Install SSL on Apache

Configure mod_ssl on Apache with VirtualHost directives to serve your site over HTTPS.

Before You Begin

You will need these three files from your SSL certificate download:

certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)

Installation Steps

  1. Upload certificate files

    Copy the three certificate files to the server.

    /etc/ssl/certs/certificate.crt
    /etc/ssl/private/private.key
    /etc/ssl/certs/ca_bundle.crt
  2. Enable SSL module

    Enable the Apache SSL module if not already active.

    sudo a2enmod ssl
    sudo a2ensite default-ssl
  3. Configure VirtualHost

    Edit your VirtualHost configuration file to add the SSL directives.

    <VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/private.key
    SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
    </VirtualHost>
  4. Test and restart

    Test the configuration syntax and restart Apache.

    sudo apache2ctl configtest
    sudo systemctl restart apache2

Common Issues

Permission denied on private.key
The private key file must be readable only by root. Set the correct permissions: sudo chmod 600 /etc/ssl/private/private.key && sudo chown root:root /etc/ssl/private/private.key
ssl_error_rx_record_too_long
This error usually means the VirtualHost is listening on port 80 instead of 443. Check that your SSL VirtualHost block starts with <VirtualHost *:443>.
Mixed content after HTTPS
Resources are being loaded over HTTP after switching to HTTPS. Add an HTTP-to-HTTPS redirect in your .htaccess file: RewriteEngine On / RewriteCond %{HTTPS} off / RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Frequently Asked Questions

Yes. Run systemctl restart apache2 (or httpd on CentOS/RHEL). A reload (reload) is sufficient for config changes but a full restart is safer when adding SSL for the first time.

It tells Apache to send the intermediate CA certificates to browsers, completing the chain of trust. Without it, some clients may show certificate errors even though your certificate is valid.

Yes. Apache supports SNI (Server Name Indication), so each VirtualHost on port 443 can have its own certificate. Simply create a separate <VirtualHost *:443> block for each domain.

Certificate Installed? Set Up Expiry Monitoring.

Get an email reminder 14 days before your certificate expires - free, no account needed.