How to Install SSL Certificate on Apache Web Server
Steps to Install SSL on Apache Web Server
Please complete this checklist before installing SSL Certificate on Apache Web server
- Buy/renew SSL Certificate
- Generate CSR with SHA-2 algorithm
- Save the CSR & Private key file on your server directory
- Submit SSL issuance Documents as per CA’s requirement (Only for OV & EV Certificate issuers)
Step 1: Save SSL Certificate Files
After payment and document verification process you will receive certificate files (server certificate, root certificate
For Example – The location on SSL key file is /etc/
Step 2: Download CA bundle Files
CA-bundles are required to install SSL Certificate. CA-Bundle files could be different based on the type of your SSL certificate (Either Domain, Organization or Extended Validation SSL certificate). Visit your SSL Certificate authority website for CA bundle files.
Step 3: SSL Configuration file (HTTPD.CNF) modification
- Open the cnf file using any text editor (E.G Notepad).
- In the virtual host section add following lines to add information about the domain which you wish to secure using SSL certificate.
- SSLEngine on
- SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
- SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
- SSLCertificateChainFile /etc/ssl/ssl.crt/domain.ca-bundle
For older apache version use SSLCACertificateFile instead of SSLCertificateChainFile.
- SSLProtocol all
- SSLHonorCipherOrder On (Ciphers use order in server)
- SSLCipherSuiteECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS (To set up the priority to the strong ciphers & also disabling the weak ciphers as well.)
- Save the cnf file.
- Restart your Apache Server.
You can also apply following commands to restart Apache
/usr/local/apache/bin/apachectl startssl /usr/local/apache/bin/apachectl restart
Your SSL Certificate is now installed on your Apache.
Note: File names such as server.key, domain.crt, and domain.ca-bundle are used for illustration purpose only. You have to use your own certificate file names.