Why store Apache SSL certificate and private key in separate files?

The SSL Certificate File is a lock.
The SSL Certificate Key File is its key.

Storing the two together is the equivalent of taping your key to the lock on your front door.
If an attacker compromises the single file they have everything they need to successfully impersonate your website (the certificate and the private key).

This is especially true if you do not have a passphrase on your SSL key (many web servers don't, to allow them to automatically start up in the event of a crash).


What you're defending against by separating the files is an Apache bug that causes it to dump the contents of the SSLCertificateFile (something that should be publicly available) to a web client.
(To my knowledge no such bug exists, or has ever existed, but Apache is a large, complex piece of software. It's entirely possible.)

If Apache dumps this file and all it contains is the SSL Certificate (the lock), there's no problem: everyone gets a copy of that certificate when they make an SSL request to the server anyway.
If the file contains the key as well you've blown any chance at security - your entire encryption model is compromised, and you need to change keys.


Old versions of OpenSSL required two separate files (public and private). Old versions of other crypto engines required a single file (both in the same file). In the "spirit" of compatibility (aka "Admins whinging about the inconsistency and having to maintain two sets of certificates"), most now support both.

Storing both certificates (also the key chain) in a single file is discouraged as the different certificates have different scopes. It's more of a consistency issue than a technical one, where the public certificate should have publicly readable file permissions, and vice versa for the private. There's no danger in keeping your public certificate under lock and key on your systems, it's just inconsistent with its purpose.
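The two checks the answers above imply, as an added example that is not code from either answer or from the Apache project: a POSIX shell audit that looks inside the file you would name in SSLCertificateFile for a stray private-key block (the "key taped to the lock" case) and verifies that the SSLCertificateKeyFile is readable by its owner only. The PEM files it writes are constructed placeholders, not real keys or certificates, and every path in it is hypothetical.

```shell
#!/bin/sh
# Added example: audit the two files an Apache vhost points at, e.g.
#   SSLCertificateFile    /etc/ssl/certs/example.crt    (public: 0644 is fine)
#   SSLCertificateKeyFile /etc/ssl/private/example.key  (private: 0600 or 0400)
# Assumes POSIX sh plus grep, sed, sort, stat (GNU or BSD) and mktemp.
# All paths and PEM contents below are constructed placeholders, not real material.

# pem_block_types FILE: print each distinct "-----BEGIN <label>-----" label once.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u
}

# cert_file_has_private_key FILE: true if any PRIVATE KEY block (RSA, EC,
# PKCS#8, encrypted or not) sits in the file meant for SSLCertificateFile.
cert_file_has_private_key() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# file_mode FILE: permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_file_mode_ok FILE: true when group and other have no bits at all
# (0600, 0400, 0700). Anything else lets another local user read the key.
key_file_mode_ok() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_ssl_files CERT KEY: one finding per line; returns 1 on any failure.
audit_ssl_files() {
    cert=$1 key=$2 rc=0
    if cert_file_has_private_key "$cert"; then
        echo "FAIL: $cert contains a private key block; move it to a separate SSLCertificateKeyFile"
        rc=1
    fi
    if ! grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "FAIL: $key has no private key block"
        rc=1
    fi
    if ! key_file_mode_ok "$key"; then
        echo "FAIL: $key is mode $(file_mode "$key"); expected 0600 or 0400"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert (public) and $key (private) are separate and permissions look sane"
    return "$rc"
}

# make_demo_files DIR: write constructed placeholder PEM files (the base64
# bodies are filler, not real keys or certificates) so the checks run offline.
make_demo_files() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderNOTaRealCertificate==' \
        '-----END CERTIFICATE-----' > "$dir/cert-only.pem"
    { cat "$dir/cert-only.pem"
      printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
          'MIIEplaceholderNOTaRealKey==' \
          '-----END RSA PRIVATE KEY-----'; } > "$dir/cert-and-key.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'MIIEplaceholderNOTaRealKey==' \
        '-----END PRIVATE KEY-----' > "$dir/key.pem"
    chmod 644 "$dir/cert-only.pem" "$dir/cert-and-key.pem"   # public file, world-readable
    chmod 600 "$dir/key.pem"                                  # private file, owner only
}

# demo: run both audits against the constructed files and clean up.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_files "$d"
    echo "== certificate and key in separate files (recommended) =="
    audit_ssl_files "$d/cert-only.pem" "$d/key.pem"
    echo "== certificate and key taped together in one world-readable file =="
    audit_ssl_files "$d/cert-and-key.pem" "$d/cert-and-key.pem"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit.sh --demo` to see one passing and one failing audit; against a real host, call `audit_ssl_files` with the two paths from the vhost. `pem_block_types` is the quick way to see exactly what a PEM file carries before you hand it to Apache, which is the point of the first answer: the file behind SSLCertificateFile should list only CERTIFICATE blocks.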