After the certificate is issued and sent to you by the Certificate Authority, you can proceed with the certificate installation on your Apache server following these steps.
- Upload the certificate files on your server.
For COMODO (now Sectigo) certificates you should receive a zip-archive with several .crt files.
Also, you can download the needed certificate files in your account with us. The downloaded zip-archive will contain the certificate for your domain name (.crt) and the CA bundle (.ca-bundle) file, also known as a chain of intermediate and root certificates.
If you uploaded the intermediate certificates separately on your server, you will need to concatenate them into a single CA bundle file. For instance, for COMODO (now Sectigo) PositiveSSL certificate you can use the following command to combine the intermediate and root certificates:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt
All the completed CA Bundle files for our certificates can be downloaded here.
- Locate Apache Configuration file to edit.
The location and the name of the Apache configuration file may differ depending on the server and OS version. As a rule, the file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.
The configuration file contains the Virtual Hosts for all domains that are hosted on the server.
Important! If you have Apache server installed on Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.
- Configure Virtual Host section for your site.
You need to add or modify the virtual host for port 443 in the configuration file. We recommend you back up the configuration file before making any changes to it. This way you will have the opportunity to revert the changes if something goes wrong. You can simply copy your current *.conf file and rename it as *.conf_backup.
Make sure it has the following lines and the lines are not commented with a ‘#’ in front of them:
SSLCertificateFile that is pointed to the location of the certificate issued for your domain name;
SSLCertificateKeyFile that is pointed to the location of your private key on the server.
SSLCertificateChainFile that is pointed to the location of the CA bundle file.
The Virtual Host for 443 port should look the following way:
<VirtualHost [IP ADDRESS]:443> ServerAdmin email@example.com DocumentRoot var/www ServerName www.ssl-tutorials.com ErrorLog www/home/logs/error_log SSLEngine on SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle </VirtualHost>
Starting from Apache 2.4.8 ‘SSLCertificateChainFile’ directive became obsolete and intermediate certificates can be added to the ‘SSLCertificateFile’ below your certificate issued for the domain name.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host section:
- SSLUseStapling on
Also specify OCSP cache response location and size outside of the Virtual Host section using SSLStaplingCache directive:
- SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Note: OSCP Stapling can be configured starting from Apache HTTP server 2.3.3 and later.
- Save the changes in the configuration file and restart Apache.
Most likely you will be able to restart Apache using the apachectl script:
- apachectl stop
- apachectl start
- apachectl restart
If during the process something went wrong or Apache service failed to restart, you can delete the modified configuration file and revert back to your backup configuration created in step #3
Congratulations! The certificate is installed. You can use this online tool to check the certificate installation: https://decoder.link.