How to bundle intermediate certs into one file

The order is supposed to be the leaf cert first (the domain's cert), and then each cert that signs the one before it until it reaches the root cert. The "issuer" field basically says which entity signed that cert. The root being AAACertificateServices because it signs itself (issuer matches subject).

In this case it would be:

  1. leaf/domain cert
  2. SectigoRSADomainValidationSecureServerCA
  3. USERTrustRSAAAACA
  4. AAACertificateServices

For httpd before 2.4.8, make a file for 2,3,4 and use SSLCertificateChainFile. For httpd 2.4.8 or later make a single file with 1-4.

The root cert (#4 in this case) is optional to include in either case, normally recommended to leave out. Apparently including it can result in better client-side error messages for older Windows clients if the cert isn't trusted.