Apache and SSL certification

Create a CSR and install your SSL certificate on your Ubuntu server with Apache 2 using OpenSSL.

To use OpenSSL in order to create a CSR and then install the SSL certificate on the Ubuntu server with Apache2, use the instructions on this page.
NB: after installing the SSL / TLS certificate and configuring the server to use it, you need to restart the Apache2 instance.

For Apache instructions, see Apache: Create CSR and Install SSL Certificate (OpenSSL). For other instructions on the OS platform, see Creating a CSR (Certificate Signing Request).

You can use these instructions to create OpenSSL CSR and install all types of DigiCert SSL certificates on the Ubuntu server with Apache2: standard SSL, EV SSL, multi-domain SSL, EV multi-domain SSL and SSL Wildcard.

  1. To create your certificate signing request (CSR), consult Ubuntu with Apache2: Creating your CSR with OpenSSL
  2. To install the SSL certificate, consult Ubuntu with Apache2: Installing and configuring the SSL certificate

Ubuntu with Apache2: Creating your CSR with OpenSSL

Use the instructions in this section to create shell commands to generate Ubuntu with CSR Apache2 with OpenSSL.

How to generate a CSR for Ubuntu with Apache 2 using OpenSSL
If you prefer to create your shell commands to generate Ubuntu with CSR Apache2, follow the instructions below.

1. Access your server through the terminal client (ssh)
2. Execute command

At the prompt, type the following command:
NB: make sure you replace the server with the name of your server.

ssl certificate

3. Generate files

a. Now you have started the process to generate the following two files:

  • Private-Key File: used to generate the CSR and subsequently to protect and verify connections using the certificate.
  • CSR (Certificate Signing Request) file: used to order the SSL certificate and then to encrypt the messages that can be deciphered only with the corresponding private-key.

b. When prompted for the common name (domain name), type the fully qualified domain name (FQDN) for the site you want to protect.
NB: if you are generating an Apache CSR for a certified Wildcard, make sure that your common name starts with an asterisk (eg *. Example.com).

c. When requested, enter the organizational information, starting from the geographical information.
NB: you may have already set the default information.

d. Now, your OpenSSL .csr file has been created.

4. Order your SSL / TLS certificate

a. Open the .csr file you created in a text editor.
b. Copy the text, including the – START THE NEW CERTIFICATE REQUEST (BEGIN NEW CERTIFICATE REQUEST) – and – END OF THE NEW CERTIFICATE REQUEST (END NEW CERTIFICATE REQUEST) – label it and paste it into the DigiCert order form.

5. Save the Private-Key

Save (backup) the generated key file. You will need it later to install your SSL certificate.

6. Install certificate

After receiving the SSL certificate from DigiCert, you can install it on your server.

Ubuntu with Apache2: Installation and configuration of the SSL certificate

If you still need to create a certificate signing request (CSR) and order the certificate, consult Ubuntu with Apache2: How to use OpenSSL to create your own CSR.

After validating and issuing the SSL certificate, you can install it on Ubuntu with the Apache2 server (where the CSR was generated) and configure the server to use the certificate.

How to install and configure the SSL certificate on your Ubuntu server with Apache2

1. Copy the certificate files to your server

a. Log in to your DigiCert account and download the intermediate files (DigiCertCA.crt) and your primary certificate (your_domain_name.crt).
b. Copy these files, along with the .key file generated during the creation of the CSR, to the directory on the server where you keep the certificate and the key files.
NB: make them readable only by root to increase security.

2. Find the Apache configuration file you need to modify

The location and name of the configuration file may vary from server to server, especially if a special interface is used to manage the server configuration.

  • The Ubuntu server with the main Apache2 configuration file for your SSL / TLS site is typically located in / etc / apache2 / sites-enabled / your_site_name.
  • If it was not found in the “sites-enabled” directory, run the following command.
    sudo a2ensite your_site_name
  • Open the file with a text editor and find the blocks that contain the Apache settings.

3. Identify the SSL block you need to configure

If your site needs to be accessible through secure (https) and unsecured (http) connections, you need two separate files in / etc / apache2 / sites-enabled /. One file is for port 80 and the other file is for port 443. Configure both files for SSL as described in step 4.

If you want to securely access your site, configure the existing virtual host for SSL as described in step 4.

4. Configure the block for the SSL-enabled site

a. Below is a very simple example of a virtual host configured for SSL. The blue parts are the ones you need to add to configure the SSL configuration; may be present throughout the file.

SSL certificated file

b. Make sure to arrange the file names to match your certified files.

  • SSLCertificateFile is the DigiCert certificate file (for example, your_domain_name.crt).
  • SSLCertificateKeyFile is the .key file generated when you created the CSR (for example, your_private.key).
  • SSLCertificateChainFile is the DigiCert intermediate certificate file (eg, DigiCertCA.crt).

NB: if the SSLCertificateChainFile directive does not work, try using the SSLCACertificateFile directive instead.

5. Test the Apache2 configuration file before restarting

As a good practice, check your Apache2 configuration file for errors before restarting Apache.
Warning: Apache2 will not restart if the configuration files show syntax errors.
Run the following command to test the configuration file (on some systems, it is apache2ctl):
apachectl configtest

6. Restart Apache2

You can use apachectl commands to stop and start Apache2 with SSL support.
apachectl stop
apachect1 start

Restart notes:
If Apache2 doesn’t reboot with SSL support, try using apachectl startssl instead of apachectl start. If SSL support is only run with startssl apachectl, we recommend adjusting the apache boot configuration to include SSL support in the normal apachectl start command. Otherwise, the server may require manual reboot of Apache2 using apachectl startssl if the server is restarted. This usually involves removing tags and enclosing the SSL configuration.

7. Congratulations! You have successfully installed your SSL certificate

Test of SSL / TLS certificate installation

1. Browser test

a. For best results, be sure to close your browser first and then launch it.
b. Visit your site with the secure https URL (for example, go to https://www.example.com not http://www.example.com).
c. Make sure you test your site with other browsers that are not just Internet Explorer. Download missing intermediate certificates.

2. Diagnostic tool for DigiCert® SSL installation

If your site is publicly accessible, use our Server Certificate Tester to test the installation of the SSL / TLS certificate; it detects common installation problems.

Configuration and useful commands

Install Apache2
Required to use SSL / TLS certificates:
sudo apt-get install apache2

Enable SSL module

1. Replace “default-ssl” with the real site name you set in / etc / apache2 / sites-available /
sudo a2enmod ssl

2. Once the site listed in the previous command is enabled, the site appears in / etc / apache2 / sites-enabled

Apply the SSL module to the site
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart

Cipher Suite

  • Once you run the sudo a2enmod ssl command, edit the ssl.conf file in / etc / apache2 / mods-enabled
  • If you haven’t run the a2enmod command yet, preconfigure the ssl.conf file in / etc / apache2 / mods-available