SSLCertificateChainFile is obsolete
I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however: any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?

Coed answered 12/7, 2015 at 17:17

Taken from the Apache 2.4 Module mod_ssl documentation:

SSLCertificateFile Directive

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in

cat domain.crt domain-ca.crt > bundle.crt

and use that file inside your site's conf file:

SSLCertificateFile      /path/to/bundle.crt

(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)

Peripeteia answered 17/4, 2017 at 11:11

That's indeed the correct solution: aggregate the .crt + ca_bundle.crt, and use it as SSLCertificateFile. (Minestrone)

For Apache 2.4.8, SSLCertificateChainFile has been made obsolete. It is, however, only deprecated and not removed, so you may continue to use the older style. For Apache versions > 2.4.8, though, SSLCertificateChainFile will not work.

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

source: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile

Old Style (Valid on Apache <= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<mydomain.com>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key
SSLCertificateChainFile /etc/ssl/certs/<full-chain-bundle>.crt

source: How to Install an SSL Certificate on Apache

New Style (Valid on Apache >= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<full-chain-bundle>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key

source: https://codesport.io/lamp-stack-advanced/lets-encrypt-tutorial/#vhost-config

Houseboat answered 9/3, 2016 at 7:49

Didn't work for me. I removed the <mydomain.com>.crt and then the error messages indicated the certificate and key didn't match. (Potassium)

I think what makes this answer a little confusing is that <full-chain-bundle>.crt appears in both the old and new configuration. If I'm not mistaken, in the old configuration only the CA chain would appear in the file called to by SSLCertificateChainFile, whereas in the new configuration the CA chain should be appended to the server certificate, into a full chain, which is called to by SSLCertificateFile. I attempted to clarify that in my answer. (Peripeteia)

@JonathanY. is right: you have to merge the domain.crt + chain.crt into a bundle.crt, and then use it as SSLCertificateFile in place. It's not sufficient to only use the <full-chain-bundle>.crt alone, which is what this answer suggests! (Minestrone)

I'm running 2.4.38-3+deb10u7 and the SSLCertificateChainFile trumped the intermediate in the SSLCertificateFile. (Nought)
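The two answers above (Peripeteia's "concatenate leaf then chain" and Houseboat's old-style vs new-style vhost) both come down to one rule that explains the questioner's "invalid key" error: Apache reads the FIRST certificate in SSLCertificateFile as the server certificate and checks it against SSLCertificateKeyFile, so the leaf must come first and the intermediates must follow in issuing order. The script below is an added example, not code from the thread or from the Apache project. It builds a throwaway root -> intermediate -> leaf PKI for the hypothetical host www.example.com with the openssl CLI (assumed to be 1.1.1 or newer), assembles the bundle in the correct and in the wrong order, and runs the three checks worth doing before `apachectl configtest`: key matches the first certificate, each certificate is issued by the next one, and the first certificate verifies against the root using only the other certificates in the file.

```shell
#!/bin/sh
# Added example (not from the thread): build and validate an Apache 2.4.8+
# SSLCertificateFile bundle (leaf first, then intermediates) from a constructed
# test PKI. The CN values and www.example.com are constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki DIR: constructs root CA -> intermediate CA -> leaf. In a real
# deployment these are the files your CA issued; only the checks below matter.
make_test_pki() {
  dir="$1"
  # Minimal req config so the example does not depend on the system openssl.cnf.
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/domain.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/domain.crt" 2>/dev/null
}

# build_bundle OUT CERT...: concatenates PEM files in the order given (leaf to root).
build_bundle() {
  out="$1"; shift
  cat "$@" > "$out"
}

# key_matches_first_cert BUNDLE KEY: mod_ssl pairs SSLCertificateKeyFile with the
# FIRST certificate in SSLCertificateFile; openssl x509 also reads only the first
# PEM block, so comparing public keys reproduces Apache's own check.
key_matches_first_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# chain_order BUNDLE: succeeds only if every certificate in the file is issued
# by the certificate that follows it (leaf, intermediate(s), optional root).
chain_order() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
    next=$(openssl x509 -in "$tmp/$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$next" ] || { rm -rf "$tmp"; return 1; }
    i=$((i+1))
  done
  rm -rf "$tmp"
}

# chain_verifies ROOT BUNDLE: verifies the first certificate against ROOT using
# only the remaining certificates in BUNDLE as untrusted intermediates, i.e. what
# a client that already trusts ROOT will be able to build from this server.
chain_verifies() {
  leaf=$(mktemp)
  openssl x509 -in "$2" -out "$leaf" 2>/dev/null
  rc=0
  openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1 || rc=1
  rm -f "$leaf"
  return $rc
}

make_test_pki "$WORK"
# Correct order: server certificate first, then the intermediate. The root is
# optional; a client has to trust it already, so sending it only adds bytes.
build_bundle "$WORK/bundle.crt" "$WORK/domain.crt" "$WORK/intermediate.crt"
# The questioner's failure mode: intermediate first, so the key is compared
# against the wrong certificate and mod_ssl reports a key mismatch.
build_bundle "$WORK/wrong-order.crt" "$WORK/intermediate.crt" "$WORK/domain.crt"

for b in bundle.crt wrong-order.crt; do
  if key_matches_first_cert "$WORK/$b" "$WORK/domain.key" && chain_order "$WORK/$b" \
     && chain_verifies "$WORK/root.crt" "$WORK/$b"; then
    echo "$b: OK to use as SSLCertificateFile (with SSLCertificateKeyFile $WORK/domain.key)"
  else
    echo "$b: REJECT (key does not match first certificate, or chain is out of order)"
  fi
done
```

Point SSLCertificateFile at the bundle that passes and SSLCertificateKeyFile at the matching key, exactly as in the "New Style" vhost above; if you keep an old SSLCertificateChainFile line alongside it, remove it, since the comment above reports that it can still override the intermediates read from SSLCertificateFile on some builds.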
