How to install an SSL Certificate on Apache

  SSL Installation instructions

Take the stress out of SSL installation and let our tech experts take care of it!

After your Certificate is issued by the Certificate Authority, you’re ready to begin installation on your Apache server.

Note: Sometimes, the “Permission Denied” error may occur when running the commands. We suggest adding “sudo” in front of the command to enable additional permissions. If a password is asked to enable the sudo user, you may contact your hosting provider or system administrator to get access.

Follow the below steps to install your certificate:

Step 1: Upload Certificate Files Onto Server

The Certificate Authority will email you a zip-archive with several .crt files.

Alternatively, you can download the certificate files in your Account. The zip-archive will contain the Certificate for your domain name (.crt) and the CA-Bundle (.ca-bundle) file. These are known as a chain of intermediate and root Certificates.

If you uploaded the intermediate Certificates separately onto your server, you will need to link them into a single CA-Bundle file. 

For a PositiveSSL Certificate, use the following command to combine the intermediate and root certificates:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt

You can download the complete CA-Bundle files for our Certificates here.

Step 2: Locate Apache Configuration File 

The location and the name of the Apache configuration file may differ depending on the server and OS version you’re using. The file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.

The configuration file contains the Virtual Hosts for all domains that are hosted on the server.

Note: if you have Apache server installed on the Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.

Step 3: Configure Virtual Host Section

You’ll need to add or modify the virtual host for port 443 in the configuration file. 

We recommend you backup the configuration file before making any changes to it. This way you can revert the changes if something goes wrong. Simply copy and save your current *.conf file as *.conf_backup:

cp default-ssl.conf default-ssl.conf_backup

Make sure that the Virtual Host has the following directives, with no # in front of them:

  1. SSLEngine on
  2. SSLCertificateFile pointed to the location of the Certificate issued for your domain name
  3. SSLCertificateKeyFile pointed to the location of your Private Key on the server.
  4. SSLCertificateChainFile pointed to the location of the CA-Bundle file.

The Virtual Host for 443 port should look the following way:

<VirtualHost [IP ADDRESS]:443>
DocumentRoot var/www
ErrorLog www/home/logs/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt
SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key
SSLCertificateChainFile /etc/ssl/

Note: starting from Apache 2.4.8, the SSLCertificateChainFile directive became obsolete. Intermediate Certificates can now be added to the SSLCertificateFile.

Step 4: Enabling OCSP Stapling

OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.

If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host:

SSLUseStapling on

Also specify the OCSP cache response location and size outside of the Virtual Host section, using SSLStaplingCache directive:

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Note: OCSP Stapling is only enabled for configuration from Apache HTTP server 2.3.3 and higher.

Step 5: Save & Restart

The process varies depending on the exact Apache configuration that you have:

  • For Debian-based Apache, you can run this command to test if the new configuration of your Apache service has the proper syntax:

apachectl -t

If the syntax is OK, save your changes in the configuration file and restart Apache using these apachectl commands:

apachectl restart

apachectl stop

apachectl start

  • For RHEL-based distributive (CentOS, RedHat, etc.), you can check the syntax by running:

httpd -t

If it returns Syntax OK, you can proceed with the Apache restart:

sudo service httpd restart

And this command can be used to see whether the last SSL configuration file was added to the settings (check the *.443: line in output):

httpd -S

If the Apache service fails to restart or the SSL does not get installed, make sure the configuration file is created properly. Alternatively, you can contact our support team for assistance.

You can delete the modified configuration file and revert back to your backup configuration created in Step 3 at any time.

Well done! Your SSL Certificate is installed. You can confirm this using the SSL Checker tool.