Install an SSL certificate

  • Last updated on: 2018-10-23
  • Authored by: Cat Lookabaugh

After you generate a certificate signing request (CSR) and purchase or renew a Secure Sockets Layer (SSL) certificate, you need to install it. This article shows you how to install an SSL certificate on various servers and operating systems, from copying the files onto the server to binding the certificate in IIS, Apache, Nginx, and Microsoft Azure.

After you have installed your certificate, you should reload your web server service.

Prerequisites

Before you install your certificate, make sure that you have the following items:

  • A certificate from your preferred SSL vendor stored on your server. If you don’t already have a certificate, see Generate a CSR and Purchase or renew an SSL certificate for instructions.
  • The Certificate Authority (CA) bundle with the root and intermediate certificates provided by the SSL vendor. Without the intermediates, clients that don’t already have them cached can’t build the chain and reject the certificate.
  • The .key file that was generated when you created the CSR. It is the private half of the key pair; it never leaves your server and is never sent to the vendor.
  • An installed web server such as Apache with mod_ssl enabled.
  • An Internet Protocol (IP) address for your SSL certificate. A dedicated IP address per certificate was historically required; with Server Name Indication (SNI), which all current browsers support, several certificates can share one address, so a dedicated IP is needed only for very old clients.

Copy the files into the default location on your server

An SSL installation involves three components: the SSL certificate and the CA bundle, both supplied by the vendor, and the private key, which you generated with the CSR and which should never have left your server. When you receive your SSL certificate from your CA, put the files on your server by using the following steps:

  1. Copy all the contents of the certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and save the copied text as domain.com.crt. Do the same for the CA bundle (for example, domain.com.ca-crt).

  2. Copy the certificate and CA bundle into the directory in which you plan to store your certs, and the private key into the matching key directory. For example, the default Apache directories are /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/ for certificates and /usr/local/apache/conf/ssl.key/ or /etc/httpd/conf/ssl.key/ for keys. Make the key readable by root only (chmod 600) so that other local accounts can’t copy it.
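Before you reference these files from the web server configuration, it is worth confirming that they belong together. The following script is an added example, not part of the original article: it checks that the certificate was issued for your private key, that the vendor’s CA bundle completes the chain, that the certificate is not about to expire, that the key file is not readable by other local users, and, optionally, that a combined bundle such as the bundle.crt built in the Nginx section below starts with your own certificate. It assumes only the openssl command-line tool; the file names are placeholders for the ones you saved above.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks on the
# files you are about to reference from httpd.conf or nginx.conf. Assumes the
# openssl CLI (1.1 or 3.x) is on PATH; every file name below is a placeholder.
#
# Usage: check_ssl_files CERT KEY CA_BUNDLE [COMBINED_BUNDLE]
#   CERT             the certificate from the vendor        (domain.com.crt)
#   KEY              the private key generated with the CSR (domain.com.key)
#   CA_BUNDLE        the vendor's intermediate/root bundle  (domain.com.ca-crt)
#   COMBINED_BUNDLE  optional leaf+intermediates file for nginx (bundle.crt)
# Prints one line per check and returns 0 only when all of them pass.

check_ssl_files() {
    cert=$1 key=$2 ca=$3 bundle=${4:-}
    rc=0

    # 1. Is this certificate really the one issued for our private key?
    #    Compare the two public keys in PEM form; the private key itself is
    #    never printed or copied anywhere.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: cannot parse certificate $cert"; return 1
    fi
    if ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "FAIL: cannot parse private key $key"; return 1
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   certificate and private key match"
    else
        echo "FAIL: certificate was not issued for the key in $key"; rc=1
    fi

    # 2. Does the vendor's CA bundle actually chain up to this certificate?
    #    -CAfile treats every cert in the bundle as trusted, so this proves the
    #    bundle links to the leaf, not that browsers trust the root.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   chain verifies against $ca"
    else
        echo "FAIL: $ca does not complete the chain for $cert"; rc=1
    fi

    # 3. Don't install a certificate that is about to expire (30 days = 2592000 s).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "ok:   certificate valid for at least 30 more days"
    else
        echo "FAIL: certificate expires within 30 days (or has already expired)"; rc=1
    fi

    # 4. The private key must not be readable by group or others (mode 600).
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $key is readable by group/others; run: chmod 600 $key"; rc=1
    else
        echo "ok:   private key permissions are restrictive"
    fi

    # 5. In a combined bundle (nginx) the server certificate MUST come first:
    #    nginx, like openssl x509, reads the first certificate in the file as
    #    the server certificate and sends the rest as the chain.
    if [ -n "$bundle" ]; then
        first=$(openssl x509 -in "$bundle" -noout -fingerprint -sha256 2>/dev/null) || first=""
        leaf=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || leaf=""
        if [ -n "$first" ] && [ "$first" = "$leaf" ]; then
            echo "ok:   $bundle starts with the server certificate"
        else
            echo "FAIL: first certificate in $bundle is not $cert (wrong order?)"; rc=1
        fi
    fi

    return $rc
}

# Run the checks when the script is invoked directly with file arguments.
if [ "$#" -ge 3 ]; then
    check_ssl_files "$@"
fi
```

Run it as sh check_ssl_files.sh domain.com.crt domain.com.key domain.com.ca-crt from the directory holding the files, adding bundle.crt as a fourth argument if you built one. The chain check passes as long as the bundle links to your certificate; whether browsers trust the root at the top of that chain is what the SSL Labs scan at the end of this article tells you.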

Install certificate on Windows servers

The following sections show you how to install and bind an SSL certificate on Windows servers by using the Internet Information Services (IIS) Manager.

Install the certificate

Prerequisite: You should already have the certificate provided by your preferred SSL vendor.

If you generated your CSR with anything other than IIS, skip to Import an SSL certificate from another server.

Use the following steps if you generated your CSR with IIS. Completing the request pairs the certificate returned by your vendor with the private key that IIS generated and kept in the local machine certificate store.

  1. In the IIS Manager, select the server and double-click Server Certificates.
  2. Under Actions, click Complete Certificate Request.
  3. In the wizard, select the location of the certificate file provided by your SSL vendor.
  4. For Windows Server® 2012 only, enter a friendly name for the certificate and choose the certificate store.
  5. Click OK.

Import an SSL certificate from another server

  1. In the IIS Manager, double-click Server Certificates.
  2. Under Actions, click Import.
  3. Select the location of your certificate file, enter the password (if you set one), and choose your certificate storage location (Windows Server 2012 only).
  4. Click OK.

Set up the bindings

  1. In the IIS Manager, right-click your site and select Edit Bindings.
  2. In the Site Bindings window, click Add.
  3. In the Add Site Binding dialog box, perform the following steps:
     a. Set the value of Type to https.
     b. For Windows Server 2012 only, specify the host name if necessary, and select Require Server Name Indication if several HTTPS sites share the same IP address.
     c. From the SSL certificate list, select your certificate.
     d. Click OK.

After you set up the bindings, the Site Bindings window shows the binding for HTTPS.

Install certificate on Linux server with Apache

The following sections show you how to save your certificate on a Linux server, configure Apache to use the certificate, open port 443 in iptables, and verify the settings. After you have installed the certificate, reload or restart the web server.

Save the certificate and key file

Save the certificate provided by the SSL vendor and the .key file that you generated when you created the CSR in the appropriate directories. The certificate directory can be world-readable; the key directory should be readable by root only. We recommend the following directories:

RPM-based distributions

  • Certificates: /etc/pki/tls/certs/domain.com.crt
  • CA bundle: /etc/pki/tls/certs/domain.com.ca-crt
  • Keys: /etc/pki/tls/private/domain.com.key

OpenSSL default layout (used by Debian®-based distributions)

  • Certificates: /etc/ssl/certs/ssl.crt
  • Keys: /etc/ssl/private/ssl.key

Configure httpd.conf

Open the Apache httpd.conf file (or the ssl.conf or sites-available file in which your distribution keeps SSL virtual hosts) in a text editor, and add the following lines for the HTTPS VirtualHost, changing the IP address and the paths to the certificate files to reflect the location of your certificate. mod_ssl must be loaded and Apache must have a Listen 443 directive for the virtual host to be reachable.

<VirtualHost 123.45.67.89:443>
ServerName www.domain.com
DocumentRoot /path/to/your/document/root/htdocs

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/domain.com.ca-crt

ErrorLog logs/ssl.domain.com.error_log
CustomLog logs/ssl.domain.com.access_log combined
</VirtualHost>

Save the changes and exit the editor.

SSLCertificateChainFile points at the CA bundle so that Apache sends the intermediate certificates along with your own; omit it and many clients report an incomplete chain. On Apache 2.4.8 and later the directive is deprecated: append the bundle to the end of domain.com.crt instead and reference only SSLCertificateFile.

Note: If you want the virtual host to answer on every IP address on the public interface, put <VirtualHost *:443> in the configuration instead of a specific IP address. Several name-based HTTPS virtual hosts can share one address; Apache selects among them by using the SNI host name that the client sends.

iptables

You might need to open a port in your firewall to allow SSL connections to port 443. To check whether you need to do this, list your current firewall rules by running the following command:

sudo /sbin/iptables -L -n

If iptables is active but has no rule accepting port 443, add one, as shown in the following sample (-I inserts the rule at the top of the chain, ahead of any REJECT or DROP rule):

sudo /sbin/iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Rules added this way are lost at reboot. Remember to add them to your iptables configuration file, or on Red Hat®-based distributions run the following command:

sudo /sbin/service iptables save

On distributions that run firewalld (CentOS 7 and later) or nftables, open the https service permanently with the corresponding tool (for example firewall-cmd) rather than editing iptables directly, because the front end overwrites hand-added rules.

Verify configuration syntax

Before you reload, verify the configuration file syntax, ensuring that you have no spelling errors and haven’t referenced the wrong file names. The command differs by distribution:

Most distributions:

# apachectl -t

RPM-based distributions:

# httpd -t

Debian-based distributions (run the control script, not the apache2 binary directly, so that the variables from /etc/apache2/envvars are set):

# apache2ctl -t

If the file is good, the command returns Syntax OK. If there are errors, the command reports the file and line number of each one. The check also fails if a certificate or key path does not exist, so it catches most copy mistakes before the server goes down.

Install certificate on Linux server with Nginx

The following sections show you how to save your certificate on a Linux server with Nginx™ and configure the virtual hosts file. After you have installed the certificate, reload or restart the web server.

Save the certificates and key file

Save the primary (server) certificate and the intermediate certificates, which the SSL vendor usually supplies together in a domain_name.pem file, to the server, along with the .key file that you generated when you created the CSR.

If you don’t already have a certificate bundle file, combine the primary certificate (for example, my_domain.crt) and the intermediate certificate (for example, intermediate.crt) into a single file by running the following command. The order matters: your own certificate must come first, followed by the intermediates in chain order; the root certificate is not needed.

cat my_domain.crt intermediate.crt > bundle.crt

Configure the Nginx virtual hosts file

Use the following instructions to edit the Nginx virtual hosts file:

  1. Edit the Nginx virtual host file on your server.

  2. Copy the existing, non-secure server block (from the server { line through the closing curly brace for the server section) and paste the code immediately below the existing server block.

  3. In the pasted section, replace the listen line and add the ssl_ lines between the server { line and the server_name line:

     listen   443 ssl;
    
     ssl_certificate    /etc/ssl/your_domain_name.pem;
     ssl_certificate_key    /etc/ssl/your_domain_name.key;
    
     Older instructions use listen 443; together with ssl on;. The ssl directive is deprecated since Nginx 1.15.0 in favour of the ssl parameter of listen and has been removed from recent releases. If you built bundle.crt yourself, point ssl_certificate at it instead of the .pem file.

  4. Make sure that the ssl_certificate file matches your bundle file (server certificate first, then intermediates) and that the ssl_certificate_key file matches your key file. Run nginx -t to check the syntax before you reload.

Install certificate on Managed Hosting solutions

If you have requested an SSL certificate for your Rackspace Managed Hosting server by submitting a Rackspace ticket, Rackspace installs the certificate for you. You should provide details including where you want the certificate installed and your private key file.

Install certificate on a custom Microsoft Azure domain

By default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so you can already access your application by using the https://<appname>.azurewebsites.net URL.

However, the default Azure SSL certificate does not cover a custom domain: its subject matches only *.azurewebsites.net, so browsers reject it for any other name. The following sections describe how to add an SSL certificate to an application with a custom domain.

Prerequisite

You need your login credentials for the Azure portal. For information about how to log in to the Azure portal, see Sitecore Cloud portals and account management.

Get an SSL certificate

If you do not already have an SSL certificate, you need to get one from a trusted CA. The certificate must meet all of the following requirements:

  • Signed by a trusted CA (certificates from a private CA are not accepted).

  • Includes the private key (exported together with the certificate).

  • Created for key exchange and exported to a .pfx file.

  • Uses an RSA key of at least 2048 bits.

  • Has a subject name that matches the custom domain it needs to secure. To secure multiple domains with one certificate, you need to use a wildcard name (for example, *.contoso.com) or specify the subjectAltName values.

  • Merged with all intermediate certificates used by your CA. Otherwise, you might experience hard-to-reproduce interoperability problems on some clients.

For more information on getting a certificate, see Generate a certificate signing request (CSR) and Purchase or renew a Secure Sockets Layer (SSL) certificate.

Add the SSL certificate to Microsoft Azure

  1. Log in to the Azure portal.

  2. In the left-side navigation pane, click App services.

  3. Select the application to which you want to assign the certificate.

  4. Navigate to Settings and then click SSL certificate.

  5. Click Upload Certificate.

  6. Select the .pfx file that contains your SSL certificate and enter the password that you set when you exported it.

  7. Click Upload.

    You can now navigate to the SSL certificate through the application pane.

  8. In the SSL bindings section of the SSL certificate pane, click Add bindings.

    A new pane labeled SSL Bindings appears.

  9. Use the drop-down menus to select the custom domain URL you want to secure by using SSL, followed by the name of the SSL certificate. You can also select whether to use Server Name Indication (SNI) SSL or IP-based SSL. SNI SSL works with all current browsers and needs no dedicated address; choose IP-based SSL only if you must support clients without SNI.

  10. Click Add binding.

    SSL is now enabled for your custom domain.

Reload or restart the web server

After you have installed the SSL certificate, you should reload the web server service so that it reads the new certificate and key. This section describes the steps to reload or restart Apache and Nginx.

When you make changes to Apache, you have two options for your changes to take effect: restart the service or reload it. A restart is necessary only if you are adding or removing modules (such as mod_ssl). Because a restart drops in-flight connections and takes time to come back up, we recommend the reload option, which re-reads the configuration and certificates gracefully.

Reload Apache

To reload Apache, run the following command:

CentOS 7.x and later

# systemctl reload httpd

CentOS 6.x and earlier

# service httpd reload

Ubuntu 16.04 and later

# systemctl reload apache2

Ubuntu, earlier releases

# /etc/init.d/apache2 reload

Restart Apache

To restart your Apache web server, run the following command:

# /etc/init.d/httpd restart
or
# /etc/init.d/apache2 restart

Restart Nginx

To restart Nginx, run the following command:

    sudo /etc/init.d/nginx restart

On systemd-based distributions, use sudo systemctl reload nginx instead. A reload starts new worker processes with the new certificate while existing connections finish on the old ones, so no requests are dropped.

Test the certificate

The best way to test a certificate is to use a third-party tool like the Qualys® SSL Labs scanner, which reports whether the server sends the complete chain, which protocols and cipher suites it accepts, and any known weaknesses in the configuration. If you need assistance in improving the security configuration of your certificate, contact Rackspace Support.

Note: If you browse to your website by using HTTPS, the browser shows the padlock icon in the locked position if your certificates are installed correctly and the server is properly configured for SSL. Don’t rely on a desktop browser alone: some browsers fetch a missing intermediate certificate on their own, whereas command-line tools and many mobile and API clients do not, so an incomplete chain can look fine in the browser and still fail elsewhere. Testing from the command line with openssl s_client shows exactly which certificates the server sends.

Another way to test the certificate is to go to whynopadlock.com. Enter your URL in Secure Address, and it shows any discrepancies that could cause the site to appear insecure, such as mixed content issues.
