Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range
Other activities

Install a X509 SSL certificate on Apache (Linux, Debian, Unbuntu, windows wamp, Mac OS X, ...)

If you are using an Apache version superior or equal to 2.4.8, refer directly to its documentation.

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

Go back where the private key has been generated, for example:
cd /etc/httpd/conf
cd /etc/apache/conf
cd /etc/apache2/
In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
  • A: your server certificate (.cer or .crt file)
  • B: the certification chain (.txt file)

2- Set up Apache

To install a cert on Apache, you'll have to define 3 variables in the configuration file of your server:
  • SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile path to the certificate.cer
  • SSLCertificateChainFile (or SSLCACertificateFile) path to the chain.txt. file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated anytime, so after each renewal or reissuance, reinstall the latest certification chain).

If you are using Apache 1.3 with mod_ssl or Apache 2 and similar others (Mac OS X, WAMP, EasyPHP)

Find the setup file of your apache. It is often:
you can also find the SSL setup in an other file. For example:

Or in a Windows environment (EasyPHP, Wamp, ...) :
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf
C:/Program Files/Apache Software Foundation/EasyPHP/
Nota: Your Apache Set up might raises problems if:
  • the path includes special characters such as : spaces, bracket (), accents éàèêîï, ...
  • the path is too long ( > 200 characters)
  • the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.

  • If you only have one certificate on this machine, spot the section beginning by:
    <VirtualHost _default_:443>
    and edit the following instructions to make them point at your files:
    # your server certificate (A)
    SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
    # your private key (generated previously)
    SSLCertificateKeyFile /etc/httpd/conf/
    # SSL configuration
    SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES
    SSLCompression off #Apache 2.4.3+              
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on  # apache 2.1+
    Warning: SSLHonorCipherOrder is not available on every version of Apache, see our documentation.
    And for your certification chain (B), add:
    SSLCertificateChainFile /etc/httpd/conf/chain-0000000000-1234.txt 
    For very old versions of Apache, see SSLCACertificateFile

    Disable SSLv2 and SSLv3 on your Apache server

    In your Apache configuration, for example:
    • General configuration of the server: /etc/apache2/conf/httpd.conf
    • SSL Module / SSL configuration : /etc/apache2/conf/sites-enable/ssl.conf
    • Your site configuration : <VirtualHost *:443>

    Retrieve the parameter SSLProtocol to disable SSLv2 and SSLv3, for example:
      <VirtualHost *:443>
      DocumentRoot /var/www/
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile chemin/certificate-xxxx.cer
      SSLCertificateKeyFile chemin/privatekey-xxxw.key
      SSLCertificateChainFile chemin/chain-xxx.txt
      </Virtual Host>

    What are the risks linked to obsolete protocols?

    N.B.: In this configuration, we also recommend the following configuration for the protocols/ key excahngeand cipherment algorithms:
    SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES 

    TOMCAT under apache APR

    <Connector port="443" maxHttpHeaderSize="8192"

    3- Restart Apache and run a test

    Once setted up, restart the Apache server.
    httpd restart service
    /etc/init.d/apache restart
    Verify the log (for any syntax error) and check the access of your website's secured pages with IE 6 and Firefox.

    N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?

    On windows platforms (Easy Php, WAMP, ...)

    • You must see an administration/management menu in the task bar of your Apache server to start and stop it.
    • Make sure the HTTPS port (443) is open in the Firewall rules.
    • If an error occurs the server might not start. You'll then need to consult the error logs: the error messages can also appear in the Widows "Events Logs".

    Security recommandations

    Activate OCSP Stappling

    We recommand to activate OCSP Stappling to give your users the guarantee of the non-revocation of your certificate more efficiently than with the simple mecanisms provided by browsers.

    Activate HSTS support

    To protect your users from Man in the Middle attacks and to guarantee your site security, we advise the activation of HSTS.

    Generate stron dh groups

    We recommand to generate unique dh groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).

    openssl dhparam -out dhparams.pem 2048

    If you use OpenSSL 1.0.2+

    Add the following line to your configuration:

    SSLOpenSSLConfCmd DHParameters "/etc/apache2/SSL2015/dhparams.pem"

    If you use an older version of OpenSSL

    Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it the content of the dhparams.pem file you just generated.

    Meticulous adjustment of the encypherment level

    Apache and SNI (TLS Server Name Indication)

    It is used to install several SSL certificates on a single server using a unique IP address. Warning: there can be compatibility issues with some old versions of browsers that do not understand this SSL V3 protocol functionnaility.
    • Make sure the SSL modul install on your Apache server can handle SNI (apache/mod_ssl)
    • In the SSL configuration, forbid the use of version 2 of SSL protocol: SSLProtocol all -SSLv2 -SSLv3
    • For each VirtualHost indicate the private key, the certificate and the certification chain to be used:
        <NameVirtualHost *:443>
        <VirtualHost *:443>
        DocumentRoot /var/www/
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile path/certificate-xxxx.cer
        SSLCertificateKeyFile path/privatekey-xxxw.key
        SSLCertificateChainFile path/chain-xxx.txt
        </Virtual Host>
        <VirtualHost *:443>
        DocumentRoot /var/www/
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile path/certificate-yyyy.cer
        SSLCertificateKeyFile path/privatekey-yyyy.key
        SSLCertificateChainFile path/chain-yyyy.txt
        </Virtual Host>

    Disable TLS compression

    If your TLS compression is enabled, we recommend you to disble it to mitigate the CRIME attack. If your Apache version is superior or equal to 2.4.3 then add the following directive to your virtualhost configuration:

    SSLCompression off

    If your version is inferior, you have to export the following environment variable: OPENSSL_NO_DEFAULT_ZLIB=1 in a webserver-visible manner. For instance, in the case of a Redhat/Centos version, you have to add export OPENSSL_NO_DEFAULT_ZLIB=1 to the file /etc/sysconfig/httpd. More information is available on the bugtracker Redhat.

    External links about SNI

    External links

    Similar Documentation:

    Useful links

    Check your certificate installation with Co-Pibot:

    On your certificate's status page (on your tbs-certificates' center) you'll see a 'Check your certificate' button. Click it to test your certificate installation.