Name
SSLCertificateChainFile
Synopsis
SSLCertificateChainFile filename
Server config, virtual host
Apache v2 only
This directive sets the optional all-in-one file where you can assemble the CA certificates that form the certificate chain of the server certificate. The chain starts with the certificate of the CA that issued the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA certificate files, usually in certificate chain order.
Use this directive as an alternative to, or in addition to, SSLCACertificatePath to explicitly construct the server certificate chain that is sent to the browser along with the server certificate. It is especially useful for avoiding conflicts with CA certificates when using client authentication. Although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect on certificate chain construction, it has the side effect that client certificates issued by this same CA are also accepted for client authentication. That is usually not what one expects.
Note
The certificate chain only works if you are using a single (either RSA- or DSA-based) server certificate. If you are using a coupled RSA+DSA certificate pair, it will only work if both certificates use the same certificate chain. If not, the browsers will get confused.
Example
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
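The two fragments below are an added illustration, not taken from the book, of the client-authentication side effect described above. Apart from the chain file path from the example, every path is an assumed placeholder, and the two variants are alternatives for the same virtual host, not meant to be loaded together.

```apache
# --- Variant A: chain CA placed in the client-auth trust store ---
# The server's issuing CA sits in the SSLCACertificatePath directory
# (assumed path). The chain is still built and sent to browsers, but
# mod_ssl now also trusts that CA for client authentication, so any
# client certificate it issued is accepted.
SSLEngine on
SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCACertificatePath  /usr/local/apache/conf/ssl.clientca
SSLVerifyClient require

# --- Variant B: chain and client trust kept separate ---
# The server chain comes only from SSLCertificateChainFile: the issuing
# CA first, then any further CAs up to the root, concatenated as PEM.
# Client certificates are checked only against the dedicated client CA
# file (assumed path), which does not contain the server's issuing CA.
SSLEngine on
SSLCertificateFile      /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile   /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
SSLCACertificateFile    /usr/local/apache/conf/ssl.crt/client-ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
```

With variant B, the set of CAs trusted for client certificates is exactly the content of the client CA file, so reviewing that one file shows who can authenticate.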