All about SSL certificates

All about SSL certificates

Apache - installing an SSL certificate

Last updated on 28 Sep 2023, 10:23:08.
Category: All about SSL certificates | SSL configuration

Apache SSL SSL Certificaten

This article assumes that you have received your certificate from the certificate issuer and wish to install it on your Apache Web server. To know how to request a certificate, you can refer to the article "How to generate a certificate request with OpenSSL?".

Apache - Install the SSL certificate

Step 1: Create a certificate bundle (optional)

Apache uses two SSL settings to check the paths of your SSL certificates, one for your own certificate, and one for the certificate issuer's intermediate and root certificates.

Depending on the Certificate Authority you ordered your certificate from, you either received a single file with all the certificates, one file for your own certificate and a bundle of certificates from the CA, or all separate files. The second scenario is the most common because it allows for quick installation into Apache.

If you received separate files from your CA, use the following command to merge them together in reverse order. Of course, if there is only one intermediate certificate, you should only add one.

cat intermediate_2.crt intermediate_1.crt CA_root.crt >> /etc/certs/bundle.crt

The order in which you put the files together is important:

  • First the intermediate certificates - usually one, sometimes two
  • Then the root certificate.

The root certificate need not be included strictly speaking, since it is already known by Web browsers, but it can be useful to build a full chain of certificates.

If you received your own certificate and a certificate bundle, simply store them in the directory where you keep your certificates and keys, e.g. /etc/certs.

Step 2: Modify the Apache virtual hosts file

Open the SSL virtual hosts file of your Apache server. Depending on your distribution you can find it in one of the following places:

  • /etc/httpd for Red Hat, CentOs, Fedora and many others
  • /etc/apache2 for Debian, Ubuntu and derivatives

If you are unsure of the exact location, you can run the following command from the /etc directory or one of the directories above to get a list of existing virtual hosts:

grep -r VirtualHost *

Add a new VirtualHost block to the virtual hosts file. Note that in the example below, you should have the paths point to your website's root directory, and the SSL parameters point to the directory where you keep your keys and certificates. It may be easier to copy and modify an existing VirtualHost block.

<Virtualhost :443="">.
 DocumentRoot /home/www/public_html/www.mydomain.com/public/
 ServerName www.mydomain.com

 SSLEngine on
 SSLCertificateFile /etc/certs/www.mydomain.com.crt
 SSLCertificateKeyFile /etc/certs/www.mydomain.com.key
 SSLCertificateChainFile /etc/certs/bundle.crt

</Virtualhost>

The above configuration is an absolutely minimal SSL configuration, and it is recommended to further configure your web server for more performance and more security. You can use the Kinamo articles on Apache performance and security for this purpose.

For apache2 ommit the SSLCertificateChainFile line and add the intermediate certificate to the .crt file of the SSL certificate!

Step 3: Test your configuration

Test your configuration before restarting the Web server, otherwise you run the risk that Apache will not want to start up due to a misconfiguration and other Web sites will be inconvenienced as a result. You test the configuration with one of the following commands:

httpd -t
apachectl configtest
apache2ctl configtest

Step 4: Restart Apache

Restart Apache to apply your new configuration with one of the following commands:

/etc/init.d/httpd restart
service httpd restart
apachectl -k restart

or

systemctl reload apache2.service

Step 5: Troubleshooting

If your certificate does not display correctly in a browser, verify that the Web server is sending the full chain of certificates to the browser, using the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerp/L=antwerp/O=Kinamo NV/CN=www.kinamo.be
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a series of certificates, starting with yours, and ending with the issuer's root certificate.

Step 6: Test the security

Surf to Qualys SSL Labs' test page to verify that your Web server and your certificate are configured correctly and securely.

Related articles

Order an SSL certificate? What is an SSL certificate?

You need to order an SSL certificate? But what is an SSL certificate? And why is everyone saying that it...

Read more

SHA1, SHA2 and SHA256 SSL algorithms

SHA is a mathematical algorithm used in SSL encryption to verify the validity of the certificate's signature. Different iterations of...

Read more

Why do I see a yellow warning triangle on an HTTPS secured website?

The yellow warning triangle you may see when visiting a webpage that's secured with SSL, is an indication that Google...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Select your language

All languages: