How to Fix SSLCertificateChainFile Deprecation Warning in Apache 2.4.8+ with Correct Certificate Chain Configuration



Since Apache 2.4.8, the SSLCertificateChainFile directive has been deprecated in favor of using SSLCertificateFile to handle both server certificates and intermediate CA certificates. This change was made to simplify SSL configuration while maintaining backward compatibility.

The attempted solution of simply replacing SSLCertificateChainFile with a second SSLCertificateFile directive is incorrect because:

  • Apache expects the certificate chain to be contained within the primary certificate file
  • Multiple SSLCertificateFile directives will conflict with each other
  • The chain order in the combined file matters significantly

You need to create a single file that contains both your server certificate and intermediate certificates in the correct order:

-----BEGIN CERTIFICATE-----
[Your primary certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA 1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA 2]
-----END CERTIFICATE-----

Here's how to properly migrate your configuration:

  1. Concatenate your certificates in the correct order:
    cat STAR.EXAMPLE.COM.crt Apache_Plesk_Install.txt > combined.crt
  2. Update your ssl.conf:
    SSLCertificateFile /etc/ssl/combined.crt
    SSLCertificateKeyFile /etc/ssl/server.key
  3. Remove the SSLCertificateChainFile directive completely

After making these changes:

  • Run apachectl configtest to check configuration syntax
  • Restart Apache: systemctl restart httpd
  • Verify with OpenSSL: openssl s_client -connect yourdomain.com:443 -showcerts
  • Check with the SSL Labs SSL Server Test

Watch out for these issues:

  • Incorrect certificate order (server cert must come first)
  • Extra blank lines between certificates
  • Certificate files in wrong encoding (must be PEM format)
  • Missing intermediate certificates

If you need to maintain separate files for any reason, you can use:

SSLCertificateFile /etc/ssl/STAR.EXAMPLE.COM.crt
SSLCACertificateFile /etc/ssl/Apache_Plesk_Install.txt

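But this is not recommended unless you have specific requirements: SSLCACertificateFile is the directive that sets the CA certificates Apache trusts when verifying client certificates, so any intermediates placed there also become part of that trust set.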


After upgrading to Apache 2.4.9+, many administrators encounter this warning:

AH02559: The SSLCertificateChainFile directive is deprecated, SSLCertificateFile should be used instead

This change was introduced in Apache 2.4.8 to simplify SSL configuration by combining certificate and chain files into a single SSLCertificateFile directive.

The proper solution isn't simply replacing SSLCertificateChainFile with another SSLCertificateFile directive. Instead, you need to concatenate your certificate files in the correct order:

# Correct way (single SSLCertificateFile containing both cert and chain)
SSLCertificateFile /etc/ssl/combined.crt
SSLCertificateKeyFile /etc/ssl/server.key

Here's how to properly create the combined certificate file:

# Create combined certificate file
cat /etc/ssl/STAR.EXAMPLE.COM.crt /etc/ssl/Apache_Plesk_Install.txt > /etc/ssl/combined.crt

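# Show the server certificate (openssl x509 reads only the first certificate in the file)
openssl x509 -in /etc/ssl/combined.crt -text -noout

# List the subject and issuer of every certificate in the file to check the chain order
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/combined.crt | openssl pkcs7 -print_certs -noout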

Here's a full working configuration for Apache 2.4.8+:

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/combined.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    
    # Modern SSL configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

Problem: Apache fails to start after changes
Solution: Verify certificate file permissions (should be readable by Apache user) and file integrity:

sudo chmod 644 /etc/ssl/certs/combined.crt
sudo chown root:root /etc/ssl/certs/combined.crt

Problem: Browser shows certificate warnings
Solution: Verify your certificate chain is complete and in correct order (server cert first, then intermediates):

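# Verify the server certificate against the system trust store,
# using the intermediates in the combined file as untrusted chain certificates
openssl verify -untrusted /etc/ssl/certs/combined.crt /etc/ssl/certs/combined.crt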

For better security and compatibility:

  • Use full chain certificates (including root CA when necessary)
  • Consider using Let's Encrypt with auto-renewal
  • Regularly test your SSL configuration using SSL Labs' test tool