Securing your website with SSL encryption is an important step to protect your site and your users. SSL (Secure Sockets Layer) encrypts communications between a browser and a server to prevent snooping of sensitive information. With SSL installed, you can activate HTTPS on your site so connections use the secure https:// protocol instead of standard http://.
In this comprehensive guide, we’ll walk through the full process of installing an SSL certificate on an Apache web server.
Prerequisites
Before you can install and configure an SSL certificate, you’ll need:
- An Apache web server installed and active
- Root or admin access to the server
- A registered domain name pointed at your server
- An SSL certificate file from a certificate authority (CA)
The examples below use a CentOS 7 server with Apache, but the general instructions apply to any distro running Apache.
Step 1 – Generate an SSL Key and Certificate Signing Request (CSR)
The first step is to generate a private and public SSL key pair. The private key stays on your server while the public key is shared with the CA to generate your certificate.
Use the openssl tool on your server to generate a 2048-bit private key and CSR:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
- Replace domain with your registered domain name.
- The -nodes parameter saves the private key without passphrase protection.
This will prompt you to enter details like company name, domain, etc. The most important fields are the Common Name, which should match your domain exactly, and a challenge password you’ll need later.
Once complete, you’ll have two new files – domain.key contains the private key and domain.csr is the Certificate Signing Request text file.
Step 2 – Submit the CSR and Download the SSL Certificate
With the CSR generated, you can now purchase and generate the real SSL certificate. Submit the contents of the CSR file to the Certificate Authority (CA) of your choice, such as Digicert, Comodo, Symantec, GoDaddy, etc.
When the CA processes your order, you will get back the SSL certificate contents. This will be one or more files, depending on certificate type.
- For a single-domain certificate, you get a single .crt file
- For wildcards and SAN certificates, you get a .crt file and one or more intermediate .ca-bundle files.
Save the certificate file(s) somewhere safe on your server.
Step 3 – Install the SSL Certificate files on the Server
Now you need to install the certificate files you got from the CA onto your server.
Combine any individual files you received into a single .crt file like so:
cat domain.crt bundle1.crt bundle2.crt > domain.combined.crt
Then move the new combined .crt file and your original .key private key file into the Apache config directory:
sudo mv domain.combined.crt /etc/ssl/certs/domain.crt
sudo mv domain.key /etc/ssl/private/domain.key
The paths may vary based on your distro, but typically SSL certificates live in /etc/ssl/certs/ and private keys in /etc/ssl/private/.
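Before pointing Apache at these files, it is worth confirming that the private key from Step 1, the CSR and the installed certificate all carry the same public key, and that the unencrypted key is not readable by other accounts. The script below is an added example, not part of the original guide; it assumes the openssl command-line tool, and the function names and the check.sh file name are hypothetical.

```sh
# Added example (not from the original guide). Function names are
# hypothetical; file names follow the guide's domain.* pattern.

# Print the SHA-256 digest of the public key held in a private key,
# a CSR or a certificate. For a combined .crt (Step 3), openssl x509
# reads the first certificate, which must be the one for your domain.
pubkey_digest() {
    case "$1" in
        key)  _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  _pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file must fail, not hash to a constant.
    [ -n "$_pub" ] || return 1
    printf '%s\n' "$_pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if every kind:path argument carries the same public key.
same_keypair() {
    _first=""
    for _spec in "$@"; do
        _d=$(pubkey_digest "${_spec%%:*}" "${_spec#*:}") || return 1
        [ -n "$_first" ] || _first=$_d
        [ "$_d" = "$_first" ] || return 1
    done
    [ -n "$_first" ]
}

# Succeed only if group and others have no access to the key file.
# The key was written with -nodes, so its mode is its only protection.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh check.sh domain.key domain.csr /etc/ssl/certs/domain.crt
if [ $# -eq 3 ]; then
    if same_keypair "key:$1" "csr:$2" "cert:$3" && key_is_private "$1"; then
        echo "OK: key, CSR and certificate match; key mode is private"
    else
        echo "FAIL: key mismatch, or key readable by group/others" >&2
        exit 1
    fi
fi
```

A mismatch here usually means the certificate was issued for a different CSR, or the files were concatenated in the wrong order in the combine step.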
Step 4 – Edit Apache Config to Enable SSL
Now your SSL certificate is installed, but you still need to configure Apache to use it.
Open the main Apache config file at /etc/httpd/conf/httpd.conf in a text editor with root privileges.
Uncomment the following lines by removing the # at the start:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
This loads the ssl module and includes the ssl config file that you’ll edit next.
Save and close the file when done.
Next, edit the ssl config file at /etc/httpd/conf.d/httpd-ssl.conf.
Find the SSLCertificateFile and SSLCertificateKeyFile directives and update the paths to match where you installed the cert and key:
SSLCertificateFile /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
Finally, restart Apache to load the new config:
sudo systemctl restart httpd
Apache is now configured for SSL!
Step 5 – Forcing HTTPS with .htaccess
To force all traffic to HTTPS, you can use URL redirects in a .htaccess file. This will redirect all HTTP requests to use HTTPS instead.
Create a new .htaccess file in your document root – usually /var/www/html:
sudo nano /var/www/html/.htaccess
Add the following redirect rules:
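RewriteEngine On
# Only rewrite requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Send a permanent redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]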
Save changes and any requests over HTTP should now redirect to HTTPS.
Step 6 – Change Virtual Host Configs to Use HTTPS
If you have virtual hosts configured for specific domains, you’ll also need to update those configs to activate SSL encryption.
Edit each virtual host file in /etc/httpd/conf.d/ and add the following directives somewhere in the <VirtualHost> block:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
Use the same cert and key paths you added to the main config earlier. Add these directives to each virtual host that needs SSL enabled.
Conclusion
Installing an SSL certificate on Apache is straightforward once you have the files from a certificate authority. By following the steps to generate a key and CSR, install the signed certificate, and update the Apache configuration, you can activate HTTPS and encrypt traffic for your websites. Proper SSL configuration keeps your site secure and protects sensitive user information from snooping.