SSLTree

Skip to Main Content »

1.866.857.3140

0

Checkout
Search Site
Welcome to SSLTree!

Category Navigation:

You're currently on:

  • Home
  • /
  • Resources - Apache Web Server SSL Certificate Installation Instructions

Purchase Security

Live Chat

Need help? Ask live!
Need help? Ask live!
Sorry! Our operators are currently offline. Please try again later.
 

Apache Web Server SSL Certificate Installation Instructions

Note in order to install any certifcate there are 3 main steps:

1) Purchase SSL Certificate from SSLTree.com - click here to compare all certificates

2) Generate CSR (Certificate Signing Request) on your server

* it is very important that you generate the CSR from the server where you will be installing the certificate because the CSR contains your web server's Public Key

3) Install The SSL Certificate

Generate CSR for Apache Web Server

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to order a new SSL Certificate.

Step 1: Generate a Key Pair
 
The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.
 
Type the following command at the prompt for a non-encrypted key:
openssl genrsa -out www.mydomain.com.key 2048 
 
For an encrypted key use the below command (Please note, windows version of openssl is not compatible with password protected keys)
openssl genrsa -des3 -out www.mydomain.com.key 2048
 
This command generates a 2048 bit RSA private key and stores it in the file www.mydomain.com.key.
Note: For Extended Validation certificates the key bit length must be 2048.
 
When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.
 
NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If you leave the private key unprotected, Geotrust recommends access to the server be restricted so that only authorized server administrators can access or read the private key file.

Step 2: Generate the CSR

Type the following command at the prompt:
 
openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr 
 
 This command will prompt for the following X.509 attributes of the certificate:
 
Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
 
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
 
Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
 
Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corportation.
 
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
 
Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
 
Geotrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
 
Please do not enter your email address, challenge password or an optional company name when generating the CSR.
 
A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
 
To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.

Copy the CSR into the clipboard and submit your CSR to SSLTree.com by logging into your My Account dashboard and clicking Issue Now link and then paste the CSR into the text box

Step 3: Backup your private key
 
SSLTree.com recommends backing up the .key file and storing of the corresponding pass phrase. A good choice is to create a copy of this file onto a diskette or other removable media. While backing up the private key is not required, having one will be helpful in the instance of server failure.

Install the SSL Certificate for Apache Web Server

Your SSL certificate will be sent imbedded in the body of the email, copy the code including the ----- BEGIN CERTIFICATE ----- & ----- END CERTIFICATE ----- and paste it into a text editor like Notepad or Vi. Do not use Microsoft Word or other word processing programs that may add characters or additional spacing. Confirm that there are no extra lines or spaces in the file.

1.  After pasting the certificate code in a text editor, save the filename with a .crt extension. For example: cert.crt
2.  Save the certificate file into a directory, for example /usr/local/ssl/crt/cert.crt - Note the path and filename the certificate file was saved in as it will need to be referenced in the next step.
 
Configure the Server
 
In order to use the key pair, the httpd.conf file will need to be updated. Open the httpd.conf configuration file and find the Virtual Host settings.
 
Verify that you have the following 2 directives within this Virtual Host and add them if they are not present: 
 
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

The first directive tells Apache how to find the Certificate File and the second one where the private key is located.
 
If you are using a different location and certificate file names than the example above (which most likely you are) you will need to change the path and filename to reflect your server.
 
Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.
 
3. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:  
 
apachectl stop  

apachectl startssl
  
Check that apache has successfully started. It's recommended you check the apache error logs if apache fails to start for hints on the problem.

**

Checkout with:

© 2010 SSLTree. All Rights Reserved.

SSLTree.com is a SSL Certificate intermediary enabling Web Hosting Providers to sell digital certificates and trust products to their customers through our SSL Partner Program and SSL cPanel plugin. SSLTree.com provides a full complement of SSL Certificates, Extended Validation (EV) Certificates, WildCard Certificates and Enterprise Certificates enabling 256-bit encryption, ensuring privacy and trust for online transactions and ecommerce. SSLTree.com offers immediate issuance of domain validated certificates with dynamic Site Seals powered by SiteTrust technology.