SIGNIFLOW

Discover our signature platform: sign and request signature for your PDFs in a fex clicks!

JOIN OUR AFFILIATE NETWORK

Join our affiliate network
and become a local SSL expert
Learn more about our program

PRODUCTS TO DISCOVER

SSL certificates Invoice signature eIDAS certificates Signature software

Menu
picture of tbs certificates
picture of tbs certificates
Certificates
ALL CERTIFICATES
SSL Extended Validation SSL Standard RGS certificates eIDAS certificates SSL ECC SSL wildcard SSL Multiple sites / SAN Quick and Dirty SSL
Specific certificates
E-signature Strong authentication S/MIME certificates
Test certificates PKI Solutions Trust Seals
SigniFlow: the platform to sign and request signature for your documents
Signature software
Our products range
TBS X509 DigiCert Thawte Sectigo GlobalSign GeoTrust Certigna ChamberSign SigniFlow Harica
Partners
Client login Customer accounts Open an account
Support
FAQ SHA256: Browsers' compatibility ECC: Browsers' compatibility
Focus
Invoices dematerialization
We now provide solutions compliant with RGS** and eIDAS qualified standards for invoices signature and time stamping. Further information


Install a X509 SSL certificate on Apache (Linux, Debian, Unbuntu, windows wamp, Mac OS X, ...)

If you are using an Apache version superior or equal to 2.4.8, refer directly to its documentation.

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

Go back where the private key has been generated, for example: 
cd /etc/httpd/conf
ou
cd /etc/apache/conf
ou
cd /etc/apache2/
In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
  • A: your server certificate (.cer or .crt file)
  • B: the certification chain (.txt file)

2- Set up Apache

To install a cert on Apache, you'll have to define 3 variables in the configuration file of your server:
  • SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile path to the certificate.cer
  • SSLCertificateChainFile (or SSLCACertificateFile) path to the chain.txt. file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated anytime, so after each renewal or reissuance, reinstall the latest certification chain).

If you are using Apache 1.3 with mod_ssl or Apache 2 and similar others (Mac OS X, WAMP, EasyPHP)

Find the setup file of your apache. It is often: 
/etc/httpd/conf/httpd.conf
you can also find the SSL setup in an other file. For example: 
/etc/httpd/conf/ssl/default-vhost.conf
/etc/httpd/conf/ssl.conf

Or in a Windows environment (EasyPHP, Wamp, ...) : 
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf
C:/Program Files/Apache Software Foundation/EasyPHP/
Nota: Your Apache Set up might raises problems if:
  • the path includes special characters such as : spaces, bracket (), accents éàèêîï, ...
  • the path is too long ( > 200 characters)
  • the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.

    • If you only have one certificate on this machine, spot the section beginning by: 
    <VirtualHost _default_:443>
    and edit the following instructions to make them point at your files: 
    # your server certificate (A)
SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
# your private key (generated previously)
SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key
# configuration du SSL
SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL

SSLCompression off #Apache 2.4.3+              
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on  # apache 2.1+
    Warning: SSLHonorCipherOrder is not available on every version of Apache, see our documentation.
    And for your certification chain (B), add: 
    SSLCertificateChainFile /etc/httpd/conf/chain-0000000000-1234.txt
    For very old versions of Apache, see SSLCACertificateFile

    Disable SSLv2 and SSLv3 on your Apache server

    In your Apache configuration, for example:
    • General configuration of the server: /etc/apache2/conf/httpd.conf
    • SSL Module / SSL configuration : /etc/apache2/conf/sites-enable/ssl.conf
    • Your site configuration : <VirtualHost *:443>

    Retrieve the parameter SSLProtocol to disable SSLv2 and SSLv3, for example: 
      <VirtualHost *:443>
  ServerName www.mysite.com
  DocumentRoot /var/www/www.mysite.com
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCertificateFile chemin/certificate-xxxx.cer
  SSLCertificateKeyFile chemin/privatekey-xxxw.key
  SSLCertificateChainFile chemin/chain-xxx.txt
  </Virtual Host>

    What are the risks linked to obsolete protocols?

    N.B.: In this configuration, we also recommend the following configuration for the protocols/ key excahngeand cipherment algorithms:
    SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL

    TOMCAT under apache APR

    <Connector port="443" maxHttpHeaderSize="8192"
...
                 SSLEnabled="true"
                 SSLCertificateFile="${SERVICE_HOME}/conf/certificate.cer"
                 SSLCertificateKeyFile="${SERVICE_HOME}/conf/privatekey.key"
                 SSLCertificateChainFile="${SERVICE_HOME}/conf/chain-certificats.txt"
...

    3- Restart Apache and run a test

    Once setted up, restart the Apache server. 
    httpd restart service
or
/etc/init.d/apache restart
    Verify the log (for any syntax error) and check the access of your website's secured pages with IE 6 and Firefox.

    N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?

    On windows platforms (Easy Php, WAMP, ...)

    • You must see an administration/management menu in the task bar of your Apache server to start and stop it.
    • Make sure the HTTPS port (443) is open in the Firewall rules.
    • If an error occurs the server might not start. You'll then need to consult the error logs: the error messages can also appear in the Widows "Events Logs".

    Security recommandations

    Activate OCSP Stappling

    We recommand to activate OCSP Stappling to give your users the guarantee of the non-revocation of your certificate more efficiently than with the simple mecanisms provided by browsers.

    Activate HSTS support

    To protect your users from Man in the Middle attacks and to guarantee your site security, we advise the activation of HSTS.

    Generate stron dh groups

    We recommand to generate unique dh groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).

    openssl dhparam -out dhparams.pem 2048

    If you use OpenSSL 1.0.2+

    Add the following line to your configuration:

    SSLOpenSSLConfCmd DHParameters "/etc/apache2/SSL2015/dhparams.pem"

    If you use an older version of OpenSSL

    Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it the content of the dhparams.pem file you just generated.

    Meticulous adjustment of the encypherment level

    In a standard installation under linux, the advanced SSL configuration file is located 
    /etc/apache2/mods-enabled/ssl.conf

    Choose a strong elliptical curve for ECDH (openssl 1.0.2+)

    We recommend that you choose a strong elliptical curve for the ECDH key exchange: 
    SSLOpenSSLConfCmd ECDHParameters secp384r1

    4 - Check the installation of your certificate using CO-PiBot:

    On your certificate status page, in your customer area at TBS INTERNET, you will find a "Test the installation" button to test the correct installation of your of your certificate.

    Apache and SNI (TLS Server Name Indication)

    It is used to install several SSL certificates on a single server using a unique IP address. Almost all browsers are compatible with SNI (consult the list).
    • Make sure the SSL modul install on your Apache server can handle SNI (apache/mod_ssl)
    • In the SSL configuration, forbid the use of version 2 of SSL protocol: SSLProtocol all -SSLv2 -SSLv3
    • For each VirtualHost indicate the private key, the certificate and the certification chain to be used: 
      <NameVirtualHost *:443>
  
<VirtualHost *:443>
  ServerName www.monsite.fr
  DocumentRoot /var/www/www.monsite.fr
  ...
  SSLEngine on
  SSLCertificateFile chemin/certificat-xxxx.pem
  SSLCertificateKeyFile chemin/clefprivee-xxxx.key
</Virtual Host>
  
<VirtualHost *:443>
  ServerName www.mywebsite.com
  DocumentRoot /var/www/mywebsite.com
  ...
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCertificateFile chemin/certificat-yyyy.pem
  SSLCertificateKeyFile chemin/clefprivee-yyyy.key
</Virtual Host>
  
...

    External links about SNI

    Useful links

    Internal documentation

    External links