Installing an SSL certificate on Apache

This guide will assist you in installing your SSL certificate on Apache. We have used a Comodo PositiveSSL certificate as the example below. However, the steps remain the same for all SSL certificates.

  1. Upload the certificate files to the server where your website is hosted.

    For Comodo certificates, you should receive a zip archive with *.crt and *.ca-bundle files. GeoTrust/Thawte/Symantec send certificates in plain text. Simply save the certificates as txt files; Notepad is sufficient for this. For Comodo PositiveSSL the files would look like the ones below:

    *yourdomainname*.crt
    *yourdomainname*.ca-bundle

    or you may receive the CA certificates in separate files, as shown below:

    COMODORSADomainValidationSecureServerCA.crt

    COMODORSAAddTrustCA.crt

    AddTrustExternalCARoot.crt

  2. Combine the CA certificates into a single file.

    If you received several CA certificates in separate files, you should combine them into a single file to make the CA bundle. You can also download a completed bundle file here.

    For Comodo PositiveSSL, the CA certificates are: AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt.

    To combine them, run the following command in the terminal:

    $ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt

  3. Edit your Apache VirtualHost file. If you do not have a record for port 443 in your VirtualHost, you should add it manually.

    The location of the configuration file depends on the server and OS version. Some possible examples are listed below:

    Fedora/CentOS/RHEL: /etc/httpd/conf/httpd.conf

    Debian and Debian based: /etc/apache2/apache2.conf

    The name of the file may also vary:

    httpd-ssl.conf

    ssl.conf

    default-ssl.conf

    The situation for Apache on Ubuntu differs, as the configurations for ports 443 and 80 for each site are located in separate files. You can find them in /etc/apache2/sites-enabled/. Edit or create the file with the VirtualHost for port 443 to set up the secure connection.

    You can duplicate the record for port 80 (it should be in your VirtualHost file by default) and change port 80 to port 443. Simply add it below the non-secure record. In addition to the port change, you also need to add the following lines to the record:

    SSLEngine on

    # SSLCertificateFile should point to the certificate file that was issued for your domain name.

    SSLCertificateFile "/ssl/*yourdomainname*.crt"

    # SSLCertificateKeyFile should point to the private key that was generated together with the CSR code you used to activate the certificate.

    SSLCertificateKeyFile "/ssl/*your_private_key*.key"

    # SSLCACertificateFile should point to the file with the combined CA certificates. In this example we have combined the CA certificates in the file bundle.crt. In older Apache versions, the directive might be called SSLCertificateChainFile instead.

    Note! Starting from Apache 2.4.8, the 'SSLCertificateChainFile' directive became obsolete. The chain of intermediate certificates can be added to the file with the domain certificate.

    SSLCACertificateFile "/ssl/bundle.crt"

    A complete VirtualHost record for port 443 may look like the one below:

    Listen 443

    <VirtualHost _default_:443>

    DocumentRoot "/var/www"

    ServerName *your_domain_name*

    SSLEngine on

    SSLCertificateFile "/ssl/*your_domain_name*.crt"

    SSLCertificateKeyFile "/ssl/*your_private_key*.key"

    SSLCACertificateFile "/ssl/bundle.crt"

    </VirtualHost>

Note! If you are using a multi-domain or wildcard certificate, it is necessary to modify the configuration files for each domain/subdomain hosted on the server. You need to specify the domain/subdomain you want to secure and refer to the same certificate files in the VirtualHost record in the way described above.

Once you have modified the VirtualHost file, you need to restart Apache in order to apply the changes.

You can restart Apache with the following command:

sudo service apache2 reload
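
An added example (not part of the original guide): a shell script that checks, before the reload, that the certificate matches the private key, that the domain certificate and bundle are in issuing order, and that the bundle holds no duplicates or private key material. The function names are hypothetical and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: sanity checks on the certificate files before reloading Apache.
# Function names are hypothetical; pass the paths used in your VirtualHost.

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints how many certificates appear more than once in a PEM bundle
# (the result of building the bundle twice with an appending redirect).
bundle_duplicates() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { print body; inside = 0; next }
        inside                        { body = body $0 }' | sort | uniq -d | wc -l
}

# Succeeds if, reading the files in the order given (domain certificate first,
# then the bundle), every certificate is issued by the one that follows it.
chain_in_order() {
    local tmp rc
    tmp=$(mktemp) || return 1
    cat "$@" | tr -d '\r' > "$tmp"   # strip CRs left by Windows editors
    openssl crl2pkcs7 -nocrl -certfile "$tmp" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9); if (n++ && s != i) bad = 1 }
             /^issuer=/  { i = substr($0, 8) }
             END         { exit (n < 2 || bad) }'
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Succeeds if the bundle contains private key material, which must never be there.
bundle_has_private_key() { grep -q -- 'PRIVATE KEY-----' "$1"; }

# Usage: ./check.sh domain.crt private.key bundle.crt
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" || echo "certificate does not match private key"
    chain_in_order "$1" "$3"   || echo "chain is out of order or incomplete"
    [ "$(bundle_duplicates "$3")" -eq 0 ] || echo "bundle has duplicate entries"
    ! bundle_has_private_key "$3" || echo "bundle contains a private key"
fi
```

The order check compares issuer and subject names only; it does not verify signatures or expiry dates.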
