Difference between SSLCertificateFile and SSLCertificateChainFile?

Solution 1:

Strictly speaking, you don't ever need the chain for SSL to function.

What you always need is an SSLCertificateFile with a SSLCertificateKeyFile containing the correct key for that certificate.

The trouble is, that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate - which doesn't tell the whole story about that SSL cert. It's saying, "I'm signed by someone, but I'm not going to tell you about them".

This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which they can check through for a matching signing relationship to establish trust. However, sometimes this doesn't work; most often the issue you'll run into is a client that doesn't hold the cert for an intermediate CA that's signed your certificate.

That's where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don't know about. The chain can be included in your configuration in one of two ways:

  • Embedded in the same file as you've set for your SSLCertificateFile, on new lines after the server certificate in order (the root should be at the bottom). If you set it up like this, you'll want SSLCertificateChainFile pointed to the exact same file as SSLCertificateFile.
  • In a separate file configured in the SSLCertificateChainFile directive; the CA certificate that issued the server's certificate should be first in the file, followed by any others up to the root.

Check the certificate file that you have now - I'm betting that it doesn't have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.
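As an added example (not part of the answer above), here is a stdlib-only Python check for the ordering Solution 1 describes: server certificate first, then the CA that issued it, and so on up to the root. It walks just far enough into each certificate's DER to pull out the issuer and subject Names and compares them byte-for-byte with the neighbouring certificate; the sample bundles at the bottom are constructed stand-ins (unsigned, no key), not real certificates, so the script runs offline. Point `chain_problems()` at the text of your own SSLCertificateFile or SSLCertificateChainFile to see whether the chain is present and in order.

```python
import base64, re

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def subject_issuer(cert_der):  # -> (subject, issuer) as raw Name DER
    _, cert, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, _, end = _tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))          # keep the whole TLV
        pos = end
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]

def chain_problems(pem_text):  # ordering problems in a PEM bundle; [] means fine
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    pairs = [subject_issuer(base64.b64decode(b)) for b in blobs]
    problems = []
    if len(pairs) < 2:
        problems.append("only %d certificate(s): no chain included" % len(pairs))
    for i in range(len(pairs) - 1):                 # cert i must be issued by cert i+1
        if pairs[i][1] != pairs[i + 1][0]:
            problems.append("cert %d is not issued by cert %d" % (i, i + 1))
    return problems

# Constructed sample data: unsigned stand-ins with only the Name fields filled in (NOT real certs).
def _der(tag, body):
    return bytes([tag, len(body)]) + body           # short-form length suffices here
def _name(cn):                                      # Name with one commonName RDN
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))
def _fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def _pem(d):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(d).decode()
LEAF = _fake_cert("www.example.com", "Example Intermediate CA")
INTER, ROOT = _fake_cert("Example Intermediate CA", "Example Root CA"), _fake_cert("Example Root CA", "Example Root CA")
GOOD_BUNDLE = _pem(LEAF) + _pem(INTER) + _pem(ROOT)  # server cert first, root last
LEAF_ONLY = _pem(LEAF)                                # the usual misconfiguration
MISORDERED = _pem(INTER) + _pem(LEAF) + _pem(ROOT)
```

The Name comparison is exact bytes, so a chain whose issuer and subject are encoded differently (rare, but it happens with older CAs) is reported as a mismatch even though OpenSSL would still link it; treat a report as a prompt to look, not a verdict.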

Solution 2:

Here is a pretty good explanation of the differences as well as the observable impacts between choosing one vs the other:

https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile