Tags for this FAQ item:
Apache SSL SSL Certificates

Help us by rating this article!

Rated 0 stars, based on 1 votes

Apache - Install SSL Certificate

Last updated: 12/01/2016

This article assumes you've received your certificate from the Certificate Authority, and that you wish to install it on your Apache webserver. If you want to know how to request a certificate, please consult the « How to generate a certificate request with OpenSSL » article.

Apache uses one directive in its configuration to identify your own SSL certificate, and one to identify the Certificate Authorities' intermediate and root certificates.

Depending on the Certificate Authority you ordered your certificate from, you may receive the certificates either as distinct files, all bundled in one file, or your certificate in one file and all CA certificates in a bundle. Most commonly, you will receive your own certificate as a separate file, and another file containing intermediate and root certificates for use in Apache.

If you have received separate files from the CA, use the following command to concatenate the certificates in reverse order. If there's only one intermediate certificate, you only need to concatenate that one, of course.

cat intermediate_2.crt intermediate_1.crt CA_root.crt >> /etc/certs/bundle.crt

The order in which you concatenate the certificates is important:

  • The first certificates should be the intermediate certificates, if any - there usually is one, sometimes two
  • Then followed by the root certificate

The root certificate is not strictly needed in this list, since browsers have CA's root certificates built-in, however it may be best practice to include it.

If you received your own certificate in a separate file, and the CA certificates in a bundle, just move the files over to your certificate directory, for instance /etc/certs.

Open the SSL virtual hosts file of your Apache server. Depending on your distribution, this could be found at under one of the following directories:

  • /etc/httpd for Red Hat, CentOs, Fedora and many other distributions
  • /etc/apache2 for Debian, Ubuntu and Debian derivates

In case of doubt, try finding existing <VirtualHost> declarations by executing the following command from the /etc directory or one of those listed above:

grep -r VirtualHost *

Add a new VirtualHost block to the virtual hosts file. Note that in the example below, you should modify the paths so that they point to your website's root directory, and the SSL directives so they point to your SSL certificate and your private key. It may be easier to copy and modify an existing VirtualHost entry in your config file.

<Virtualhost :443="">
  DocumentRoot                   /home/www/public_html/www.mydomain.com/public/
  ServerName                     www.mydomain.com

  SSLEngine on
  SSLCertificateFile             /etc/certs/www.mydomain.com.crt
  SSLCertificateKeyFile          /etc/certs/www.mydomain.com.key
  SSLCertificateChainFile        /etc/certs/bundle.crt
</Virtualhost>

Please note that the above is only a minimal working server configuration, and that your web server should be tuned for optimum security and performance. You may want to check out our articles on tuning and securing Apache in the Knowledge Base.

It's good practice to check your server configuration before restarting Apache. Use one of the commands below according to your distribution:

httpd -t
apachectl configtest
apache2ctl configtest

Restart Apache to apply your new configuration with one of the following:

/etc/init.d/httpd restart
service httpd restart
apachectl -k restart

If your certificate doesn't display correctly in a browser, check if all certificates are being sent correctly to a browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own one, and going up through the different intermediate certificates.

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.