SSL – Difference between SSLCertificateFile and SSLCertificateChainFile

Tags: apache-2.2, ssl

Normally with a virtual host an ssl is setup with the following directives:

Listen 443

SSLCertificateFile /home/web/certs/domain1.public.crt
SSLCertificateKeyFile /home/web/certs/domain1.private.key
SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt

From: For enabling SSL for a single domain on a server with multiple vhosts, will this configuration work?

What is the difference between SSLCertificateFile and SSLCertificateChainFile? The client has purchased a CA key from GoDaddy. It looks like GoDaddy only provides an SSLCertificateFile (.crt file) and an SSLCertificateKeyFile (.key file), and not an SSLCertificateChainFile.

Will my SSL still work without an SSLCertificateChainFile path specified?

Also, is there a canonical path where these files should be placed?

Best Answer

Strictly speaking, you don't ever need the chain for SSL to function.

What you always need is an SSLCertificateFile with an SSLCertificateKeyFile containing the correct key for that certificate.

The trouble is, that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate - which doesn't tell the whole story about that SSL cert. It's saying, "I'm signed by someone, but I'm not going to tell you about them".

This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which they can check through for a matching signing relationship to establish trust. However, sometimes this doesn't work; most often the issue you'll run into is a client that doesn't hold the cert for an intermediate CA that's signed your certificate.

That's where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don't know about. The chain can be included in your configuration in one of two ways:

  • Embedded in the same file as you've set for your SSLCertificateFile, on new lines after the server certificate in order (the root should be at the bottom). If you set it up like this, you'll want SSLCertificateChainFile pointed to the exact same file as SSLCertificateFile.
  • In a separate file configured in the SSLCertificateChainFile directive; the CA certificate that issued the server's certificate should be first in the file, followed by any others up to the root.

Check the certificate file that you have now - I'm betting that it doesn't have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.
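The checks the answer suggests, written out as an added example that is not part of the original answer: it assumes the file paths from the question, that openssl is installed, and that you supply the host name to `show_served_chain` yourself.

```shell
# Assumed paths taken from the question; adjust to your own layout.
CERT=/home/web/certs/domain1.public.crt
CHAIN=/home/web/certs/domain1.intermediate.crt

# Count the PEM certificate blocks in a file. A result of 1 means the file
# holds only the server (leaf) certificate and no chain is embedded in it.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into one file per certificate, in file order, and print
# each subject/issuer pair. The correct order is leaf first, then each issuer
# up toward the root; each cert's issuer should match the next cert's subject.
show_chain_order() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/" sprintf("%02d", n) ".pem") }' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
        echo
    done
    rm -rf "$dir"
}

# Confirm that the leaf validates using only the intermediates in CHAIN plus
# the system root store, i.e. that CHAIN really bridges leaf and root.
verify_local_chain() {
    openssl verify -untrusted "$CHAIN" "$CERT"
}

# Show what Apache actually sends to a client. A correct deployment lists the
# leaf at depth 0 followed by the intermediate(s); a leaf-only deployment
# shows a single certificate, which is the case some clients cannot complete.
show_served_chain() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ +i:'
}
```

Run `count_pem_certs "$CERT"` first; if it prints 1, the GoDaddy bundle's intermediate needs to go into the chain file or be appended after the leaf as the answer describes.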