Step 1: Upload Certificate Files Onto Server
The Certificate Authority will email you a zip-archive with several .crt files.
Alternatively, you can download the certificate files in your Account. The zip-archive will contain the Certificate for your domain name (.crt) and the CA-Bundle (.ca-bundle) file. The CA-Bundle is the chain of intermediate and root Certificates.
If you uploaded the intermediate Certificates separately onto your server, you will need to link them into a single CA-Bundle file.
For a PositiveSSL Certificate, use the following command to combine the intermediate and root certificates:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
Step 2: Locate Apache Configuration File
The location and the name of the Apache configuration file may differ depending on the server and OS version you’re using. The file may be called httpd.conf, apache2.conf or ssl.conf and may be located at /etc/httpd/, /etc/apache2/ or /etc/httpd/conf.d/ssl.conf.
The configuration file contains the Virtual Hosts for all domains that are hosted on the server.
Note: if you have Apache server installed on the Ubuntu operating system, each site has a separate configuration that can be found at /etc/apache2/sites-enabled/. To have your site accessible via secure and non-secure connection, you will need two separate configuration files: one for port 80 and the other for port 443.
Step 3: Configure Virtual Host Section
You’ll need to add or modify the virtual host for port 443 in the configuration file.
We recommend that you back up the configuration file before making any changes to it. This way you can revert the changes if something goes wrong. Simply copy and save your current *.conf file as *.conf_backup:
cp default-ssl.conf default-ssl.conf_backup
Make sure that the Virtual Host has the following directives, with no # in front of them:
- SSLEngine on
- SSLCertificateFile pointed to the location of the Certificate issued for your domain name
- SSLCertificateKeyFile pointed to the location of your Private Key on the server.
- SSLCertificateChainFile pointed to the location of the CA-Bundle file.
The Virtual Host for port 443 should look like this:
<VirtualHost [IP ADDRESS]:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www
    ServerName www.ssl-tutorials.com
    ErrorLog www/home/logs/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt
    SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key
    SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle
</VirtualHost>
Note: starting from Apache 2.4.8, the SSLCertificateChainFile directive became obsolete. Intermediate Certificates can now be added to the SSLCertificateFile.
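One way to run the Step 3 check before restarting, as an added example that is not part of the original guide. The function name check_ssl_vhost, the address 192.0.2.10 and the sample configuration are constructed for illustration; SSLCertificateChainFile is treated as optional, following the Apache 2.4.8 note above.

```shell
#!/bin/sh
# Added example: report whether each Step 3 directive in a port-443 VirtualHost
# is active, commented, off or missing. Exit: 0 ready, 1 not ready, 2 no :443 vhost.
check_ssl_vhost() {
    awk '
    BEGIN { n = split("SSLEngine SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile", want, " ") }
    # Opening tag of a virtual host bound to port 443: start a fresh record.
    tolower($0) ~ /^[ \t]*<virtualhost[ \t].*:443[ \t]*>/ {
        in_vh = 1; found++; split("", state); next
    }
    # Closing tag: print the verdict for every directive in the list.
    in_vh && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
        for (i = 1; i <= n; i++) {
            d = want[i]; s = (d in state) ? state[d] : "missing"
            printf "%s %s\n", d, s
            # The chain file is optional from Apache 2.4.8, so it never fails the check.
            if (s != "active" && d != "SSLCertificateChainFile") bad = 1
        }
        in_vh = 0; next
    }
    in_vh {
        line = $0; sub(/^[ \t]+/, "", line)
        commented = (line ~ /^#/)          # a leading "#" disables the directive
        sub(/^#+[ \t]*/, "", line)
        split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            d = want[i]
            if (tolower(f[1]) != tolower(d)) continue   # names are case-insensitive
            if (commented) { if (state[d] != "active") state[d] = "commented" }
            else if (d == "SSLEngine" && tolower(f[2]) != "on") state[d] = "off"
            else state[d] = "active"
        }
    }
    END { if (!found) { print "no :443 VirtualHost found"; exit 2 } exit bad + 0 }
    ' "$1"
}
# Constructed sample config: the private key directive is still commented out.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/ssl-tutorials_com.crt
    #SSLCertificateKeyFile /etc/ssl/ssl-tutorials.key
    SSLCertificateChainFile /etc/ssl/ssl-tutorials_com.ca-bundle
</VirtualHost>
EOF
check_ssl_vhost "$demo_conf" || echo "fix the directives above before restarting Apache"
```

Point the function at your own file, for example the default-ssl.conf copied in Step 3, and restart only when it exits with status 0.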
Step 4: Enabling OCSP Stapling
OCSP Stapling improves performance by providing clients with the up-to-date status of your certificate.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host:
SSLUseStapling on
Also specify the location and size of the OCSP response cache outside of the Virtual Host section, using the SSLStaplingCache directive:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Note: OCSP Stapling is only available in Apache HTTP Server 2.3.3 and higher.
Step 5: Save & Restart
The process varies depending on the exact Apache configuration that you have:
- For Debian-based Apache, you can run this command to test if the new configuration of your Apache service has the proper syntax:
apachectl -t
If the syntax is OK, save your changes in the configuration file and restart Apache using these apachectl commands:
apachectl restart
apachectl stop
apachectl start
- For RHEL-based distributions (CentOS, RedHat, etc.), you can check the syntax by running:
httpd -t
If it returns Syntax OK, you can proceed with the Apache restart:
sudo service httpd restart
This command can be used to see whether the latest SSL configuration file was added to the settings (check the *:443 line in the output):
httpd -S
If the Apache service fails to restart or the SSL does not get installed, make sure the configuration file is created properly. Alternatively, you can contact our support team for assistance.
You can delete the modified configuration file and revert to the backup configuration created in Step 3 at any time.