Steps to Install Certum SSL Certificate on Apache web server
Initial Instruction Please complete this checklist before installing Certum SSL Certificate on Apache Web server.
- Buy/renew Certum SSL Certificate
- Generate CSR with SHA-2 algorithm
- Save the CSR & Private key file on your server directory
- Apply for SSL Certificate Issuance
- Submit SSL issuance Documents as per Certum’s requirement (Only for OV & EV Certificate issuers)
Step 1: Save Certum SSL Certificate Files
After payment and document verification process Certum will send you the SSL Certificate file which certificate files are server certificate, root certificate and intermediate certificate. Store these all files on your Apache server directory.
Make sure these files must keep in separate directories where only Apache have permission to read, For Example – The location on SSL key file is /etc/ssl/ssl.key and the location of the Server Certificate and CA-Bundle Files are – /etc/ssl/ssl.crt)
Above file locations and name we’ve used are just for illustration purpose, you can use your own own unique name and file locations.
Step 2: Download CA bundle Files
CA-bundles are required to install SSL Certificate. CA-Bundle files should be different based on the type of your SSL certificate (Either Domain, Organization or Extended Validation SSL certificate). Check below table to download CA-bundle file.
|SSL Certificate File Type||CA-Bundle Source|
|Domain Validation SSL – SHA-2||https://repository.certum.pl/bundles/DVSSLChain-SHA2.crt|
|Extended Validation SSL – SHA-2||https://repository.certum.pl/bundles/EVSSLChain-SHA2.crt|
|Organization Validation – SHA-2||https://repository.certum.pl/bundles/OVSSLChain-SHA2.crt|
Step 3: SSL Configuration file (HTTPD.CNF) modification
- Open the cnf file using any text editor (E.G Notepad).
- In the virtual host section add following lines to add information about the domain which you wish to secure using SSL certificate.
- SSLEngine on
- SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
- SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
- SSLCertificateChainFile /etc/ssl/ssl.crt/domain.ca-bundle
For older Apache version use SSLCACertificateFile instead of SSLCertificateChainFile.
- SSLProtocol all
- SSLHonorCipherOrder On (Ciphers use order in server)
- SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS (To set up the priority to the strong ciphers & also disabling the weak ciphers as well.)
- Save the httpd.cnf file.
- Restart your Apache Server.
Your SSL Certificate is now installed on your Apache Web Server.
Note: File names such as server.key, domain.crt, and domain.ca-bundle are used for illustration purpose only. You have to use your own certificate file names.