Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range

Install a SSL certificate on Apache 2.4.8+

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

Under Linux, to check the version number of your Apache server, execute the following command:
#apachectl -version
Server version: Apache/2.2.26 (Unix)
Server built:   Dec 10 2013 22:09:38

#apache2ctl -version
Server version: Apache/2.4.10 (Debian)
Server built:   Oct  9 2014 22:21:52

If you have a version of Apache older than 2.4.8, see our documentation here

1- Retrieve your certificate(s) on your server

Go back to where you generated the private key (and the CSR), for example:
cd /etc/apache2/SSL2015
cd /etc/apache/conf/SSL2015
cd /etc/httpd/conf/SSL2015
Or in a Windows environment (EasyPHP, Wamp, ...) :
C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015
C:\Program Files\Apache Software Foundation\EasyPHP\SSL2015
Download here the file provided in the delivery email:
From your certificatestatus page
click on the button "See the certificate" (or "See the last certificate")
then "See the certificate in X509 format with its chain".
You then download a pem-xxx-yyy.pem file.
It contains your SSL certificate and the certification chain in PEM format.

2- Configure Apache : /etc/apache2/sites-enabled/default-ssl.conf

In a standard installation under Linux, the SSL advanced configuration file is located here:
but it is not in this file that you will activate SSL for a website.
You'll have to edit the file
To install a certificate on Apache, you'll have to define 2 variables in the configuration file of your server:
  • SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile path to the PEM file containing the end entity certificate and the intermediates
<IfModule mod_ssl.c>
       <VirtualHost _default_:443>
       SSLEngine on
       SSLCertificateFile  /etc/apache2/SSL2015/pem-xxx-yyy.pem
       SSLCertificateKeyFile /etc/apache2/SSL2015/
       SSLCipherSuite !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL
       SSLProtocol all -SSLv2 -SSLv3
       SSLHonorCipherOrder on
       SSLOpenSSLConfCmd ECDHParameters secp384r1 #ECDH curve selection

Or in a Windows environment (EasyPHP, Wamp, ...):
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf
C:/Program Files/Apache Software Foundation/EasyPHP/
Nota: Your Apache Set up might raises problems if:
  • is not complete or does not use anti-slash to define the arborescence:
    SSLCertificateFile  C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015\pem-xxx-yyy.pem
    SSLCertificateKeyFile C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015\
  • the path includes special characters such as : spaces, bracket (), accents éàèêîï, ...
  • the path is too long ( > 200 characters)
  • the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.

  • 3- Restart Apache and run a test

    Make sure there is no syntax mistake:
    #apachectl configtest
    Syntax OK
    Once setted up, restart the Apache server.
    #service httpd restart
    #/etc/init.d/apache restart
    #systemctl restart httpd
    #systemctl restart apache2
    Check the log (in case of a syntax error) and test your website access with Firefox and IE.

    N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?

    On windows platforms (Easy Php, WAMP, ...)

    • You must see an administration/management menu in the task bar of your Apache server to start and stop it.
    • Make sure the HTTPS port (443) is open in the Firewall rules.
    • If an error occurs the server might not start. You'll then need to consult the error logs: the error messages can also appear in the Widows "Events Logs".

    Security recommandations

    Activate OCSP Stappling

    We recommand to activate OCSP Stappling to give your users the guarantee of the non-revocation of your certificate more efficiently than with the simple mecanisms provided by browsers.

    Activate HSTS support

    To protect your users from Man in the Middle attacks and to guarantee your site security, we advise the activation of HSTS.

    Generate strong dh groups

    We recommand to generate unique dh groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).

    openssl dhparam -out dhparams.pem 2048

    If you use openssl 1.0.2+

    Edit your configuration with the following line:

    SSLOpenSSLConfCmd DHParameters "/etc/apache2/SSL2015/dhparams.pem"

    If you use a previous version of openssl

    Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it dhparams.pem just jest generated.

    Meticulous adjustment of the encypherment level

    In a standard installation under Linux, the SSL advanced configuration file is located here:

    Choose a strong elliptic curve for ECDH (openssl 1.0.2+)

    We recommend choosing a strong elliptic curve for the ECDH key exchange:
    SSLOpenSSLConfCmd ECDHParameters secp384r1

    4 - Make sure your certificate is correctly installed with CO-PiBot

    On your certificate's status page (on your tbs-certificates' center) you'll see a 'Check your certificate' button. Click it to test your certificate installation.

    Apache and SNI (TLS Server Name Indication)

    It is used to install several SSL certificates on a single server using a unique IP address. Warning: there can be compatibility issues with some old versions of browsers that do not understand this SSL V3 protocol functionnaility.
    • Make sure the SSL modul install on your Apache server can handle SNI (apache/mod_ssl)
    • In the SSL configuration, forbid the use of version 2 of SSL protocol: SSLProtocol all -SSLv2 -SSLv3
    • For each VirtualHost indicate the private key, the certificate and the certification chain to be used:
      <NameVirtualHost *:443>
      <VirtualHost *:443>
        DocumentRoot /var/www/
        SSLEngine on
        SSLCertificateFile chemin/certificate-xxxx.pem
        SSLCertificateKeyFile path/privatekey-xxxx.key
      </Virtual Host>
      <VirtualHost *:443>
        DocumentRoot /var/www/
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile path/certificate-yyyy.pem
        SSLCertificateKeyFile path/privatekey-yyyy.key
      </Virtual Host>

    External links about SNI

    APACHE.ORG external documentation

    Similar Documentation:

    Useful links