SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates are digital security certificates that secure your website with encryption. When these certificates are installed on the web server, they secure all browser-server data in transit with strong 256-bit encryption.
Apache is a free and open-source web server that provides web content via the internet. In this blog, we will discuss how to install an SSL certificate on an Apache server.
Lastly, we will share some tips on choosing the best SSL certificate provider from which to purchase an SSL certificate to secure your Apache server.
Steps to Install an SSL Certificate on Apache
1. Generation of CSR Code on Apache:
Before installing the SSL certificate, you must generate a CSR. The CSR (Certificate Signing Request) is a file that contains details such as your domain name, company name, locality, etc. The CSR also contains the server's public key.
The private key is generated at the same time and is paired with this public key.
Note: The CSR can be generated automatically using the CSR Generator or on a manual basis from the server.
2. Order your SSL Certificate:
After generating the CSR, you need to order the SSL certificate (here we took a Comodo SSL certificate) from ClickSSL by providing them with the CSR. The CA will verify the domain ownership or the organization’s legitimacy, and after positive verification the applicant has to complete the configuration process to get the SSL certificate. Once the domain ownership is confirmed, the applicant has to submit the required documents in the case of organization validation and extended validation certificates. The certificate authority will verify the documents and issue the certificate. The certificate will be sent to the applicant’s registered email address.
3. Installation of SSL certificate on Apache:
Once the applicant receives the certificate, it should be downloaded to the desktop so that the installation process can begin. The installation process on the Apache server is described below.
Steps for Installation of SSL:
Download the Certificate Files:
Your Certificate Authority will email you a zipped folder containing several .crt files. Download it and extract all the files. The files in the zip archive are:
- The SSL certificate (which has your domain name) is the .crt file.
- The root and intermediate certificates are located inside the .ca-bundle file. These certificates are essential for authentication, since browsers use them to validate your certificate and your site is then not flagged as “Not Secure”.
Note: If you have more than one .ca-bundle file, i.e., your root and intermediate certificates are present in different files, you need to concatenate them into a single .ca-bundle file and then upload it to your server.
Use the command below (for PositiveSSL certificates) to generate a single bundle file.
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
4. Locate the Apache Configuration File:
Depending on your server and OS (operating system) version, the location and the name of the Apache configuration file may vary.
The file may be named httpd.conf, apache2.conf, or ssl.conf and may reside in the /etc/httpd/ or /etc/apache2/ directories, or at /etc/httpd/conf.d/ssl.conf.
The configuration file carries the virtual hosts for all domains that are hosted on the server.
Note: If your Apache server is installed on the Ubuntu OS, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/.
To let users access your site via both secured and non-secured connections, you will require two separate configuration files, i.e., one for port 80 and the other for port 443.
5. Configure Virtual Host Section:
In the Apache configuration file, you will have to add/modify the virtual host for port 443.
It’s vital to take a backup of the configuration file (*.conf file) before making any modifications. This is essential in case you want to reverse your modifications.
Tip: Copy and save your current *.conf file and rename it to *.conf_backup
cp default-ssl.conf default-ssl.conf_backup
After the backup is done, the modification of the Virtual Host commences. A Virtual Host looks like this:
<VirtualHost *:443>
    ServerAdmin webmaster@abc.com
    DocumentRoot /var/www/
    ServerName www.abc.com
    ErrorLog /www/home/logs/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/abc_com.crt
    SSLCertificateKeyFile /etc/ssl/abc.key
    SSLCertificateChainFile /etc/ssl/abc_com.ca-bundle
</VirtualHost>
The values of the SSL directives need to be replaced with the necessary details, i.e., modify the file names according to the certificate names and their locations on the server.
- SSLCertificateFile – This is your main SSL certificate file
- SSLCertificateKeyFile – This is your private key file which is generated by you along with the CSR code
- SSLCertificateChainFile – This is your CA Bundle file
Note: Ensure that the SSL directives don’t have a “#” (comment) in front of them. If a “#” exists, uncomment them.
This is how your Virtual Host for port 443 should look.
<VirtualHost *:443>
    ServerAdmin webmaster@abc.com
    DocumentRoot /var/www
    ServerName www.abc.com
    ErrorLog /www/home/logs/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/abc_com.crt
    SSLCertificateKeyFile /etc/ssl/abc.key
    SSLCertificateChainFile /etc/ssl/abc_com.ca-bundle
</VirtualHost>
Note:
It’s advisable to configure a separate virtual host for each site and sub-domain.
Starting with Apache 2.4.8, the SSLCertificateChainFile directive is obsolete, and intermediate certificates are instead added to the file referenced by SSLCertificateFile.
6. Save your Apache Configuration File & Restart Apache:
As a routine practice, it’s advisable to check your Apache configuration file for errors before restarting Apache, since your server won’t start if your configuration files have syntax errors.
Run the following command to test whether the configuration file has proper syntax before restarting Apache:
apachectl configtest
Restart Apache.
You can use apachectl commands to stop and start Apache with SSL support (to activate the SSL certificate installation changes).
apachectl stop
apachectl start
Note: If your Apache fails to start with SSL support, you can use the below-stated commands.
/usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl restart
If, under any unforeseen circumstances, Apache fails to restart, there’s no need to worry since you already have a backup configuration file. Delete the newly modified configuration file, revert to the old file, and repeat the installation process.
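The certificate-handling steps above (CSR generation, checking the issued certificate against the private key and the CA bundle, and building the single file that Apache 2.4.8 and later read through SSLCertificateFile), as an added shell example that is not part of the original article. The function names, file names and the throwaway test CA are assumptions made for the demonstration; it requires the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not from the original article; all file names are placeholders.

# Step 1: write a private key (owner-only permissions) and a CSR for domain $1 into dir $2.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$2/$1.key" -out "$2/$1.csr" \
          -subj "/C=US/O=Example Org/CN=$1" 2>/dev/null )
}

# Succeeds only if certificate $1 contains the public half of private key $2.
same_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the issuer name of certificate $1 equals the subject name of the
# first certificate in file $2 (a name comparison, not a signature check).
issued_by() {
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    sub=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# Apache 2.4.8+: combine certificate $1 and CA bundle $3 into $4, but only
# after the certificate has been checked against key $2 and the bundle.
build_fullchain() {
    same_keypair "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    issued_by "$1" "$3" || { echo "bundle does not start with the issuer" >&2; return 1; }
    cat "$1" "$3" > "$4"
}

# Constructed demo: a throwaway CA stands in for the real certificate authority.
demo() {
    d=$(mktemp -d) || return 1
    make_csr www.abc.com "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/www.abc.com.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/www.abc.com.crt" 2>/dev/null || return 1
    build_fullchain "$d/www.abc.com.crt" "$d/www.abc.com.key" "$d/ca.crt" \
        "$d/fullchain.crt" || return 1
    echo "$d"
}

demo
```

With the combined file, SSLCertificateFile points at fullchain.crt and the SSLCertificateChainFile line is left out.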
Congrats on the successful installation of the SSL certificate on Apache!!
Test your SSL Installation:
Testing is essential after every major change is done in the configuration file. The same stands true for the SSL installation process too.
After the successful installation of the SSL certificate on your Apache server, test the status of the SSL certificate installation by using the SSL certificate checker tool.
This will help in finding potential threats or errors that may adversely affect the functioning of the SSL certificate.
Where to Buy an SSL Certificate for Apache?
Multiple SSL certificate providers offer various brands of SSL certificates. Choose a reliable one for your Apache server and secure it with encryption to protect it from intruder attacks.