I manage an Apache web server for a government site. The SSL cert will expire in a few weeks, so they sent me a zip file with 3 intermediate certs and the SSL certificate (I have the private key from the CSR generator and the .crt file provided by the government). I need to bundle the intermediate certs into one file for apache2.
Here are the 3 intermediate certs they sent me
Jan 1 2004 AAACertificateServices.crt
Nov 2 2018 SectigoRSADomainValidationSecureServerCA.crt
Mar 12 2019 USERTrustRSAAAACA.crt
In what order should I bundle the 3 certs? From reading other links, the order does matter if the root is provided. Which one is the root?
I used an online SSL validator on the 3 certs:
AAACertificateServices.crt
Common Name: AAA Certificate Services
Organization: Comodo CA Limited
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: December 31, 2003
Valid To: December 31, 2028
Issuer: AAA Certificate Services, Comodo CA Limited
Serial Number: 1 (0x1)
SectigoRSADomainValidationSecureServerCA.crt
Common Name: Sectigo RSA Domain Validation Secure Server CA
Organization: Sectigo Limited
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: November 1, 2018
Valid To: December 31, 2030
Issuer: USERTrust RSA Certification Authority, The USERTRUST Network
Serial Number: 7d5b5126b476ba11db74160bbc530da7
USERTrustRSAAAACA.crt
Common Name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Locality: Jersey City
State: New Jersey
Country: US
Valid From: March 11, 2019
Valid To: December 31, 2028
Issuer: AAA Certificate Services, Comodo CA Limited
Serial Number: 3972443af922b751d7d36c10dd313595
This has been a gray area for me since I've been using Let's Encrypt, and they automatically bundle the intermediate certs into one file.
The order is supposed to be the leaf cert first (the domain's cert), and then each cert that signs the one before it until it reaches the root cert. The "issuer" field basically says which entity signed that cert. The root is AAACertificateServices because it signs itself (issuer matches subject).
In this case it would be:
For httpd before 2.4.8, make a file with 2, 3, 4 and use SSLCertificateChainFile. For httpd 2.4.8 or later, make a single file with 1-4.
The root cert (#4 in this case) is optional to include in either case, normally recommended to leave out. Apparently including it can result in better client-side error messages for older Windows clients if the cert isn't trusted.
AAACertificateServices.crt is the root certificate according to https://www.ssl.com/article/ssl-com-root-certificates/
SectigoRSAOrganizationValidationSecureServerCA is intermediate 1 or 2
USERTrustRSAAAACA is intermediate 1 or 2
The leaf/domain cert is the SSL certificate they provide for you.
The order that I used almost every time is root, intermediates and domain certificate:
Edit: Import all 3 into the already created keystore file (tomcat webserver).