Understanding SSLCertificateFile vs SSLCertificateChainFile: A Technical Deep Dive for Apache SSL Configuration



When working with SSL/TLS certificates in Apache, understanding the certificate chain is crucial. The typical hierarchy consists of:

  • End-entity certificate (your domain certificate)
  • Intermediate certificates (one or more)
  • Root certificate (trusted by browsers)

The SSLCertificateFile specifies your domain's public certificate (end-entity certificate), while SSLCertificateChainFile contains the intermediate certificate(s) that complete the chain of trust to the root CA.

For GoDaddy certificates, you typically receive:

domain.crt      # Your domain certificate (SSLCertificateFile)
gd_bundle.crt   # Intermediate certificates (SSLCertificateChainFile)
domain.key      # Private key (SSLCertificateKeyFile)

Omitting the chain file may cause "untrusted connection" warnings in browsers. While some configurations might work temporarily without it (if the client has cached intermediates), this is unreliable.

Newer Apache versions (2.4.8+) support concatenating the domain and intermediate certificates into a single file:

# Combined file approach
SSLCertificateFile /path/to/domain.crt
SSLCertificateKeyFile /path/to/domain.key

In this case domain.crt holds the domain certificate first, followed by the intermediate:

-----BEGIN CERTIFICATE-----
(domain cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate cert)
-----END CERTIFICATE-----

While no canonical path exists, common conventions include:

  • /etc/ssl/certs/ for public certificates
  • /etc/ssl/private/ for private keys
  • Web-accessible directories should never contain private keys

Verify your chain with OpenSSL:

openssl verify -CAfile gd_bundle.crt domain.crt

Note that -CAfile treats every certificate in gd_bundle.crt as a trust anchor; if the bundle does not end in a self-signed root, pass it with -untrusted instead so that the system trust store supplies the root.

Check Apache's error log for SSL-related messages during startup.


In Apache HTTP Server SSL/TLS configuration, these directives serve distinct purposes:

SSLCertificateFile      # Contains YOUR server's public certificate
SSLCertificateChainFile # Contains intermediate CA certificates
SSLCertificateKeyFile   # Contains your private key

The SSLCertificateFile should contain only your domain's end-entity certificate. For example:

-----BEGIN CERTIFICATE-----
MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzEY
... [your domain certificate] ...
-----END CERTIFICATE-----

The SSLCertificateChainFile contains intermediate certificates that complete the chain of trust to the root CA. A typical chain file might look like:

-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
... [intermediate CA 1] ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEo
... [intermediate CA 2] ...
-----END CERTIFICATE-----

Newer Apache versions (2.4.8+) prefer combining certificates using SSLCertificateFile:

SSLCertificateFile /path/to/fullchain.pem  # Contains server cert + intermediates
SSLCertificateKeyFile /path/to/privkey.pem
# SSLCertificateChainFile is deprecated in this approach

Example fullchain.pem structure:

-----BEGIN CERTIFICATE-----
... your domain certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... intermediate CA 1 ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... intermediate CA 2 ...
-----END CERTIFICATE-----

For GoDaddy certificates, you typically receive:

  • yourdomain.crt (end-entity certificate)
  • gd_bundle.crt (intermediate certificates)

Recommended configuration:

SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt

To test your configuration:

openssl s_client -connect yourdomain.com:443 -showcerts

Check the output for the complete certificate chain: the server should present your domain certificate followed by each intermediate. Common path conventions:

/etc/ssl/certs/       # Public certificates
/etc/ssl/private/     # Private keys (ensure proper permissions)
/usr/local/ssl/certs/ # Alternative location

Without proper chain configuration, browsers may show "untrusted connection" warnings. Solutions:

  1. Combine certificates manually
  2. Download intermediates from CA's website
  3. Use SSLCACertificateFile for complex chains

Example remediation for a missing chain (shell command, then the Apache directive):

# Shell: build the combined file, domain certificate first
cat yourdomain.crt gd_bundle.crt > fullchain.crt

# Apache: point SSLCertificateFile at the combined file
SSLCertificateFile /path/to/fullchain.crt
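Because a combined file only works when the domain certificate comes first and each certificate is issued by the one after it, a quick order check before reloading Apache saves a round of browser warnings. The following checker is an added example, not code from the original page or from Apache: it parses each PEM block, walks the DER TBSCertificate to pull out the raw issuer and subject Names, and reports any position where cert i is not issued by cert i+1. It does not verify signatures (openssl verify still does that), and the fixtures at the bottom are constructed toy certificates with hypothetical names, not real CA data.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]
def _tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def names_of(der):
    """Return (issuer, subject) as raw DER Name bytes by walking the TBSCertificate."""
    _, p, _ = _tlv(der, 0)                             # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        _, _, end = _tlv(der, end)
    p = end                                            # past serialNumber INTEGER
    _, _, p = _tlv(der, p)                             # past signature AlgorithmIdentifier
    _, _, end = _tlv(der, p); issuer = der[p:end]; p = end
    _, _, p = _tlv(der, p)                             # past validity SEQUENCE
    _, _, end = _tlv(der, p); subject = der[p:end]
    return issuer, subject
def check_chain_order(pem_text):
    """Positions where cert i is not issued by cert i+1; [] means the leaf-first order is consistent."""
    certs = pem_to_der(pem_text)
    if not certs:
        return ["no certificates found"]
    return [f"cert {i} is not issued by cert {i + 1}" for i in range(len(certs) - 1)
            if names_of(certs[i])[0] != names_of(certs[i + 1])[1]]

# Constructed fixtures (hypothetical names): toy, unsigned certificates carrying only the fields read above.
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body
def fake_cert(subject_cn, issuer_cn):
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
LEAF = fake_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
GOOD_CHAIN = LEAF + INTERMEDIATE   # leaf first, the order SSLCertificateFile expects
BAD_CHAIN = INTERMEDIATE + LEAF    # reversed: the server would present the intermediate as its own cert
```

Run check_chain_order on the contents of a real fullchain.crt before restarting Apache; an empty list means the file is in the order the directive expects.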