How to Install SSL on Apache Web Server?
Please complete this checklist before installing an SSL certificate on an Apache web server:
- Buy/renew SSL Certificate
- Generate CSR with SHA-2 algorithm
- Save the CSR & Private key file on your server directory
- Submit SSL issuance Documents as per CA’s requirement (Only for OV & EV Certificate issuers)
Step 1: Save SSL Certificate Files
After the payment and document verification process, you will receive the certificate files (server certificate, root certificate and intermediate certificate) via email. Store all of these files in a directory on your Apache server.
For example, the location of the SSL key file is /etc/ssl/ssl.key and the location of the server certificate and CA-bundle files is /etc/ssl/ssl.crt.
Step 2: Download CA bundle Files
CA-bundles are required to install an SSL certificate. The CA-bundle files can differ based on the type of your SSL certificate (Domain, Organization or Extended Validation). Visit your certificate authority's website for the CA bundle files.
Step 3: SSL Configuration file (httpd.conf) modification
- Open the conf file using any text editor (e.g. Notepad).
- In the virtual host section, add the following lines with the information for the domain you wish to secure with the SSL certificate:
  - SSLEngine on
  - SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  - SSLCertificateFile /etc/ssl/ssl.crt/domain.crt
  - SSLCertificateChainFile /etc/ssl/ssl.crt/domain.ca-bundle
    (For older Apache versions, use SSLCACertificateFile instead of SSLCertificateChainFile.)
  - SSLProtocol all
  - SSLHonorCipherOrder On (uses the server's cipher order)
  - SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS (gives priority to the strong ciphers and disables the weak ciphers)
- Save the conf file.
- Restart your Apache Server.
You can also apply following commands to restart Apache
Your SSL certificate is now installed on your Apache server.
Note: File names such as server.key, domain.crt, and domain.ca-bundle are used for illustration purposes only. You have to use your own certificate file names.
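
The protocol and cipher directives from Step 3 can be checked before Apache is restarted. The Python sketch below is an added example, not part of the original guide or of Apache itself: it audits a constructed virtual host for deprecated protocol versions and 3DES cipher entries and compares it with a tightened variant. The function names and the simplified SSLProtocol model are assumptions.

```python
# Constructed sample: a virtual host using the Step 3 protocol and cipher lines.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
</VirtualHost>
"""
# Same vhost with the legacy protocols excluded and the 3DES entries dropped.
HARDENED_VHOST = (SAMPLE_VHOST.replace("SSLProtocol all", "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1")
                  .replace("ECDH+3DES:DH+3DES:", "").replace("RSA+3DES:", ""))
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # deprecated protocol versions
WEAK_PARTS = {"3DES", "DES", "RC4", "MD5", "NULL", "ANULL", "ENULL", "EXPORT"}

def parse_directives(text):
    """Map lower-cased directive name -> argument string (comments, <Section> tags skipped)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            found[name.lower()] = args.strip()
    return found

def enabled_protocols(value):
    """Simplified model of SSLProtocol: 'all' or a bare/+name enables, -name disables."""
    on = set()
    for token in value.split():
        name = token.lstrip("+-").lower()
        names = set(ALL_PROTOCOLS) if name == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name}
        on = on - names if token.startswith("-") else on | names
    return on

def weak_ciphers(value):
    """Cipher-string tokens that are enabled (no '!' or '-' prefix) and name a weak primitive."""
    return [t for t in value.split(":")
            if t and t[0] not in "!-" and WEAK_PARTS & set(t.upper().split("+"))]

def audit(text):
    """Return a sorted list of (directive, problem) findings for one vhost."""
    d, findings = parse_directives(text), []
    # Assumption: a missing SSLProtocol line is audited as "all" (conservative).
    legacy = enabled_protocols(d.get("sslprotocol", "all")) & LEGACY
    if legacy:
        findings.append(("SSLProtocol", "legacy enabled: " + ", ".join(sorted(legacy))))
    weak = weak_ciphers(d.get("sslciphersuite", ""))
    if weak:
        findings.append(("SSLCipherSuite", "weak: " + ", ".join(weak)))
    return sorted(findings)
```

Calling audit(SAMPLE_VHOST) reports both directives, while audit(HARDENED_VHOST) returns an empty list.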