As a certificate authority can issue multiple certificates in the form of a tree structure, sometimes the intermediate CA certs issued by a so called subordinate certification authorities are essential to maintain the “chain of trust”. It ensures that the identity verification through the public key certificate can be performed and trusted properly, especially when establishing secure connection through Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL). Otherwise, you may receive a warning that the certificate is signed by an “untrusted authority”.
Essentially, the root CA cert is used to sign and issue a certificate that in turn used to sign and issue end-entity or domain digital certificates for individual and company. Each digital certificate can have zero or more chains of CA certificates that extend back to the root CA cert.
Thus, you need to install the intermediate CA certificates in order for browsers to trust your certificate, if your certificate signing authority include an intermediate CA certificate or bundle (trust chain). In fact, most popular CAs use intermediate CA certs.
How to Get the Intermediate CA Certificate
Depending on the Certificate Authority, some CAs may email you a certificate bundles file which contains the intermediate CA certificates, or you can download the required Intermediate CA Certificate from the CAs’ repository. Some of the common CAs’ downloads repository are:
Symantec Verisign: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
StartCom StartSSL: https://www.startssl.com/certs/
How to Install Intermediate CA Certificate (Chain Certificate)
- Copy the Intermediate CA Certificate in PEM format (a base64 encoded DER certificate identifiable with not meaningful text enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“) to the server, and place in the same directory as the SSL certificate and private key files. For example, /home/techjourney/ssl/cert directory.
- Locate the following SSL directives in httpd.conf or ssl.conf or Apache configuration file that declares the SSL settings. Note that if you are using name-based Virtual Host via NameVirtualHost directive, you must locate the corresponding <:VirtualHost> segment that defines your domain website, and modify the SSL directives there (thanks for Server Name Indication (SNI), now you can host multiple SSL secure websites on a single IP address, as SNI allows client to indicate which hostname it is attempting to connect to at the start of the handshaking process).
Depending on the versions of your Apache, set the values of these SSL directives to the absolute path and filename of the various SSL certificates. If you already have SSL configured, you only need to concern about SSLCertificateChainFile or SSLCACertificatePath to install the intermediate CA certs.
In Apache version 2.4.7 or older (<= 2.4.7):
SSLCertificateFile Path to SSL certificate, e.g. /home/techjourney/ssl.cert SSLCertificateKeyFile Path to private key file, e.g. /home/techjourney/ssl.key SSLCertificateChainFile Path to intermediate CA cert or bundle, e.g. /home/techjourney/ca.bundle.pem
In Apache version 2.4.8 or newer (>= 2.4.8):
SSLCertificateFile Path to SSL certificate, e.g. /home/techjourney/ssl.cert SSLCertificateKeyFile Path to private key file, e.g. /home/techjourney/ssl.key SSLCACertificatePath Path to intermediate CA cert or bundle, e.g. /home/techjourney/ca.bundle.pem
- Save the Apache configuration file.
- Restart Apache:
service httpd restart
service apache2 restart
systemctl httpd restart
systemctl apache2 restart