This article assumes that you have received your certificate from the certificate issuer and wish to install it on your Apache Web server. To learn how to request a certificate, see the article "How to generate a certificate request with OpenSSL?".
Apache uses two SSL directives to locate your certificates: one for your own certificate, and one for the certificate issuer's intermediate and root certificates.
Depending on the Certificate Authority you ordered your certificate from, you either received a single file with all the certificates, one file for your own certificate and a bundle of certificates from the CA, or all separate files. The second scenario is the most common because it allows for quick installation into Apache.
If you received separate files from your CA, use the following command to merge them together in reverse order. Of course, if there is only one intermediate certificate, you should only add one.
cat intermediate_2.crt intermediate_1.crt CA_root.crt >> /etc/certs/bundle.crt
The order in which you put the files together is important:
The root certificate need not be included strictly speaking, since it is already known by Web browsers, but it can be useful to build a full chain of certificates.
If you received your own certificate and a certificate bundle, simply store them in the directory where you keep your certificates and keys, e.g. /etc/certs.
Open the SSL virtual hosts file of your Apache server. Depending on your distribution you can find it in one of the following places:
If you are unsure of the exact location, you can run the following command from the /etc directory or one of the directories above to get a list of existing virtual hosts:
grep -r VirtualHost *
Add a new VirtualHost block to the virtual hosts file. Note that in the example below, you should have the paths point to your website's root directory, and the SSL parameters point to the directory where you keep your keys and certificates. It may be easier to copy and modify an existing VirtualHost block.
<VirtualHost *:443>
    DocumentRoot /home/www/public_html/www.mydomain.com/public/
    ServerName www.mydomain.com
    SSLEngine on
    SSLCertificateFile /etc/certs/www.mydomain.com.crt
    SSLCertificateKeyFile /etc/certs/www.mydomain.com.key
    SSLCertificateChainFile /etc/certs/bundle.crt
</VirtualHost>
The above configuration is an absolutely minimal SSL configuration, and it is recommended to further configure your web server for more performance and more security. You can use the Kinamo articles on Apache performance and security for this purpose.
For apache2, omit the SSLCertificateChainFile line and add the intermediate certificate to the .crt file of the SSL certificate!
Test your configuration before restarting the Web server. Otherwise you run the risk that Apache will fail to start because of a misconfiguration, which would also take down the other Web sites it serves. Test the configuration with one of the following commands:
httpd -t
apachectl configtest
apache2ctl configtest
Restart Apache to apply your new configuration with one of the following commands:
/etc/init.d/httpd restart
service httpd restart
apachectl -k restart
systemctl reload apache2.service
If your certificate does not display correctly in a browser, verify that the Web server is sending the full chain of certificates to the browser, using the following command, replacing www.kinamo.be with your own domain name:
openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerp/L=antwerp/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
You should see a series of certificates, starting with yours, and ending with the issuer's root certificate.
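The same two failure modes (a key that does not belong to the certificate, and a bundle that lacks an intermediate) can be caught on disk before Apache is restarted. The script below is an added example, not part of the original article: the function names and the throwaway demo hierarchy are assumptions made for illustration, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: checks to run before pointing Apache at new certificate files.

# True when the certificate and the private key hold the same public key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
  _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# True when CERT chains to ROOT using only the intermediates found in BUNDLE.
chain_verifies() {  # usage: chain_verifies ROOT BUNDLE CERT
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Constructed sample data: throwaway root -> intermediate -> server hierarchy.
make_demo_pki() {  # usage: make_demo_pki DIR
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root int www; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=demo-$n.example" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 1 -out root.crt 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 1 -out int.crt 2>/dev/null || exit 1
    openssl x509 -req -in www.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 1 -out www.crt 2>/dev/null || exit 1
    cat int.crt root.crt > bundle.crt )  # same order as the article's cat command
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" && {
  cert_matches_key "$demo_dir/www.crt" "$demo_dir/www.key" && echo "key matches certificate"
  cert_matches_key "$demo_dir/www.crt" "$demo_dir/int.key" || echo "wrong key detected"
  chain_verifies "$demo_dir/root.crt" "$demo_dir/bundle.crt" "$demo_dir/www.crt" && echo "chain complete"
  chain_verifies "$demo_dir/root.crt" "$demo_dir/root.crt" "$demo_dir/www.crt" || echo "missing intermediate detected"
  rm -rf "$demo_dir"
}
```

On a real server, call the two check functions with the files from the VirtualHost block (certificate, key and bundle) and the CA's root certificate instead of the demo files.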
Surf to Qualys SSL Labs' test page to verify that your Web server and your certificate are configured correctly and securely.