Install Intermediate CA Certificate (Chain Cert) in Apache HTTPD Server
Digital certificates that are issued by a CA (certificate authority) are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA). Common and popular root CA certs are distributed in the store with the web browsers and software such as operating systems so that the system can automatically trust the certificates issued by these root CA certs for seamless user experience.
As a certificate authority can issue multiple certificates in the form of a tree structure, sometimes the intermediate CA certs issued by a so called subordinate certification authorities are essential to maintain the “chain of trust”. It ensures that the identity verification through the public key certificate can be performed and trusted properly, especially when establishing secure connection through Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL). Otherwise, you may receive a warning that the certificate is signed by an “untrusted authority”.
Essentially, the root CA cert is used to sign and issue a certificate that in turn used to sign and issue end-entity or domain digital certificates for individual and company. Each digital certificate can have zero or more chains of CA certificates that extend back to the root CA cert.
Thus, you need to install the intermediate CA certificates in order for browsers to trust your certificate, if your certificate signing authority include an intermediate CA certificate or bundle (trust chain). In fact, most popular CAs use intermediate CA certs.
How to Get the Intermediate CA Certificate
Depending on the Certificate Authority, some CAs may email you a certificate bundles file which contains the intermediate CA certificates, or you can download the required Intermediate CA Certificate from the CAs’ repository. Some of the common CAs’ downloads repository are:
This guide assumes that you already have mod_SSL module installed and enabled in Apache HTTPD web server.
How to Install Intermediate CA Certificate (Chain Certificate)
Copy the Intermediate CA Certificate in PEM format (a base64 encoded DER certificate identifiable with not meaningful text enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“) to the server, and place in the same directory as the SSL certificate and private key files. For example, /home/techjourney/ssl/cert directory.
Locate the following SSL directives in httpd.conf or ssl.conf or Apache configuration file that declares the SSL settings. Note that if you are using name-based Virtual Host via NameVirtualHost directive, you must locate the corresponding <:VirtualHost> segment that defines your domain website, and modify the SSL directives there (thanks for Server Name Indication (SNI), now you can host multiple SSL secure websites on a single IP address, as SNI allows client to indicate which hostname it is attempting to connect to at the start of the handshaking process).
Depending on the versions of your Apache, set the values of these SSL directives to the absolute path and filename of the various SSL certificates. If you already have SSL configured, you only need to concern about SSLCertificateChainFile or SSLCACertificatePath to install the intermediate CA certs.
In Apache version 2.4.7 or older (<= 2.4.7):
SSLCertificateFile
Path to SSL certificate, e.g. /home/techjourney/ssl.cert
SSLCertificateKeyFile
Path to private key file, e.g. /home/techjourney/ssl.key
SSLCertificateChainFile
Path to intermediate CA cert or bundle, e.g. /home/techjourney/ca.bundle.pem
In Apache version 2.4.8 or newer (>= 2.4.8):
SSLCertificateFile
Path to SSL certificate, e.g. /home/techjourney/ssl.cert
SSLCertificateKeyFile
Path to private key file, e.g. /home/techjourney/ssl.key
SSLCACertificatePath
Path to intermediate CA cert or bundle, e.g. /home/techjourney/ca.bundle.pem
Note
SSLCertificateChainFile is deprecated since Apache 2.4.8. In Apache 2.4.8, SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. It means that if the signing Certificate Authority provides you the end-entity or domain certificate that also includes the intermediate CA certificates, you can omit the SSLCACertificatePath.
Save the Apache configuration file.
Restart Apache:
service httpd restart
Or,
service apache2 restart
Or,
systemctl httpd restart
Or,
systemctl apache2 restart
Control Panel Guide
Virtualmin: Select the virtual server (website or domain) if you have to install the intermediate CA certs. Then, go to Server Configuration -> Manage SSL Certificate -> CA Certificate. Select one of the way to provide the CA’s certificates, i.e. in a file on server if you already uploaded the CA’s certs to the host, uploaded file or pasted certificate text. Click Save Certificate when done, and the CA’s certs will be loaded via SSLCACertificatePath directive.
You can also manually edit the virtual server’s directives going to Services -> Configure Website for SSL -> Edit Directives, useful if you prefer the SSLCertificateChainFile directive to provide the intermediate CA certs.
cPanel WHM: Go to List Accounts on the left menu, and click on the cPanel symbol next to the host that you want install the intermediate CA certs.
At cPanel, select the SSL/TLS Manager under “Security”. Then, click on Manage SSL sites under “Activate SSL on Your Web Site (HTTPS)“. Select the appropriate domain name from the drop-down box. Then, paste the certificate into Certificate: (CRT) text box, paste the decrypted private key into the Key: (KEY) text box and paste the content of the CA certificates into the Certificate Authority Bundle: (CABUNDLE) text box. Hit Install Certificate when done.
LK is a technology writer for Tech Journey with background of system and network administrator. He has be documenting his experiences in digital and technology world for over 15 years.Connect with LK through Tech Journey on Facebook, Twitter or Google+.
