How to Properly Chain Multiple Intermediate CA Certificates in Apache SSL Configuration


When working with SSL/TLS certificates in Apache, you typically receive several files:

Root CA Certificate - xxCARoot.crt
Intermediate CA Certificate - x1.crt
Intermediate CA Certificate - x2.crt
Intermediate CA Certificate - x3.crt
Your EssentialSSL Wildcard Certificate - mydomain.crt

You do not need to include the Root CA certificate in what Apache serves. Clients validate the chain against the roots in their own trust store, so a root sent by the server is ignored at best, and if the client does not trust that root, sending it does not help; it only adds bytes to every handshake.

For Apache versions before 2.4.8, the intermediate certificates go in SSLCertificateChainFile. The bundle must begin with the CA certificate that signed mydomain.crt, followed by that CA's issuer, and so on up to (but not including) the root. The numbering in the file names does not tell you which file is which, so confirm the chain by comparing each file's subject and issuer fields (openssl x509 -noout -subject -issuer) before concatenating. Assuming x1 signed mydomain.crt, x2 signed x1 and x3 signed x2:

# Concatenate intermediate certificates in chain order: signer of the leaf first, root excluded
cat x1.crt x2.crt x3.crt > intermediate-bundle.crt

For Apache 2.4.8 and later, SSLCertificateChainFile is obsolete: the intermediates are appended, in the same order, to the file named by SSLCertificateFile, directly after your own certificate. Repeating SSLCertificateFile does not build a chain; multiple SSLCertificateFile directives are how 2.4.8+ serves several end-entity certificates of different key types (for example one RSA and one ECDSA), each paired with its own SSLCertificateKeyFile.

cat mydomain.crt x1.crt x2.crt x3.crt > combined.crt

SSLCertificateFile /path/to/combined.crt
SSLCertificateKeyFile /path/to/mydomain.key

Here's a complete configuration example for different Apache versions:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    
    # For Apache < 2.4.8
    SSLCertificateFile /etc/ssl/certs/mydomain.crt
    SSLCertificateKeyFile /etc/ssl/private/mydomain.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate-bundle.crt
    
    # For Apache >= 2.4.8: combined.crt holds mydomain.crt followed by x1, x2, x3
    # SSLCertificateFile /etc/ssl/certs/combined.crt
    # SSLCertificateKeyFile /etc/ssl/private/mydomain.key
</VirtualHost>

After configuration, verify your setup:

# Test Apache configuration
apachectl configtest

# Check the chain the server actually sends (-servername makes SNI select this vhost)
openssl s_client -connect example.com:443 -servername example.com -showcerts

In the output, the "Certificate chain" list should start with your certificate at depth 0, followed by each intermediate. A result of "Verify return code: 21 (unable to verify the first certificate)" usually means an intermediate is missing or out of order.

Common mistakes:
  • Incorrect certificate order in the bundle (the CA that signed your certificate comes first, then its issuer, and so on toward the root)
  • Including the root CA certificate unnecessarily
  • Mixing certificate encodings (Apache needs PEM, the Base64 text with BEGIN CERTIFICATE lines; DER .cer/.der files must be converted with openssl x509 -inform DER -outform PEM)
  • File permission issues (certificates readable by the Apache process; the private key readable only by root, which is the user that reads it at startup before privileges are dropped)

Apache's SSLCertificateChainFile directive (or, for 2.4.8+, the intermediates appended to the SSLCertificateFile file) requires the intermediate certificates in chain order:

# Correct way to create the bundle (assuming x1 signed mydomain.crt, x2 signed x1, x3 signed x2):
cat x1.crt x2.crt x3.crt > intermediate_bundle.crt

The order follows the certificate chain hierarchy: first the immediate issuer of your domain certificate, then its issuer, and so on up to but not including the root. Determine which file is which from the subject and issuer fields rather than from the file names, since the numbering assigned to the downloaded files is not guaranteed to match the chain.

Here's a complete SSL configuration example for Apache:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    
    # Your domain certificate
    SSLCertificateFile /path/to/mydomain.crt
    
    # Intermediate certificate bundle
    SSLCertificateChainFile /path/to/intermediate_bundle.crt
    
    # Private key (keep this secure!)
    SSLCertificateKeyFile /path/to/private.key
    
    # Modern SSL configuration: no SSLv2/SSLv3/TLS 1.0/1.1
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...
    SSLHonorCipherOrder on
    # HSTS (requires mod_headers); includeSubDomains commits every subdomain to HTTPS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

After configuration, verify your setup:

  1. Check for syntax errors before touching the running server: sudo apache2ctl configtest (apachectl configtest on RHEL-style systems)
  2. Restart Apache: sudo apache2ctl restart or sudo systemctl restart httpd
  3. Verify the chain the server sends using OpenSSL: openssl s_client -connect example.com:443 -servername example.com -showcerts (the "Certificate chain" section should list your certificate followed by each intermediate, and the verify return code should be 0)
  4. Use online tools like SSL Labs' SSL Test for comprehensive validation

Apache 2.4.8 and later expect the intermediate certificates directly in the main certificate file, after your own certificate and in the same chain order (SSLCertificateChainFile is obsolete from 2.4.8 on):

# Combine certificates: leaf first, then the chain in order (assuming x1 signed mydomain.crt)
cat mydomain.crt x1.crt x2.crt x3.crt > combined.crt

# Apache configuration
SSLCertificateFile /path/to/combined.crt
SSLCertificateKeyFile /path/to/private.key

This approach eliminates the need for a separate chain file and is often simpler to manage. The private key stays in its own file and must never be appended to combined.crt.
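The ordering rule used throughout this page (signer of the leaf first, root excluded) and the checks worth running before a restart can be scripted. The following is an added example written for this page, not Apache's or the CA's own tooling: it builds a throwaway Root -> CA 1 -> CA 2 -> leaf hierarchy with openssl as constructed sample input (the CA names and the example.com SAN are assumptions made for the demo), orders the intermediates by matching each certificate's issuer to another's subject instead of trusting file names, assembles the 2.4.8+ combined file, and then checks that the chain verifies against the root alone and that the private key matches the certificate.

```shell
#!/bin/sh
# Added example for this page (not Apache's or a CA's tooling): order
# intermediate CA files by following issuer -> subject links, build the
# Apache >= 2.4.8 combined file, and run offline pre-restart checks.
# The PKI created in demo() is constructed sample input; "Example CA 1",
# "Example CA 2" and the example.com SAN are assumptions for the demo.

# cert_field subject|issuer FILE: print one DN, e.g. "CN=Example CA 1".
cert_field() {
    openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# build_chain LEAF CA_FILE...: write to stdout the CA certificates leading
# from LEAF up to (but excluding) the self-signed root, signer of LEAF first,
# the order SSLCertificateChainFile / the combined file expects.
# Returns 1 if an issuer is missing from the supplied files.
build_chain() {
    leaf=$1; shift
    want=$(cert_field issuer "$leaf")
    while :; do
        found=
        for ca in "$@"; do
            [ "$(cert_field subject "$ca")" = "$want" ] || continue
            found=$ca; break
        done
        [ -n "$found" ] || { echo "no issuer found for: $want" >&2; return 1; }
        issuer=$(cert_field issuer "$found")
        [ "$issuer" != "$want" ] || return 0   # self-signed: that is the root, stop
        cat "$found"
        want=$issuer
    done
}

# key_matches_cert KEY CERT: 0 when the private key's public half equals the
# public key in CERT (the usual SSLCertificateKeyFile mismatch check).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_subjects BUNDLE: subject of every certificate in BUNDLE, in file order.
chain_subjects() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
    for p in part[0-9]*.pem; do cert_field subject "$p"; done
    rm -f part[0-9]*.pem
}

# Helpers for the throwaway test PKI (EC keys, so this runs in under a second).
mkcsr() {   # mkcsr NAME CN
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config req.cnf -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {    # sign NAME SIGNER|self EXTFILE
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
            -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# demo: build Root -> CA 1 -> CA 2 -> leaf, hand the CA files over in a
# deliberately shuffled order, assemble combined.pem, and verify. Prints the
# ordered intermediate subjects on success; non-zero exit on any failure.
demo() (
    set -e
    dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > leaf.ext
    mkcsr root "Example Root";  sign root self ca.ext
    mkcsr ca1  "Example CA 1";  sign ca1 root ca.ext
    mkcsr ca2  "Example CA 2";  sign ca2 ca1 ca.ext
    mkcsr leaf "example.com";   sign leaf ca2 leaf.ext

    # File names carry no ordering information; the issuer/subject links do.
    build_chain leaf.pem ca1.pem root.pem ca2.pem > intermediate-bundle.pem
    cat leaf.pem intermediate-bundle.pem > combined.pem   # Apache >= 2.4.8 SSLCertificateFile

    # Pre-flight checks: chain validates with only the root trusted, the key
    # matches the certificate, and the combined file starts with the leaf.
    openssl verify -CAfile root.pem -untrusted intermediate-bundle.pem leaf.pem >/dev/null
    key_matches_cert leaf.key combined.pem
    [ "$(cert_field subject combined.pem)" = "CN=example.com" ]
    chain_subjects intermediate-bundle.pem
)
```

Run it with sh; demo prints the intermediates in the order they were written, CA 2 (the leaf's signer) before CA 1. For a production host, point build_chain at the real mydomain.crt and the downloaded x*.crt files to produce the bundle, then run the same openssl verify with the CA's published root as -CAfile before reloading Apache; a bundle that fails that check will fail in browsers too.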