Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Install a SSL certificate on Apache 2.4.8+

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

Under Linux, to check the version number of your Apache server, execute the following command:
#apachectl -version
Server version: Apache/2.2.26 (Unix)
Server built:   Dec 10 2013 22:09:38

#apache2ctl -version
Server version: Apache/2.4.10 (Debian)
Server built:   Oct  9 2014 22:21:52

If you have a version of Apache older than 2.4.8, see our documentation here

1- Retrieve your certificate(s) on your server

Go back to where you generated the private key (and the CSR), for example:
cd /etc/apache2/SSL2015
or
cd /etc/apache/conf/SSL2015
or
cd /etc/httpd/conf/SSL2015
Or in a Windows environment (EasyPHP, Wamp, ...) :
C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015
C:\Program Files\Apache Software Foundation\EasyPHP\SSL2015
Download here the file provided in the delivery email:
From your certificate status page
click on the button "See the certificate" (or "See the last certificate")
then "See the certificate in X509 format with its chain".
You then download a pem-xxx-yyy.pem file.
It contains your SSL certificate and the certification chain in PEM format.

2- Configure Apache : /etc/apache2/sites-enabled/default-ssl.conf

In a standard installation under Linux, the SSL advanced configuration file is located here:
/etc/apache2/mods-enabled/ssl.conf
but it is not in this file that you will activate SSL for a website.
You'll have to edit the file
/etc/apache2/sites-enabled/default-ssl.conf
To install a certificate on Apache, you'll have to define 2 variables in the configuration file of your server:
  • SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile path to the PEM file containing the end entity certificate and the intermediates
Example:
<IfModule mod_ssl.c>
       <VirtualHost _default_:443>
        ...
       SSLEngine on
       ...
       SSLCertificateFile  /etc/apache2/SSL2015/pem-xxx-yyy.pem
       SSLCertificateKeyFile /etc/apache2/SSL2015/www.mydomain.com.rsa.key
       ...
       SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL
       SSLProtocol all -SSLv2 -SSLv3
       SSLHonorCipherOrder on
       SSLOpenSSLConfCmd ECDHParameters secp384r1 #ECDH curve selection
       ...
       </VirtualHost>
</IfModule>


Or in a Windows environment (EasyPHP, Wamp, ...):
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf
C:/Program Files/Apache Software Foundation/EasyPHP/
Nota: Your Apache Set up might raises problems if:
  • is not complete or does not use anti-slash to define the arborescence:
    SSLCertificateFile  C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015\pem-xxx-yyy.pem
    SSLCertificateKeyFile C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015\www.mydomain.com.rsa.key
  • the path includes special characters such as : spaces, bracket (), accents éàèêîï, ...
  • the path is too long ( > 200 characters)
  • the private key files, certificates, and certification chain are not readable (windows rights) for the user / session which launches the Apache / httpd server.

3- Restart Apache and run a test

Make sure there is no syntax mistake:
#apachectl configtest
Syntax OK
Once setted up, restart the Apache server.
#service httpd restart
ou
#/etc/init.d/apache restart
ou
#systemctl restart httpd
ou
#systemctl restart apache2
Check the log (in case of a syntax error) and test your website access with Firefox and IE.

N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?

On windows platforms (Easy Php, WAMP, ...)

  • You must have in the taskbar an "administration / management" menu of the Apache server to "turn off" and "turn on" the Apache server.
  • Make sure the HTTPS port (443) is open in the Firewall rules.
  • In the event of various errors, the server may no longer start. You must then consult the error logs: error messages can also be entered in windows "event viewer".

Security recommandations

Activate OCSP Stappling

We recommand to activate OCSP Stappling to give your users the guarantee of the non-revocation of your certificate more efficiently than with the simple mecanisms provided by browsers.

Activate HSTS support

To protect your users from Man in the Middle attacks and to guarantee your site security, we advise the activation of HSTS.

Generate strong dh groups

We recommand to generate unique dh groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).

openssl dhparam -out dhparams.pem 2048

If you use openssl 1.0.2+

Edit your configuration with the following line:

SSLOpenSSLConfCmd DHParameters "/etc/apache2/SSL2015/dhparams.pem"

If you use a previous version of openssl

Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it dhparams.pem just jest generated.

Meticulous adjustment of the encypherment level

In a standard installation under Linux, the SSL advanced configuration file is located here:
/etc/apache2/mods-enabled/ssl.conf

Choose a strong elliptic curve for ECDH (openssl 1.0.2+)

We recommend choosing a strong elliptic curve for the ECDH key exchange:
SSLOpenSSLConfCmd ECDHParameters secp384r1

4 - Make sure your certificate is correctly installed with CO-PiBot

On your certificate's status page (on your certificates center) you'll see a 'Check your certificate' button. Click it to test your certificate installation.


Apache and SNI (TLS Server Name Indication)

It is used to install several SSL certificates on a single server using a unique IP address. Almost all browsers are compatible with SNI (consult the list).
  • Make sure the SSL modul install on your Apache server can handle SNI (apache/mod_ssl)
  • In the SSL configuration, forbid the use of version 2 of SSL protocol: SSLProtocol all -SSLv2 -SSLv3
  • For each VirtualHost indicate the private key, the certificate and the certification chain to be used:
    <NameVirtualHost *:443>
      
    <VirtualHost *:443>
      ServerName www.mywebsite.com
      DocumentRoot /var/www/www.mywebsite.com
      ...
      SSLEngine on
      SSLCertificateFile chemin/certificate-xxxx.pem
      SSLCertificateKeyFile path/privatekey-xxxx.key
    </Virtual Host>
      
    <VirtualHost *:443>
      ServerName www.mywebsite.com
      DocumentRoot /var/www/mywebsite.com
      ...
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile path/certificate-yyyy.pem
      SSLCertificateKeyFile path/privatekey-yyyy.key
    </Virtual Host>
      
    ...
    

External links about SNI


Useful links

Internal documentation:

External documentation