Could someone confirm for me if it is correct to include both the intermediate and root certificates in the Apache SSLCertificateChainFile? It seems to me that this should only contain the intermediate certificate, and the client should have the root certificate in their CA bundle. That way they can verify the intermediate certificate and then in turn the server certificate, making the chain of trust.
However, I have some doubts, as the advice given out by some certificate vendors is to include both the root and intermediate certificates on the server. I can see that would make life easier for client programs with no CA bundle, but is that really how certificate verification should work? I'd be grateful if anyone could clarify this for me.
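The chain-building behaviour the question is about can be checked directly with `openssl verify`, which lets you separate "what the client already trusts" (`-CAfile`) from "what the server sent alongside its certificate" (`-untrusted`). The script below is an added example, not code from the original post or from Apache or any vendor: it builds a throwaway root, intermediate and server certificate, then tries the combinations the question raises. All names (`Demo Root CA`, `Demo Intermediate CA`, `www.example.com`) and file names are made up for the demo; in Apache terms `leaf.pem` is what `SSLCertificateFile` would point at and `int.pem` (or `chain_with_root.pem`, the vendor-style version) is what `SSLCertificateChainFile` would point at.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway three-tier PKI
# with openssl and check which combinations of "what the client trusts" and
# "what the server sends" actually verify. All names (Demo Root CA,
# Demo Intermediate CA, www.example.com) are made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Root CA: self-signed. This is what belongs in the client's CA bundle.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 3650 -subj "/CN=Demo Root CA" -config openssl.cnf -extensions ca_ext 2>/dev/null

# Intermediate CA: signed by the root. This is what the server's chain file carries.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" -config openssl.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -out int.pem -extfile openssl.cnf -extensions ca_ext 2>/dev/null

# Server (leaf) certificate: signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.com" -config openssl.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -out leaf.pem -extfile openssl.cnf -extensions leaf_ext 2>/dev/null

# The "vendor style" chain file: intermediate plus root.
cat int.pem root.pem > chain_with_root.pem

# Options that stop openssl from loading the system trust store, so "none"
# really means a client with no CA bundle. -no-CAstore only exists in 3.x.
NO_DEFAULTS="-no-CAfile -no-CApath"
if openssl verify -help 2>&1 | grep -q -- -no-CAstore; then
  NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
fi

# client_verify TRUST CHAIN
#   TRUST: file the client already holds as a trust anchor, or "none" for a
#          client with no CA bundle at all.
#   CHAIN: extra certificates the server sends alongside the leaf, or "none".
# Certificates passed via -untrusted are handled the way a TLS client handles
# what arrives over the connection: usable to build the chain, never as an
# anchor. Prints OK or FAIL.
client_verify() {
  if [ "$1" = none ]; then trust_opt="$NO_DEFAULTS"; else trust_opt="-CAfile $1"; fi
  if [ "$2" = none ]; then chain_opt=""; else chain_opt="-untrusted $2"; fi
  # shellcheck disable=SC2086  # word splitting of the option strings is intended
  if openssl verify $trust_opt $chain_opt leaf.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

printf '%-24s %-22s %s\n' "client trusts" "server sends" "result"
printf '%-24s %-22s %s\n' root.pem "leaf only"           "$(client_verify root.pem none)"
printf '%-24s %-22s %s\n' root.pem "leaf + intermediate" "$(client_verify root.pem int.pem)"
printf '%-24s %-22s %s\n' root.pem "leaf + int + root"   "$(client_verify root.pem chain_with_root.pem)"
printf '%-24s %-22s %s\n' "nothing (no CA bundle)" "leaf + int + root" "$(client_verify none chain_with_root.pem)"
```

The four rows line up with the two positions in the question: a client that holds the root verifies as soon as the server supplies the intermediate, and still verifies if the root is sent along as well (the extra certificate is simply ignored as an anchor). The last row is the case the vendor advice seems aimed at, and it shows why it does not help: a client with no trust anchor cannot verify anything, because a root received over the connection is exactly as unauthenticated as the leaf it is supposed to vouch for.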