Apr 24, 2012

Difference between SSLCertificateFile and SSLCertificateChainFile?


Normally with a virtual host, SSL is set up with the following directives:

Listen 443
SSLCertificateFile /home/web/certs/domain1.public.crt
SSLCertificateKeyFile /home/web/certs/domain1.private.key
SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt

From: For enabling SSL for a single domain on a server with multiple vhosts, will this configuration work?

What is the difference between SSLCertificateFile and SSLCertificateChainFile? The client has purchased a CA key from GoDaddy. It looks like GoDaddy only provides an SSLCertificateFile (.crt file) and an SSLCertificateKeyFile (.key file), and not an SSLCertificateChainFile.

Will my SSL still work without an SSLCertificateChainFile path specified?

Also, is there a canonical path where these files should be placed?

Asked by chrisjlee


Strictly speaking, you don’t ever need the chain for SSL to function.

What you always need is an SSLCertificateFile with a SSLCertificateKeyFile containing the correct key for that certificate.

The trouble is that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate – which doesn’t tell the whole story about that SSL cert. It’s saying, “I’m signed by someone, but I’m not going to tell you about them”.

This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which they can check through for a matching signing relationship to establish trust. However, sometimes this doesn’t work; most often the issue you’ll run into is a client that doesn’t hold the cert for an intermediate CA that’s signed your certificate.

That’s where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don’t know about. The chain can be provided in two places:

  • Embedded in the SSLCertificateFile, on new lines after the server certificate in order (the root should be at the bottom).
  • In a separate file configured in the SSLCertificateChainFile directive.

Check the certificate file that you have now – I’m betting that it doesn’t have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.

Answered by Shane Madden
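The bundle layout and the missing-intermediate failure described in the answer, as an added shell example (not from the original post): it builds a throwaway root/intermediate/leaf chain with openssl, so the names root, inter and leaf and the temp directory are constructed for the demo, and it assumes openssl and awk are installed.

```shell
# Constructed demo: build a root -> intermediate -> leaf chain with openssl,
# then inspect PEM bundles the way Apache's SSLCertificateFile expects them.
set -e
WORK=$(mktemp -d)

# issue NAME ISSUER CA-FLAG: key + cert for NAME; empty ISSUER means self-signed
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$3" > "$WORK/$1.ext"
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Number of certificates in a PEM file: 1 means a bare server cert, no chain embedded
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds only if every cert is signed by the one below it and the last is
# self-signed: server cert first, root at the bottom, as the answer describes.
chain_order_ok() {
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(count_certs "$1"); i=1
  while [ "$i" -le "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$d/$i.pem")
    if [ "$i" -lt "$n" ]; then j=$((i + 1)); else j=$i; fi   # last cert: compare with itself
    subject=$(openssl x509 -noout -subject -in "$d/$j.pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Simulate a client that trusts only the root; $1 = yes hands it the intermediate too
leaf_verifies() {
  if [ "$1" = yes ]; then set -- -untrusted "$WORK/inter.crt"; else set --; fi
  openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

issue root "" CA:TRUE
issue inter root CA:TRUE
issue leaf inter CA:FALSE
cat "$WORK/leaf.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/bundle.crt"    # Apache order
cat "$WORK/root.crt" "$WORK/inter.crt" "$WORK/leaf.crt" > "$WORK/reversed.crt"  # wrong order
```

Running chain_order_ok against the file currently configured as SSLCertificateFile tells you whether the chain is embedded and ordered correctly; leaf_verifies with and without the intermediate reproduces the client-side failure the answer warns about.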
