To configure SSL with Apache you must have an SSL certificate to install. The instructions in this article provide guidance for web server administrators, system administrators, web developers, or any other IT staff who need to configure SSL in an Apache installation. Read on to learn how to install an SSL certificate in Apache.
I. Create a CSR with OpenSSL
To create a CSR with openssl, run the following command:
openssl req -newkey rsa:4096 -keyout key.pem -out req.pem -nodes
This is a basic example that you can use in most cases for creating your CSR. For more details on a CSR (Certificate Signing Request) and other ways to generate it, visit our post titled Certificate Signing Request. This post will go into more details on what a CSR is and more advanced options when using OpenSSL to create it.
Note that you MUST save your private key as it will be used when installing your SSL certificate in a later step. The CSR can be thrown away after submitting it to the CA you choose. If you would like, you may keep and reuse the CSR when renewing your certificate later, but we recommend always generating a new one.
After creating your CSR, you will then submit it to the CA (Certificate Authority) you will be buying your certificate from. The SSL Store is the company we recommend buying your certificate from and gives you a multitude of CAs and certificates to choose from. After submitting your CSR to them, they should issue your certificate quickly. Then you will be ready to proceed with installing your certificate in Apache.
II. Install the issued certificate in Apache
To install your newly purchased SSL certificate, make sure that the end entity certificate issued to you is in a separate file from the intermediate certificates. Each type of web server handles this differently; in the case of Apache, the end entity server certificate lives in a separate file from the intermediate certificates. The root certificate does not need to be installed in your Apache configuration. If the chain file does contain the root, the configuration will still work, but it is not recommended practice, since the clients visiting your site should already have the root in their trust store.
You will need to copy the end entity certificate file, the intermediate certificate files, and the private key to your Apache instance. The files should be readable only by the root user or the user running Apache.
The location of the SSL configuration depends on the version of the Apache installation you are configuring. The easiest way to find the configuration may be to grep for it by running the following command, replacing /etc/httpd with the location of your Apache installation:
grep -i -r "SSLCertificateFile" /etc/httpd/
You will need to create a new <VirtualHost> block for the SSL configuration on your site. The easiest thing to do is simply copy the configuration for the http <VirtualHost> block and then modify it for your SSL configuration. The following is an example of an SSL configuration for localhost.
<VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html2
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
An alternate approach, as done in the docker example below, is to enable the SSL module and modify the httpd-ssl.conf file. Make sure the following modules are uncommented in the httpd.conf file:
- LoadModule ssl_module modules/mod_ssl.so
- LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
The filenames and paths should be adjusted for the name of your files.
DocumentRoot: The location of the web pages being served by your instance of Apache.
ServerName: The name of your server, in this case localhost, but it will most likely be in the form of www.example.com, a fully qualified domain name.
SSLCertificateFile: The path to your end entity server SSL certificate.
SSLCertificateKeyFile: The path to the private key matching your SSL certificate.
SSLCertificateChainFile: The path to the intermediate chain file. Again, this SHOULD NOT include the root certificate. Depending on your version of Apache, you may need to name this property SSLCACertificateFile instead.
III. Test the configuration and restart Apache after installing your SSL certificate
Unlike some other web servers, Apache includes a configuration test utility so you can test your changes before restarting. It is a best practice to do this: because Apache will not start back up if there are any configuration errors, testing first saves you possible downtime. To test your Apache configuration, run the following command:
Depending on your version of Apache, the command may be:
On success, go ahead and restart Apache with the following commands:
IV. Verification and Troubleshooting Apache SSL
To verify your SSL configuration on your Apache web server you can do a couple of things.
Visit your website from a browser and check the installed SSL certificate, as well as whether or not the website is served over https. If there is an SSL error or misconfiguration, your browser will show you that error.
Check your SSL configuration with our SSL Tools. Our tools include an SSL Certificate Decoder as well as an SSL checker to troubleshoot your SSL details.
Most configuration problems come down to the certificate chain not being installed correctly. Again, make sure the end entity server certificate and the intermediate chain are in separate files.
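As an added example (not code from the original article), the script below takes the PEM bundle a CA hands you, picks out the end entity certificate, orders the intermediates by their issuer links, and drops the self-signed root, which is exactly the split the SSLCertificateFile and SSLCertificateChainFile directives above require and the troubleshooting note is about. It assumes issuer and subject names can be matched on their raw DER bytes, and SAMPLE_BUNDLE is built from constructed CN-only DER stand-ins, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    # Read one DER tag-length-value at pos -> (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):
    # Walk Certificate -> tbsCertificate and return the raw DER issuer and subject Names.
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    fields, pos = [], (_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0)   # skip optional [0] version
    for _ in range(5):                                       # serial, sigAlg, issuer, validity, subject
        start, pos = pos, _tlv(tbs, pos)[2]
        fields.append(tbs[start:pos])
    return fields[2], fields[4]

def split_bundle(pem_text):
    # Order a PEM bundle by issuer links -> (leaf DER, [intermediates, leaf side first], root_present).
    names = {d: issuer_subject(d) for d in (base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text))}
    issuers = {iss for iss, _ in names.values()}
    by_subject = {sub: d for d, (_, sub) in names.items()}
    leaf = next(d for d, (_, sub) in names.items() if sub not in issuers)   # the one cert that issued nothing
    chain, root_present, wanted = [], False, names[leaf][0]
    while wanted in by_subject:
        iss, sub = names[by_subject[wanted]]
        if iss == sub:                                       # self-signed root: leave it out of the chain file
            root_present = True
            break
        chain.append(by_subject[wanted])
        wanted = iss
    return leaf, chain, root_present

def to_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def toy_cert(subject, issuer):
    # Constructed stand-in, not a real certificate: a DER Certificate skeleton carrying only CN
    # names (no key, no signature), which is all the ordering logic above looks at.
    d = lambda tag, body: bytes([tag, len(body)]) + body    # short-form lengths only (< 128 bytes)
    cn = lambda s: d(0x30, d(0x31, d(0x30, d(0x06, b"\x55\x04\x03") + d(0x0C, s.encode()))))
    tbs = d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30, b"") + cn(issuer) + d(0x30, b"") + cn(subject)
    return d(0x30, d(0x30, tbs) + d(0x30, b"") + d(0x03, b"\x00"))

# Constructed bundle: shuffled and including the root, the way some CAs deliver it.
SAMPLE_BUNDLE = "".join(to_pem(toy_cert(s, i)) for s, i in [
    ("Root CA", "Root CA"), ("www.yourdomain.com", "Intermediate CA"), ("Intermediate CA", "Root CA")])
```

On a real bundle, write to_pem(leaf) to the SSLCertificateFile path and the concatenated chain to the SSLCertificateChainFile path; root_present being True tells you the CA's bundle included the root that the article says to leave out.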
Apache SSL configuration with docker
To provide a simple example of configuring SSL and SSL certificates with Apache, let’s spin up a quick docker instance to demonstrate how to do so. This is meant simply for an educational exercise and is by no means a complete production ready example, but will cover the basics to get you started.
- Create a new directory:
mkdir apache-docker; cd apache-docker
- Create new files named httpd-ssl.conf and httpd.conf. The files can be copied from the apache instance installed in your docker container.
- Create a directory named ssl and move your cert.pem and key.pem files into it. Note that cert.pem should be formatted as described earlier in this article. If your SSL certificate and private key files are named differently, then make sure to update the httpd-ssl.conf file accordingly.
- You may encounter the following error when running the next command, so make sure to uncomment the mod_socache_shmcb module:
apache_1 | SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
- Create the docker-compose.yml file. Its contents should be as follows:
version: '3.8'
services:
  apache:
    image: httpd
    ports:
      - "8080:80"
      - "8443:443"
    volumes:
      - /home/misterpki/apache-docker/web:/usr/local/apache2/htdocs
      - /home/misterpki/apache-docker/httpd.conf:/usr/local/apache2/conf/httpd.conf
      - /home/misterpki/apache-docker/ssl:/usr/local/apache2/conf/ssl
      - /home/misterpki/apache-docker/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf
- Run docker-compose to spin up the Apache instance with your SSL certificate installed and configured.
docker-compose up --build
After running your apache instance, the logs should show SSL working.
Note that in this example, a self-signed certificate is being used whose CN differs from localhost, so you will see browser warnings. First, the certificate is not trusted by the OS (Operating System) certificate store. Second, the CN does not match the host name. When using a publicly trusted certificate issued to your domain, you should not see any SSL certificate errors.
For the full example, visit our GitHub repo containing the files to run the docker example of Apache and SSL certificates.
We hope to have covered in full how to successfully install an SSL certificate on an Apache web server. If you have any questions or suggestions on how to improve this article, please leave us a comment. If you need assistance troubleshooting your SSL installation or need help finishing it, send us an email at firstname.lastname@example.org.