This article describes how to install a Secure Sockets Layer (SSL) certificate on your Apache server. There are many SSL vendors that you can choose from. Where you buy your SSL certificate is up to you.
Before installing your certificate, make sure you have the following items:
- A certificate signing request (CSR). See Generate a CSR with OpenSSL for instructions. You can also use a CSR generator and enter the necessary information for the CSR, or use the Rackspace CSR generator, which you can access in the Cloud Control Panel on the Server Details page for the server on which you want to install an SSL certificate.
- Apache and mod_ssl should be installed.
- You also need to have an Internet Protocol (IP) address for your SSL cert and
a unique IP address for each SSL that you want to host. Certificate authorities
and browsers require that all SSL certs be on their own IP address.
To install your SSL certificate, you must copy the certificate files to your server and edit the Apache configuration file to add the locations of the SSL files.
A vendor-provided SSL certificate contains three components: the SSL certificate, the certificate authority (CA) file, and the SSL key. When you receive your SSL certificate from your authority, upload it to
your server by using the following steps.
Copy all the contents of the certificate, including the
END CERTIFICATE lines. Save the copied text as
Copy the certificate and private key into the Apache server directory in
which you plan to store your certs (by default:
Open the Apache httpd.conf file in a text editor, and add the following
lines for the
<VirtualHost 220.127.116.11:443>
    ServerName www.domain.com
    DocumentRoot /path/to/your/document/root/htdocs
    SSLEngine ON
    SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.com.key
    ErrorLog logs/ssl.domain.com.error_log
    CustomLog logs/ssl.domain.com.access_log combined
</VirtualHost>
Note: Keep in mind that you should change the paths to the certificate files
to reflect the location of your certificate.
Save the changes and exit the editor.
You might need to open a port in your firewall to allow SSL connections to
port 443. To verify, get a list of your firewall rules:
sudo /sbin/iptables -L
If you have iptables active but without exceptions for port 443, you
need to add some, as shown in the following sample:
sudo /sbin/iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Remember to add the rules to your iptables config file or run the following command
on Red Hat-based distributions:
sudo /sbin/service iptables save
Run the following command to verify the configuration file syntax, ensuring that
you have no spelling errors and haven't added the wrong filenames:
# httpd -t
If the file is good, the command returns
Syntax OK. If there are errors,
the command returns the incorrect lines.
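Because httpd -t does not report who can read the private key, the following shell functions (an added example, not part of the original article) read the SSLCertificateFile and SSLCertificateKeyFile paths from the configuration and check that both files are present with intact BEGIN/END lines and that the key is readable by its owner only. The function names are hypothetical, and the check assumes absolute paths as in the VirtualHost sample above and inspects only the first occurrence of each directive.

```shell
#!/bin/sh
# Added example: pre-reload checks for the files named in a VirtualHost block.
# Usage after sourcing this file: check_ssl_files /path/to/httpd.conf
# Prints one line per problem and returns non-zero if any problem was found.

# Print the first argument of directive $2 in config file $1. Directive names
# are case-insensitive in Apache; surrounding double quotes are stripped.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed if file $1 has both a BEGIN and an END line for PEM label pattern $2.
pem_framed() {
    grep -Eq -- "^-----BEGIN $2-----" "$1" && grep -Eq -- "^-----END $2-----" "$1"
}

check_ssl_files() {
    conf=$1
    problems=0
    cert=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)

    if [ -z "$cert" ] || [ ! -s "$cert" ]; then
        echo "certificate missing or empty: ${cert:-<not set>}"; problems=$((problems + 1))
    elif ! pem_framed "$cert" 'CERTIFICATE'; then
        echo "certificate lacks BEGIN/END CERTIFICATE lines: $cert"; problems=$((problems + 1))
    fi

    if [ -z "$key" ] || [ ! -s "$key" ]; then
        echo "private key missing or empty: ${key:-<not set>}"; problems=$((problems + 1))
    else
        # Accepts PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY and similar labels.
        pem_framed "$key" '([A-Z]+ )?PRIVATE KEY' ||
            { echo "private key lacks BEGIN/END PRIVATE KEY lines: $key"; problems=$((problems + 1)); }
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -lL "$key" | cut -c5-10)
        [ "$mode" = "------" ] ||
            { echo "private key readable beyond its owner: $key"; problems=$((problems + 1)); }
    fi
    [ "$problems" -eq 0 ]
}
```

If the key is reported as readable beyond its owner, tighten it with chmod 600 on the key file before reloading Apache.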
When you make changes to Apache, you have two options for putting them into
effect: restart the service or reload the service. A restart
should be necessary only if you are adding or removing modules (such as
ssl_module). Because a restarted service takes some time to come back up,
we generally recommend that you use the reload option.
To reload Apache, run the following command:
CentOS 7.0 and higher
# systemctl reload httpd
CentOS 6.9 and lower
# service httpd reload
Ubuntu operating systems
# /etc/init.d/apache2 reload
To restart your Apache web server, run the following command:
# /etc/init.d/httpd restart
or
# /etc/init.d/apache2 restart
Test your certificate by using a browser to connect to your server. Use
the Hypertext Transfer Protocol Secure (HTTPS) protocol directive (e.g.
https://yourserver/) to indicate that you want to use secure HTTP.
Note: The padlock icon on your browser is displayed in the locked
position if your certificates are installed correctly and the server is
properly configured for SSL.