Apache - Install SSL Certificate

Category: All about SSL certificates

Apache SSL SSL Certificaten

This article assumes you've received your certificate from the Certificate Authority, and that you wish to install it on your Apache webserver. If you want to know how to request a certificate, please consult the « How to generate a certificate request with OpenSSL » article.

Apache - SSL certificate installation

Step 1: Building a certificate bundle (optional)

Apache uses one directive in its configuration to identify your own SSL certificate, and one to identify the Certificate Authorities' intermediate and root certificates.

Depending on the Certificate Authority you ordered your certificate from, you may receive the certificates either as distinct files, all bundled in one file, or your certificate in one file and all CA certificates in a bundle. Most commonly, you will receive your own certificate as a separate file, and another file containing intermediate and root certificates for use in Apache.

If you have received separate files from the CA, use the following command to concatenate the certificates in reverse order. If there's only one intermediate certificate, you only need to concatenate that one, of course.

cat intermediate_2.crt intermediate_1.crt CA_root.crt >> /etc/certs/bundle.crt

The order in which you concatenate the certificates is important:

  • The first certificates should be the intermediate certificates, if any - there usually is one, sometimes two
  • Then followed by the root certificate

The root certificate is not strictly needed in this list, since browsers have CA's root certificates built-in, however it may be best practice to include it.

If you received your own certificate in a separate file, and the CA certificates in a bundle, just move the files over to your certificate directory, for instance /etc/certs.

Step 2: Edit the Apache virtual hosts file

Open the SSL virtual hosts file of your Apache server. Depending on your distribution, this could be found at under one of the following directories:

  • /etc/httpd for Red Hat, CentOs, Fedora and many other distributions
  • /etc/apache2 for Debian, Ubuntu and Debian derivates

In case of doubt, try finding existing <VirtualHost> declarations by executing the following command from the /etc directory or one of those listed above:

grep -r VirtualHost *

Add a new VirtualHost block to the virtual hosts file. Note that in the example below, you should modify the paths so that they point to your website's root directory, and the SSL directives so they point to your SSL certificate and your private key. It may be easier to copy and modify an existing VirtualHost entry in your config file.

<Virtualhost :443="">
 DocumentRoot /home/www/public_html/www.mydomain.com/public/
 ServerName www.mydomain.com

<strong> SSLEngine on
 SSLCertificateFile /etc/certs/www.mydomain.com.crt
 SSLCertificateKeyFile /etc/certs/www.mydomain.com.key
 SSLCertificateChainFile /etc/certs/bundle.crt
</strong></Virtualhost>

Please note that the above is only a minimal working server configuration, and that your web server should be tuned for optimum security and performance. You may want to check out our articles on tuning and securing Apache in the Knowledge Base.

Step 3: Test your configuration

It's good practice to check your server configuration before restarting Apache. Use one of the commands below according to your distribution:

httpd -t
apachectl configtest
apache2ctl configtest

Step 4: Restart Apache

Restart Apache to apply your new configuration with one of the following:

/etc/init.d/httpd restart
service httpd restart
apachectl -k restart

Step 5: Troubleshooting

If your certificate doesn't display correctly in a browser, check if all certificates are being sent correctly to a browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own one, and going up through the different intermediate certificates.

Step 6: Security Test

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.


Related articles

How can I move (transfer) a .com, .net or .org domain name?

If you would like to move (transfer) a domain name (typically com, .net or .org) from your current registrar to...

Read more

How can I publish my website via FTP?

If you use shared web hosting at Kinamo, either Linux hosting or Windows hosting, you can use an FTP program...

Read more

As a server housing customer, do I have access to the datacenter?

Only Kinamo rack housing customers have direct access to the datacenter and can gain access to their own rented rack...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Kinamo

Select your language