I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however--any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?
Taken from the Apache 2.4 Module mod_ssl documentation:
SSLCertificateFile Directive
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.
What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in
cat domain.crt domain-ca.crt > bundle.crt
and use that file inside your site's conf file:
SSLCertificateFile /path/to/bundle.crt
(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)
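A plain cat joins the files byte for byte, so if domain.crt does not end with a newline its END line fuses with the next BEGIN line and PEM parsers reject the bundle. The script below is an added example, not part of the original answer: it builds the leaf-first bundle newline-safely and checks its structure. The file names follow the answer; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: newline-safe variant of
#   cat domain.crt domain-ca.crt > bundle.crt
# Function names are hypothetical; file names follow the answer.

# Print a PEM file, guaranteeing it ends with a newline so the next file's
# BEGIN line cannot fuse with this file's END line.
emit_pem() {
    cat "$1" || return 1
    # tail -c 1 yields the last byte; command substitution strips a newline,
    # so a non-empty result means the file did not end with one.
    [ -z "$(tail -c 1 "$1")" ] || printf '\n'
}

# Print the number of certificate blocks in a file. Fails (no output) on
# fused markers, unbalanced BEGIN/END, or any non-certificate PEM block
# (this helper is stricter than Apache: certificates only).
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----\r?$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----\r?$/   { if (!open) bad = 1; open = 0; n++; next }
        /-----(BEGIN|END) /                { bad = 1 }
        END { if (bad || open) exit 1; print n + 0 }
    ' "$1"
}

# build_bundle LEAF CHAIN OUT
# Writes the leaf certificate first, then the intermediates (leaf to root).
build_bundle() {
    leaf=$1 chain=$2 out=$3
    [ "$(count_certs "$leaf")" = 1 ] || {
        echo "leaf file must hold exactly one certificate" >&2; return 1; }
    n_chain=$(count_certs "$chain") && [ "$n_chain" -ge 1 ] || {
        echo "chain file is malformed or empty" >&2; return 1; }
    { emit_pem "$leaf" && emit_pem "$chain"; } > "$out" || return 1
    # The bundle must contain the leaf plus every chain certificate.
    [ "$(count_certs "$out")" = $((n_chain + 1)) ]
}
```

Called as build_bundle domain.crt domain-ca.crt bundle.crt, it also refuses a swapped argument order whenever the chain file holds more than one certificate.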