TLS certificate installation on an Apache server
The following instructions will show you how to create a public key on an Apache server using OpenSSL, which can be used on any server, and then install a newly issued certificate.
Generating a CSR on Apache (OpenSSL)
To generate a CSR request (public key) and private key, the OpenSSL tool is used.
In the first step, generate a key pair (private key and public key in CSR). Open the OpenSSL and use the following commands:
openssl genrsa –des3 –out www.mydomain.com.key 2048
Parameter -des3 ensures the use of a passphrase for the private key (encryption); if you do not use this parameter, the private key will be unprotected.
In the second step, generate the CSR request itself. You can also generate a CSR with a private key in the SSLmarket administration and save the private key for later installation.
openssl req –new –key www.mydomain.com.key –out www.mydomain.com.csr
After entering the order, you will be asked to specify the data for the CSR:
- Common Name: Common Name is the complete name of the domain for which the certificate is to be issued.
- Company / Organization: Enter the full name of the company as it appears in the Commercial Register, including the legal form.
- Organizational Unit: This field is optional and is used to specify the organizational unit of the organization, such as the branch or department.
- Locality / City: City name
- State / Province: Particular US state
- Country Name: State code - US
- CN: www.sslmarket.com
- OU: Software
- O: ZONER
- ST: FL
- C: US
- L: Tampa
Do not enter additional information such as e-mail address, password or optional company name in the CSR request. OpenSSL will create a file with the CSR extension, which you will insert into the certificate order at sslmarket.com.
Installing the issued certificate on the server
If you are going to install the certificate on a server where the Apache configuration has not yet been modified, first enable HTTPS and the default site for TLS connections. Without these two basic steps, HTTPS will not work at all.
Type in the terminal:
sudo a2enmod ssl
This will enable HTTPS.
Then enable the default site for secure connections, otherwise Apache will only use the default site with HTTP:
sudo a2ensite default-ssl
Restart Apache and it will then be able to use both HTTP and HTTPS.
systemctl restart apache2
Saving the domain and intermediate certificates
The issued TLS certificate is delivered by email. The certificate arrives in text form encoded in Base64 format. Save or copy the linux_cert+ca.pem file to the server - it was sent by us.
The linux_cert+ca.pem file contains the certificate for the domain and the intermediate certificate together. They are in one file to save you work because web servers want them together. The intermediate certificate is needed for the trustworthiness of the issued certificate on client devices, but you do not need to search for it and add it to the configuration.
To use the supplied certificate, it is necessary to modify the vhost configuration for the given domain. Open the configuration file default-ssl.conf (or domain-ssl.conf) for editing (it should be located in /etc/apache2/sites-enabled; if it is not, go back to the Initial steps paragraph) and modify in the following two directives the location of the private key file and certificate file that shall be used:
- SSLCertificateFile /etc/ssl/private/linux_cert+ca.pem
- SSLCertificateKeyFile /etc/ssl/private/private.key
sudo apache2ctl configtestIn the end, restart Apache:
sudo systemctl restart apache2
Example server configuration
On the Apache web server, enabled and used configurations are stored in the /etc2/apache2/sites-enabled. Here is a typical server configuration example in the default-ssl.conf file.
If you want to simplify the web server`s configuration, use moz://a SSL Configuration Generator. The configurator will immediately recommend the correct settings for web server security.
You can check the SSL certificate is correctly installed in our verifier.