TLS certificate installation on an Apache server

The following instructions show how to generate a key pair and a CSR (public key) on an Apache server using OpenSSL, which can be used on any server, and then install the newly issued certificate.

Generating a CSR on Apache (OpenSSL)

To generate a CSR request (public key) and private key, the OpenSSL tool is used.

In the first step, generate a key pair (private key and public key in CSR). Open OpenSSL and use the following command:

openssl genrsa -des3 -out <private-key-file> 2048

The -des3 parameter encrypts the private key with a passphrase; if you do not use this parameter, the private key will be unprotected.

In the second step, generate the CSR request itself. You can also generate a CSR with a private key in the SSLmarket administration and save the private key for later installation.

openssl req -new -key <private-key-file> -out <csr-file>

After entering the command, you will be asked to specify the data for the CSR:

  • Common Name: Common Name is the complete name of the domain for which the certificate is to be issued.
  • Company / Organization: Enter the full name of the company as it appears in the Commercial Register, including the legal form.
  • Organizational Unit: This field is optional and is used to specify the organizational unit of the organization, such as the branch or department.
  • Locality / City: City name
  • State / Province: Particular US state
  • Country Name: State code - US

[Figure: Example of correctly filled information in the CSR]

Do not enter additional information such as e-mail address, password or optional company name in the CSR request. OpenSSL will create a file with the CSR extension, which you will insert into the certificate order at

Installing the issued certificate on the server

Initial steps

If you are going to install the certificate on a server where the Apache configuration has not yet been modified, first enable HTTPS and the default site for TLS connections. Without these two basic steps, HTTPS will not work at all.

Type the following in the terminal to enable HTTPS:

sudo a2enmod ssl

Then enable the default site for secure connections, otherwise Apache will only use the default site with HTTP:

sudo a2ensite default-ssl

Restart Apache and it will then be able to use both HTTP and HTTPS:

sudo systemctl restart apache2

Saving the domain and intermediate certificates

The issued TLS certificate is delivered by email. The certificate arrives in text form, encoded in Base64. Save or copy the linux_cert+ca.pem file that we sent you to the server.

The linux_cert+ca.pem file contains the certificate for the domain and the intermediate certificate together. They are in one file to save you work because web servers want them together. The intermediate certificate is needed for the trustworthiness of the issued certificate on client devices, but you do not need to search for it and add it to the configuration.

Vhost configuration

To use the supplied certificate, you need to modify the vhost configuration for the given domain. Open the configuration file default-ssl.conf (or domain-ssl.conf) for editing. It should be located in /etc/apache2/sites-enabled; if it is not, go back to the Initial steps paragraph. In the following two directives, set the location of the certificate file and the private key file to be used:

  • SSLCertificateFile /etc/ssl/private/linux_cert+ca.pem
  • SSLCertificateKeyFile /etc/ssl/private/private.key

Earlier versions of Apache supported the SSLCertificateChainFile directive (deprecated as of version 2.4.8); you can delete it or comment it out. The intermediate certificate is in the certificate file, as mentioned above. The SSLCACertificateFile directive is used for client certificates, so ignore it for a TLS certificate.

Save the file. Before restarting, you can test the correctness of the configuration with the command:

sudo apache2ctl configtest

Finally, restart Apache:

sudo systemctl restart apache2
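Before the restart, it is worth confirming that the private key belongs to the certificate in linux_cert+ca.pem, that the file holds both the domain and intermediate certificates, and that the key is not readable by other users. The script below is an added example, not part of the original instructions; the function names, the exit codes and the throwaway self-signed sample certificates are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original page). Exit codes are this sketch's own:
# 0 ok, 1 key/cert mismatch, 2 unreadable or unparsable, 3 no intermediate, 4 loose key mode.
check_tls_files() {
    cert_file=$1; key_file=$2; passin=${3:-}   # passin, e.g. "env:KEY_PASS", for a -des3 key
    [ -r "$cert_file" ] && [ -r "$key_file" ] || return 2

    # The first certificate in the file must carry the public half of the private key.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key_file" -pubout ${passin:+-passin "$passin"} 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1

    # linux_cert+ca.pem should hold the domain certificate and the intermediate.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert_file")" -ge 2 ] || return 3

    # The key must not be accessible to group or others (mode 600 or 400).
    [ "$(ls -lL "$key_file" | cut -c5-10)" = "------" ] || return 4
    return 0
}

# Constructed sample: two throwaway self-signed certificates stand in for the
# domain certificate and the intermediate; real files come from the CA.
make_sample() {
    dir=$1
    for n in private other; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
        openssl req -new -x509 -key "$dir/$n.key" -subj "/CN=$n.example.test" \
            -days 1 -out "$dir/$n.pem" 2>/dev/null
        chmod 600 "$dir/$n.key"
    done
    cat "$dir/private.pem" "$dir/other.pem" > "$dir/linux_cert+ca.pem"
}

sample=$(mktemp -d)
make_sample "$sample"
check_tls_files "$sample/linux_cert+ca.pem" "$sample/private.key" && echo "matching key accepted"
check_tls_files "$sample/linux_cert+ca.pem" "$sample/other.key" || echo "wrong key rejected, code $?"
rm -rf "$sample"
```

On a real server, call check_tls_files with the two paths from SSLCertificateFile and SSLCertificateKeyFile. A passphrase-protected key needs the third argument, otherwise OpenSSL cannot read it without a terminal.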

Example server configuration

On the Apache web server, enabled and used configurations are stored in /etc/apache2/sites-enabled. Here is a typical server configuration example in the default-ssl.conf file:

SSLEngine on
SSLCertificateFile /etc/ssl/private/domain.pem
SSLCertificateKeyFile /etc/ssl/private/domain.key

If you want to simplify the web server's configuration, use the moz://a SSL Configuration Generator. The configurator will immediately recommend the correct settings for web server security.

You can check that the SSL certificate is correctly installed using our verifier.
