Install an SSL certificate on Apache
This article describes how to install a Secure Socket Layer (SSL) certificate on your Apache server. There are many SSL vendors that you can choose from. Where you buy your SSL certificate is up to you.
Before installing your certificate, make sure you have the following items:
- A certificate signing request (CSR) should be installed on the server. See Generate a CSR for instructions.
- Apache and
mod_sslshould be installed.
- You also need to have an Internet Protocol (IP) address for your SSL cert and a unique IP address for each SSL that you want to host. Certificate authorities and browsers require that all SSL certs be on their own IP address.
Installing your SSL Certificate
To install your SSL certificate, you must copy the certificate files to your server and edit the Apache configuration file to add the locations of the SSL files.
Copy the files into the default locale
A vendor-provided SSL certificate contains three components: the SSL certificate, the certificate authority (CA) file, and the SSL key. When you receive your SSL certificate from your authority, upload it to your server by using the following steps.
Copy all the contents of the certificate, including the
END CERTIFICATElines. Save the copied text as
Copy the certificate and private key into the Apache server directory in which you plan to store your certs (by default:
Edit the httpd.conf file
Open the Apache httpd.conf file in a text editor, and add the following
lines for the
<VirtualHost 18.104.22.168:443> ServerName www.domain.com DocumentRoot /path/to/your/document/root/htdocs SSLEngine ON SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key ErrorLog logs/ssl.domain.com.error_log CustomLog logs/ssl.domain.com.access_log combined </VirtualHost>
Note: Keep in mind that you should change the paths to the certificate files to reflect the location of your certificate.
Save the changes and exit the editor.
You might need to open a port in your firewall to allow SSL connections to
443. To verify, get a list of your firewall rules:
sudo /sbin/iptables -L
If you have iptables active but without exceptions for port
need to add some, as shown the following sample:
sudo /sbin/iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT sudo /sbin/iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Remember to add the rules to your iptables config file or run the following code on Red Hat-based distributions:
sudo /sbin/service iptables save
Verify configuration syntax
Run the following command to verify the configuration file syntax, ensuring that you have no spelling errors and haven’t added the wrong filenames:
# httpd -t
If the file is good, the command returns
Syntax OK. If there are errors,
the command returns the incorrect lines.
Reload or restart Apache
When you are making changes to Apache, you have two different options for your
changes to work: to restart the service or to reload the service. A restart
should be necessary only if you are adding or removing modules (such as
sslL_module). Because restarting a service takes some time to come back up,
we generally recommend that you use the reload option.
To reload Apache, run the following command:
CentOS 7.0 and higher
# systemctl reload httpd
CentOS 6.9 and lower
# service httpd reload
# /etc/init.d/apache2 reload
To restart your Apache web server, run the following command:
# /etc/init.d/httpd restart or # /etc/init.d/apache2 restart
Test the certificate
Test your certificate by using a browser to connect to your server. Use the Hypertext Transfer Protocol Secure (HTTPS) protocol directive (e.g. https://yourserver/) to indicate that you want to use secure HTTP.
Note: The padlock icon on your browser is displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL.
Continue the conversation in the Rackspace Community.
©2018 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License