After your Certificate is issued by the Certificate Authority, you’re ready to begin installation on your Apache server. Follow these steps:
Step 1: Upload Certificate Files Onto Server
The Certificate Authority will email you a zip-archive with several .crt files.
Alternatively, you can download the certificate files in your Account. The zip-archive will contain the Certificate for your domain name (.crt) and the CA-Bundle (.ca-bundle) file. These are known as a chain of intermediate and root Certificates.
If you uploaded the intermediate Certificates separately onto your server, you will need to link them into a single CA-Bundle file.
For a PositiveSSL Certificate, use the following command to combine the intermediate and root certificates:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt
You can download the complete CA-Bundle files for our Certificates here.
Step 2: Locate Apache Configuration File
The location and the name of the Apache configuration file may differ depending on the server and OS version you’re using. The file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.
The configuration file contains the Virtual Hosts for all domains that are hosted on the server.
Note: if you have Apache server installed on the Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.
Step 3: Configure Virtual Host Section
You’ll need to add or modify the virtual host for port 443 in the configuration file.
We recommend you backup the configuration file before making any changes to it. This way you can revert the changes if something goes wrong. Simply copy and save your current *.conf file as *.conf_backup:
cp default-ssl.conf default-ssl.conf_backup
Make sure that the Virtual Host has the following directives, with no # in front of them:
- SSLEngine on
- SSLCertificateFile pointed to the location of the Certificate issued for your domain name
- SSLCertificateKeyFile pointed to the location of your Private Key on the server.
- SSLCertificateChainFile pointed to the location of the CA-Bundle file.
The Virtual Host for 443 port should look the following way:
<VirtualHost [IP ADDRESS]:443> ServerAdmin firstname.lastname@example.org DocumentRoot var/www ServerName www.ssl-tutorials.com ErrorLog www/home/logs/error_log SSLEngine on SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle </VirtualHost>
Note: starting from Apache 2.4.8, the SSLCertificateChainFile directive became obsolete. Intermediate Certificates can now be added to the SSLCertificateFile.
Step 4: Enabling OCSP Stapling
OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host:
Also specify the OCSP cache response location and size outside of the Virtual Host section, using SSLStaplingCache directive:
Note: OCSP Stapling is only enabled for configuration from Apache HTTP server 2.3.3 and higher.
Step 5: Save & Restart
Test if the new configuration of your Apache service has proper syntax using this command:
If the syntax is OK, save your changes in the configuration file and restart Apache.
You can restart using these apachectl commands:
apachectl restart apachectl stop apachectl start
If the Apache service fails to restart or the SSL does not get installed, make sure the configuration file is created properly. Alternatively, you can contact our support team for assistance.
You can delete the modified configuration file and revert back to your backup configuration created in Step 3 at any time.
Well done! Your SSL Certificate is installed. You can confirm this using the SSL Checker tool.