Adding an SSL Certificate in Apache

Update April 2018: I’d suggest using Let’s Encrypt for this instead.

I do this just infrequently enough to forget the details. So here’s the process for purchasing and installing an SSL certificate for HTTPS on your Linux/Apache web server (using Ubuntu 12.04 and Apache 2.2 here):

Generate Local Key/CSR, Purchase SSL Certificate

  1. Generate your key and CSR on your server.
    $ openssl req -nodes -newkey rsa:2048 -keyout -out -subj "/C=country/ST=state/L=city/O=company/OU=my department/"
  2. Move the .key file to your keys directory, readable only by root (e.g., /etc/ssl/keys).
    $ mv /etc/ssl/keys/.
    $ chmod 400
  3. Purchase a certificate from InCommon, GeoTrust, etc. You’ll need to send them the contents of the .csr file generated in step 1. Most likely you’re purchasing an Apache/ModSSL or Apache/OpenSSL certificate.
  4. The certificate authority will prompt you to download the certificate (a .cer or .crt file). Download it as ‘X509 certificate only’.

Install Your SSL Certificate

  1. Put the file in your certificates directory on your web server (e.g., /etc/ssl/certs), and chown/chmod to root:root 644.
  2. If your certificate was issued by an intermediate CA (likely), your issuer will also give you a bundle file that “chains” your certificate to a trusted root certificate. Put this bundle file somewhere like /etc/ssl/bundle/ and chown/chmod to root:root 644.
  3. Set up the mysite-ssl virtualhost in your Apache configuration with links to your .key and .cer/.crt files:
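    <VirtualHost *:443>
            DocumentRoot /path/to/
            SSLEngine on
            # Public certificate (mode 644) and its private key (mode 400, root only)
            SSLCertificateFile    /etc/ssl/certs/
            SSLCertificateKeyFile /etc/ssl/keys/
            # If you have a chained certificate, add this as well
            # (Apache 2.2 also has SSLCertificateChainFile, the directive
            # dedicated to the server's intermediate chain)
            SSLCACertificateFile  /etc/ssl/bundle/
    </VirtualHost>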
  4. Restart Apache:
    $ /etc/init.d/apache2 restart
  5. Test your site to make sure it works with SSL:
  6. If you want to force SSL on your site or certain pages, you could use mod_rewrite:
    <Location /login.php>
    RewriteEngine On
    # Redirect plain-HTTP requests for this path to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    </Location>
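
Before the restart in step 4, it helps to confirm that the certificate the CA returned belongs to the key generated earlier and that the key is still owner-only. The script below is an added example, not part of the original post; the function names are hypothetical, and the key and certificate used by demo are constructed throwaway files.

```shell
#!/bin/sh
# Added example: checks to run before restarting Apache.
# Function names are hypothetical; only stock openssl subcommands are used.

# Print the PEM public key embedded in a private key, certificate or CSR.
pubkey_of() {  # $1 = key|cert|csr, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if the private key and the certificate (or CSR) share one public key.
pair_matches() {  # $1 = key file, $2 = cert or CSR file, $3 = cert|csr (default cert)
    k=$(pubkey_of key "$1") || return 2
    c=$(pubkey_of "${3:-cert}" "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if group and other have no permission bits on the key (e.g. mode 400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks and report; a non-zero status means do not restart yet.
preflight() {  # $1 = key file, $2 = certificate file
    rc=0
    pair_matches "$1" "$2" cert || { echo "FAIL: $2 does not match $1"; rc=1; }
    key_is_private "$1" || { echo "FAIL: $1 is accessible beyond its owner"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key matches certificate and is owner-only"
    return "$rc"
}

# Constructed sample input: a throwaway key and self-signed certificate in a temp dir.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=example.test" \
        -keyout "$d/demo.key" -out "$d/demo.crt" >/dev/null 2>&1
    chmod 400 "$d/demo.key"
    preflight "$d/demo.key" "$d/demo.crt"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Source the file and call preflight with your key and certificate paths; pair_matches with csr as its third argument checks the key against the CSR before you send it to the CA.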

