Normally with a virtual host an ssl is setup with the following directives:
Listen 443
SSLCertificateFile /home/web/certs/domain1.public.crt
SSLCertificateKeyFile /home/web/certs/domain1.private.key
SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt
From: For enabling SSL for a single domain on a server with muliple vhosts, will this configuration work?
What is the difference between SSLCertificateFile and SSLCertificateChainFile ? The client has purchased a CA key from GoDaddy. It looks like GoDaddy only provides a SSLCertificateFile (.crt file), and a SSLCertificateKeyFile (.key file) and not at SSLCertificateChainFile.
Will my ssl still work without a SSLCertificateChainFile path specified ?
Also, is there a canonical path where these files should be placed?
Strictly speaking, you don't ever need the chain for SSL to function.
What you always need is an
SSLCertificateFilewith aSSLCertificateKeyFilecontaining the correct key for that certificate.The trouble is, that if all you give Apache is the certificate, then all it has to give to connecting clients is the certificate - which doesn't tell the whole story about that SSL cert. It's saying, "I'm signed by someone, but I'm not going to tell you about them".
This usually works fine, as most client systems have a large store of CA certificates (both root and intermediate) which it can check through for a matching signing relationship to establish trust. However, sometimes this doesn't work; most often the issue you'll run into is a client that doesn't hold the cert for an intermediate CA that's signed your certificate.
That's where the chain comes in; it lets Apache show the client exactly what the trust relationship looks like, which can help a client fill in the blanks between your cert, a root they trust, and the intermediate that they don't know about. The chain can be included in your configuration in one of two ways:
SSLCertificateFile, on new lines after the server certificate in order (the root should be at the bottom). If you set it up like this, you'll wantSSLCertificateChainFilepointed to the exact same file asSSLCertificateFile.SSLCertificateChainFiledirective; the CA certificate that issued the server's certificate should be first in the file, followed by any others up the the root.Check the certificate file that you have now - I'm betting that it doesn't have the chain data included. Which usually works fine, but will eventually cause an issue with some browser or other.
Here is a pretty good explanation of the differences as well as the observable impacts between choosing one vs the other:
https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile
Actually, GoDaddy does give you a intermediate chain:
http://support.godaddy.com/help/5238
Here's some more discussion.
http://support.godaddy.com/help/868/what-is-an-intermediate-certificate
The email from GoDaddy telling you how to download your new certificate will also have information on the intermediate certificate file. It's somewhere towards the bottom, perhaps after your eyes glaze over from the verbiage and upsell.
In terms of what will happen if you don't include the proper SSLCertificateChainFile directive: you will see a big red warning in your browser because your SSL site will not validate in browsers, as they can't follow the chain of certificates from your site's cert to one owned by a certificate authority the browser knows about.
I'd like to add to the previous good answers about the SSLCertificateChainFile that the order of the certificates in that file is important too. OpenSSL-based clients will sort out the order themselves but gnutls based clients will fail on a chain with the incorrect order.
Test the ordering with gnutls-cli, like
where /etc/ssl/certs/ca-certificates.crt is the location your distro puts the combined certificates.