Archive - Install an X509 SSL certificate on Apache-SSL (Ben-SSL)

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

Go to the directory where the private key was generated, for example:
cd /etc/httpd/conf
cd /etc/apache/conf
cd /etc/apache2/
In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
  • A: your server certificate (.cer or .crt file)
  • B: the certification chain (.txt file)

2- Set up Apache

To install a certificate on Apache, you have to define 3 directives in your server's configuration file:
  • SSLCertificateKeyFile: path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile: path to the certificate.cer file
  • SSLCertificateChainFile (or SSLCACertificateFile): path to the chain.txt file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated at any time, so after each renewal or reissuance, reinstall the latest certification chain).
Find your Apache configuration file. It is often:
and edit the following directives so that they point to your files:
# your server certificate (A)
SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
# your private key (generated previously)
SSLCertificateKeyFile /etc/httpd/conf/

# suitable Ciphers configuration
# 128-bit mini
# forbidden Ciphers configuration

# if you are using a version apache_1.3.29+ssl_1.53 or higher
# add the SSLNoV2 line (advised for security)
If you have to install a certification chain file (B), add:
SSLCACertificateFile /etc/httpd/conf/chain-0000000000-1234.txt 

3- Restart Apache and run a test

Once set up, restart the Apache server.
service httpd restart
/etc/init.d/apache restart
Check the log for any syntax errors, then check access to your website's secured pages with IE 6 and Firefox.

N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out of order. How to make sure your certificate matches the key?
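
One way to answer that question before restarting, shown as an added example that is not part of the original page: the functions below compare the public key embedded in the certificate with the one derived from the private key. The function names are illustrative, and both files are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the original page): pre-restart check that a
# certificate and a private key form a pair. Assumes PEM-encoded files and
# OpenSSL 1.0.0 or later (for the "pkey" subcommand).

# Exit status: 0 = key matches certificate, 1 = mismatch, 2 = unreadable file.
cert_key_match() {
    cert_file=$1
    key_file=$2
    # Public key embedded in the server certificate (A), as PEM text.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key; an encrypted key will
    # prompt for its passphrase.
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Human-readable wrapper: report the result and keep the exit status.
check_pair() {
    cert_key_match "$1" "$2" && status=0 || status=$?
    case $status in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1; do not restart Apache" ;;
        *) echo "ERROR: cannot parse $1 or $2 as PEM" ;;
    esac
    return $status
}

# Run directly: sh check_pair.sh certificate.cer private-key.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it with the same two paths you put in SSLCertificateFile and SSLCertificateKeyFile, and restart only when it reports OK.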

Meticulous adjustment of the encryption level

Apache and SNI (TLS Server Name Indication)

SNI makes it possible to install several SSL certificates on a single server that uses a single IP address. Almost all browsers are compatible with SNI (consult the list).
  • Make sure the SSL module installed on your Apache server can handle SNI (apache/mod_ssl)
  • In the SSL configuration, forbid the use of version 2 of the SSL protocol (this line also disables SSLv3): SSLProtocol all -SSLv2 -SSLv3
  • For each VirtualHost, indicate the private key, the certificate and the certification chain to be used:
      NameVirtualHost *:443
      # first site: add a ServerName line naming the site this certificate covers
      <VirtualHost *:443>
      DocumentRoot /var/www/
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile path/certificate-xxxx.cer
      SSLCertificateKeyFile path/privatekey-xxxx.key
      SSLCertificateChainFile path/chain-xxx.txt
      </VirtualHost>
      # second site: add its own ServerName line as well
      <VirtualHost *:443>
      DocumentRoot /var/www/
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile path/certificate-yyyy.cer
      SSLCertificateKeyFile path/privatekey-yyyy.key
      SSLCertificateChainFile path/chain-yyyy.txt
      </VirtualHost>

Check your certificate installation with Co-Pibot:

In your Certificate center, on your certificate status page, you'll see a "check your certificate" button. Click it to make sure your certificate has been installed correctly.