Ben's Pro Tips

Tech Tips Made Easy

April 12, 2014 Apache Tips, Linux Server Tips

Apache: The SSLCertificateChainFile directive is deprecated, SSLCertificateFile should be used instead

Getting the above warning message when starting your Apache service?

The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/xxx.conf:42) is deprecated, SSLCertificateFile should be used instead

Fortunately it’s an easy fix. First back up your existing Apache config and certificate files. Edit the specified conf file, and find the line:

SSLCertificateChainFile /etc/apache2/ssl/comodo.intermediate.crt

And delete or comment it out. Next, edit your crt file (specified by the SSLCertificateFile directive in your ). You can place ALL of your certificates in this file: the root cert, the chain certs, AND the cert for your website. For example:

-----BEGIN CERTIFICATE-----
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
qUCAwEAAaOCAWUwggFhqUCAwEAAaOCAWUwggFhqUC
-----END CERTIFICATE-----

(note these aren’t real certs, your server will catch on fire if you try this at home)

VERY IMPORTANT:

The order of the certificates is important. Apache WILL NOT start, or your cert will not be valid, if the order is wrong. According to the official Apache documentation, the order is FIRST your domain certificate, then the intermediate, THEN the root. That is the reverse of what one might expect.

Because I’m using a Comodo PositiveSSL certificate, the order I copy/paste into my domain’s CRT file is:

1) mydomain.crt
2) COMODORSADomainValidationSecureServerCA.crt
3) COMODORSAAddTrustCA.crt
4) AddTrustExternalCARoot.crt

Update: This order has been corrected, thanks Todd!
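
To check a combined file's order before restarting Apache, the following added example (not part of the original post) splits the bundle and confirms with `openssl x509` that each certificate's issuer name matches the subject of the certificate after it. The function names and the throwaway chain built by `make_demo_chain` are constructed for illustration; the check compares names only and does not verify signatures.

```shell
#!/bin/sh
# Added example: order check for a combined SSLCertificateFile bundle.
# Compares issuer/subject names only; it does not verify signatures.

# check_chain_order BUNDLE -> 0 if each certificate's issuer is the subject
# of the next certificate in the file, 1 if not, 2 if nothing could be read.
check_chain_order() {
    work=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
    rc=0
    [ -f "$work/cert-1.pem" ] || rc=2
    i=1
    while [ -f "$work/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$work/cert-$i.pem" 2>/dev/null)
        next=$(openssl x509 -noout -subject_hash -in "$work/cert-$((i + 1)).pem" 2>/dev/null)
        if [ -z "$issuer" ] || [ "$issuer" != "$next" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# make_demo_chain DIR: write a throwaway, constructed chain into DIR
# (leaf.crt issued by int.crt, int.crt issued by the self-signed root.crt).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    for pair in int:root leaf:int; do
        c=${pair%%:*}; ca=${pair##*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$c.test" \
            -keyout "$1/$c.key" -out "$1/$c.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$c.csr" -days 1 -CA "$1/$ca.crt" \
            -CAkey "$1/$ca.key" -CAcreateserial -out "$1/$c.crt" 2>/dev/null || return 1
    done
}

# Run against a file when one is given, e.g.: sh check_chain.sh mydomain.crt
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```
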

As always, once done, restart Apache, then test your cert with an SSL checker such as http://www.sslshopper.com/ssl-checker.html

Hope this helps.

6 to “Apache: The SSLCertificateChainFile directive is deprecated, SSLCertificateFile should be used instead”

  1. Rain Wilber says...

    another work-around:
    “If the SSLCertificateChainFile directive does not work,
    try using the SSLCACertificateFile directive instead.”

    found from here: http://www.digicert.com/ssl-certificate-installation-apache.htm

  2. Todd Eddy says...

    I actually came across this page trying to figure out the ordering of the ssl certs for the PositiveSSL I just bought. This order isn’t right but somehow actually works.

    The correct order:
    – your cert
    – COMODORSADomainValidationSecureServerCA
    – COMODORSAAddTrustCA
    – AddTrustExternalCARoot

    You can figure out the order by running `openssl x509 -noout -text -in your_cert_filename.crt` on each one and make sure the issuer of the certificate is the next in chain.

    For verification https://www.ssllabs.com/ssltest/. Using the original order the test shows it the order that exists in file but then for the actual trust chain it reordered them.

    Also worth noting that you must still use SSLCertificateChainFile in apache 2.2. Tried combining it (which I’m used to doing for nginx installs) and it only ever sees the server certificate. Nice to know in 2.4 that’s been updated

  3. ben says...

    Thanks Todd for the correction!

  4. Arda says...

    This was quite helpful, I was struggling with CentOS for hours, thanks a ton!

  5. Johnny says...

    I found your blog while trying to figure out what the chain was for PositiveSSL. I just wanted to say thank you because my SSL certificate now fully works! I was working on this for a good half of my day and now I can finally move on.

  6. Ali Raza says...

    Thanks Ben quite useful, just looking for source and found it. thanks again.
