Before You Begin
You will need these three files from your SSL certificate download:
certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)
Installation Steps
-
Upload certificate files
Copy the three certificate files to the server.
/etc/ssl/certs/certificate.crt
/etc/ssl/private/private.key
/etc/ssl/certs/ca_bundle.crt -
Enable SSL module
Enable the Apache SSL module if not already active.
sudo a2enmod ssl
sudo a2ensite default-ssl -
Configure VirtualHost
Edit your VirtualHost configuration file to add the SSL directives.
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
</VirtualHost> -
Test and restart
Test the configuration syntax and restart Apache.
sudo apache2ctl configtest
sudo systemctl restart apache2
Common Issues
- Permission denied on private.key
- The private key file must be readable only by root. Set the correct permissions:
sudo chmod 600 /etc/ssl/private/private.key && sudo chown root:root /etc/ssl/private/private.key - ssl_error_rx_record_too_long
- This error usually means the VirtualHost is listening on port 80 instead of 443. Check that your SSL VirtualHost block starts with
<VirtualHost *:443>. - Mixed content after HTTPS
- Resources are being loaded over HTTP after switching to HTTPS. Add an HTTP-to-HTTPS redirect in your
.htaccessfile:RewriteEngine On/RewriteCond %{HTTPS} off/RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Frequently Asked Questions
Yes. Run
systemctl restart apache2 (or httpd on CentOS/RHEL). A reload (reload) is sufficient for config changes but a full restart is safer when adding SSL for the first time.
It tells Apache to send the intermediate CA certificates to browsers, completing the chain of trust. Without it, some clients may show certificate errors even though your certificate is valid.
Yes. Apache supports SNI (Server Name Indication), so each VirtualHost on port 443 can have its own certificate. Simply create a separate
<VirtualHost *:443> block for each domain.
Certificate Installed? Set Up Expiry Monitoring.
Get an email reminder 14 days before your certificate expires - free, no account needed.