Bug 1157188 - "SSL certificate chain" not functional in web console.
Summary: "SSL certificate chain" not functional in web console.
Status: CLOSED DUPLICATE of bug 1147868
Product: OpenShift Online
Classification: Red Hat
Component: Management Console
Version: 2.x
Hardware: All
OS: All
Assignee: Fabiano Franz
QA Contact: libra bugs
Reported: 2014-10-25 23:16 UTC by David Diamondstone
Modified: 2015-05-15 01:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-10-27 14:11:33 UTC

Attachments:
Example certs which demonstrate the issue. (4.46 KB, text/plain)
2014-10-25 23:16 UTC, David Diamondstone

Description David Diamondstone 2014-10-25 23:16:04 UTC
Created attachment 950725
Example certs which demonstrate the issue.

Description of problem:
The "SSL certificate chain" field in the "edit alias" management console is apparently ignored. After uploading a valid SSL certificate and corresponding private key and SSL certificate chain, the certificate chain is not recognized as valid when browsing to my app.

Version-Release number of selected component (if applicable):
Unknown

How reproducible:
100%

Let's say I have a valid SSL certificate foo.com.pem for foo.com signed by CA bar, and I have a valid SSL certificate chain CA-cert.pem validating CA's authority (terminating in a root certificate). If I use the management console to "edit alias" and attach an ssl certificate, the "SSL certificate chain"

Steps to Reproduce:
1. Create a valid certificate foo.com.pem for foo.com, and take the CA's signing certificate CA-cert.pem
2. Go into the "edit alias" management console, enter foo.com.pem in the "SSL Certificate" field, and CA-cert.pem in the "SSL Certificate Chain" field, along with the certificate private key and pass phrase.
3. Navigate to https://www.foo.com

Actual results:
SSL error (e.g. sec_error_unknown_issuer in Firefox) due to lack of valid path from root CA to provided cert.

Expected results:
No error.

Additional info:
This has happened before:
https://bugzilla.redhat.com/show_bug.cgi?id=1063470
https://bugzilla.redhat.com/show_bug.cgi?id=1147868
The workaround suggested, simply concatenating the files before uploading, seems to work.

Those bugs are marked fixed, but I'm still having an issue. Not sure if it's the particular coding being used, but it seems like whatever the web console is doing isn't working, and people keep having to use the workaround. Maybe the web console should just concatenate the files?
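
The workaround mentioned in the description (concatenating the certificate and the chain before upload), as an added example that is not part of the original report or of OpenShift's code: it rebuilds a leaf-first PEM bundle from the two console fields. The function names and the sample bytes are assumptions made for illustration, and the code checks PEM framing only, not signatures or issuer links.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return every certificate in text as DER bytes, in file order."""
    ders = []
    for body in PEM_CERT.findall(text):
        # validate=True rejects stray characters inside the base64 body.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def to_pem(der):
    """Re-encode DER bytes as one PEM block with LF endings and 64-char lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def build_bundle(cert_pem, chain_pem):
    """Concatenate the certificate field and the chain field, leaf first."""
    leaf = pem_blocks(cert_pem)
    if len(leaf) != 1:
        raise ValueError("certificate field must hold exactly one certificate")
    chain = pem_blocks(chain_pem)
    if not chain:
        raise ValueError("chain field holds no certificate")
    # Drop a copy of the leaf if the CA's chain file already includes it.
    ordered = leaf + [der for der in chain if der != leaf[0]]
    # Re-encoding each block avoids the fused "-----END ...----------BEGIN"
    # line that a plain concatenation produces when a file lacks a final newline.
    return "".join(to_pem(der) for der in ordered)


# Constructed sample input: placeholder bytes, not real X.509 certificates.
LEAF, INTERMEDIATE, ROOT = (bytes([n]) * 100 for n in (1, 2, 3))
CERT_FIELD = to_pem(LEAF).rstrip("\n")            # file without final newline
CHAIN_FIELD = (to_pem(LEAF) + to_pem(INTERMEDIATE)
               + to_pem(ROOT)).replace("\n", "\r\n")  # CRLF, leaf repeated
BUNDLE = build_bundle(CERT_FIELD, CHAIN_FIELD)

if __name__ == "__main__":
    print(BUNDLE)
```
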

Comment 1 weiwei jiang 2014-10-27 05:52:40 UTC
Checked on devenv-stage_1082 and devenv_5264, website can work well with ssl certificate chain.

Comment 2 Fabiano Franz 2014-10-27 14:11:33 UTC
This was fixed as part of bug 1147868 but we didn't have a release to OpenShift Online yet. A new release with the fix is going to be published later this week.

*** This bug has been marked as a duplicate of bug 1147868 ***

