As promised, here a quick article on how to implement a certificate with chained trust into an Apache https server. You will need your server certificate and key and additionally the certificates of every intermediary Certificate Authority. Once you have those together move them to your web server. The key file should be kept in a directory with only root access. If you happen to have more than one intermediary Certificate Authority in your chain of trust you will have to put all the certificates into one file. The easiest way to do this is the following:
cat intermediate_intermediatecert_that_signed_the_server.pem intermediatecert2.pem intermediatecer3.pem > certchainfile_for_apache.pem
Once these preparations are finished, you need to open the config file of the virtual host. You need to adapt the following to lines to match the paths of your Certificates:
SSLCertificateFile /path/to/your_server_cert.crt
SSLCertificateKeyFile /path/to/your_server_key.key
They should be in the example SSL file provided by Apache. And in order to display your chain of trust you will need to add following line, tho show of the intermediary CA certificate(s):
SSLCertificateChainFile /path/to/Intermediary_CA_cert.crt
Restart Apache after this and you are finished. And while we are at it lets do Dovecot as well. Copy all the needed Certificates to your mail server. Dovecot does not seem to have a separate option for the trust chain. So just do the following:
cat cert_mail_server.pem cert_intermediate_ca.pem > chained_cert.pem
After this change the config file of dovecot “/etc/dovecot/dovecot.conf”:
ssl_cert_file = /path/to/chained_cert.pem ssl_key_file = /path/to/server_key.pem
And since we are on the mail server any, lets also change postfix. If your postfix is one the same Server as your Dovecot, you can simply use the files from dovecot. If not repeat the steps as shown for dovecot and then edit “/etc/postfix/main.cf”:
smtpd_tls_cert_file = /path/to/chained_cert.pem
smtpd_tls_key_file = /path/to/server_key.pem
Restart Dovecot and Postfix and your are done.
I used this Article as reference: Geeklab How to use chained SSL certificates