I just bought an SSL certificate, and here are all the certificate files I got:
- Root CA Certificate - xxCARoot.crt
- Intermediate CA Certificate - x1.crt
- Intermediate CA Certificate - x2.crt
- Intermediate CA Certificate - x3.crt
- Your EssentialSSL Wildcard Certificate - mydomain.crt
Now to install my certificates on Apache:
- Do I need to expose the Root CA Certificate at all?
- Since Apache only allows 1 SSLCertificateChainFile directive, am I supposed to create a bundle file of the intermediate CAs? If so, will the order of certificates in the bundle file be reversed like this:
cat x3.crt x2.crt x1.crt > myca.bundle
If the root certificate does have to be added, does it come in last (after x1) or first (before x3) in the bundle (assuming the order is correct in the first place)?
No, you don't need to share the root. Your visitors that have it trusted already (likely from the company who provided their OS) will already have it.
Yes, using your command should be correct, assuming they're all PEM encoded.
Per the University of Wisconsin here, order does matter, but only if you provide the root.
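One way to check a bundle file before pointing SSLCertificateChainFile at it, as an added example that is not part of the original question or answer: the function below checks that each certificate in the file is issued by the one that follows it (the order in which a TLS server sends its chain) and notes whether a root is included. It assumes PEM input and the `openssl` command-line tool; `check_chain_order` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): check the order of an
# intermediate CA bundle. It tests name chaining only (issuer of
# cert N == subject of cert N+1), not signatures.
# Returns 0 if ordered, 1 if out of order, 2 if no certificate is found.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    if [ ! -f "$tmp/cert-1.pem" ]; then
        echo "no PEM certificate found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    i=1
    rc=0
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    # $i now indexes the last certificate; a self-issued one is a root.
    last="$tmp/cert-$i.pem"
    if [ "$(openssl x509 -in "$last" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$last" -noout -subject_hash)" ]; then
        echo "note: last certificate is self-issued (a root CA)"
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Call it with the path of the bundle file; a non-zero return together with a "cert N is not issued by cert N+1" message points at the position where the chain breaks.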