a separate file configured in the
Check the certificate file that you have now – I’m betting that it doesn’t have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.
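The check suggested above, as an added example that is not part of the original answer: it counts the certificates in a PEM file and tests that each one's issuer is the subject of the certificate below it. The sample certificates are constructed, unsigned skeletons; names are compared byte for byte, signatures are not verified, and the helper names (`check_chain`, `fake_pem`) are hypothetical.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as the raw DER bytes of the certificate's Name fields."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    fields = []                             # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def check_chain(pem_text):
    """Summarise what a server would present if pem_text were its SSLCertificateFile."""
    pairs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not pairs:
        raise ValueError("no PEM certificate found")
    return {
        "certificates": len(pairs),
        "has_chain": len(pairs) > 1,
        "ordered": all(pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1)),
        "ends_in_root": pairs[-1][0] == pairs[-1][1],   # last entry is self-issued
    }

# Constructed sample input: unsigned skeletons that carry only the name fields.
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def fake_pem(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject))
    b64 = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf = fake_pem("www.example.test", "Example Intermediate CA")
    print(check_chain(leaf))                # certificate only, no chain data
    print(check_chain(leaf + fake_pem("Example Intermediate CA", "Example Root CA")))
```

To run it against a real file, pass the file's text to `check_chain`; a result with `has_chain` false means the server has only the certificate itself to send unless a separate chain file is configured.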