Apache's deprecated SSLCertificateChainFile directive (AH02559)
Given that you're using this in your apache config:
SSLCertificateFile /etc/apache2/cert/ssl.crt
SSLCertificateKeyFile /etc/apache2/cert/ssl.key
The /etc/apache2/cert/ssl.crt file should contain
- certificate of e.g. yourdomain.com
- certificate of first intermediate CA, signed by root CA (e.g.StartCom Class 1 Primary Intermediate Server CA)
- certificate of second intermediate CA, signed by first intermediate CA (if there is a second intermediate CA in your certificate chain)
You need to put all intermediate CA's certificates in the crt file. Depending on the certificate chain of your certificate there will be varying number of CAs invovled.
You don't even need to add the root CA, as it has to be in the trust store of any clients, otherwise clients will get an error page, also, if you add it to your chain, it will just be additional overhead for establishing SSL connections, as it has to be transferred for every new SSL session. Actually most clients will also have intermediate CA certificates installed, but some might not, e.g. mobile phones don't have many intermediate CA certificates, so I would definitely add those.
The /etc/apache2/cert/ssl.key file will stay the same, which is, it will contain the key for the certificate of yourdomain.com