Articles in Root

How do I install an SSL certificate onto Apache?

Problem

How do I install an SSL Certificate into Apache using the httpd.conf?

Solution

The knowledgebase article assumes that you are installing this certificate on Apache 2.4.8 or above. If you have a version of Apache lower than this, then please contact QuoVadis Support.

On the certificate download page within Trust/Link, select the option at the bottom to download PEM with chain. This will give you the bundle file that will install the certificate correctly in Apache. If you do not have access to Trust/Link, then you will need to create the bundle yourself.

You will need to upload the certificate bundle file and the private key to the server. You would have received your certificate bundle file in the previous step. The private key is the *.key file that was created along with the CSR (Certificate Signing Request) that you submitted to Trust/Link. Once have these files, upload them to the server which has Apache.

Apache usually makes its SSL configurations in the httpd.conf or the ssl.conf files. This article will focus on the httpd.conf file, however the same changes could be made to the ssl.conf file if that is being used. Find this file on your server and open it in a simple text editor.

It is wise to make a backup of your Apache configuration file. If something goes wrong, you can simply revert to the previous file and restart the Apache service (pending you didn't delete any files).

You will need to configure your <VirtualHost> section of the configuration to include the certificates and use them. This is a an example of what the <VirtualHost> section may look like as they can differ from site to site:

<VitrualHost apache.quovadisglobal.com:443>
Listen 443
ServerName <your_server_name>:443
SSLEngine on
SSLCertificateFile /<path to <your_SSL_Certificate>.crt
SSLCertificateKeyFile /<path to the *.key file you created with the CSR>.key </VirtualHost>

Save the configuration file after the changes have been made.

Note: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. This is why the bundle file was downloaded from Trust/Link as it contains all required certificates. If you are using Apache 2.4.8 or higher, do not include SSLCertificateChainFile or your Apache service may not start.

Note: The SSLCACertificateFile should only be used when including client authentication on the server. The file included in this directive specifies the trust list of root certificate allowed for client authentication.

Apache will continue to use the old configuration until you restart it, so you must do so in order to use the new SSL certificates. If Apache fails to start, then something with your configuration file is wrong. To revert back, you can simply replace the httpd.conf file with your backup and attempt another restart. If you have to do this, then you should revise the changes that you make (typos, incorrect file paths, syntax errors, etc.).

OCSP Stapling Support

Although optional, it is highly recommended to enable OCSP Stapling which will improve the SSL handshake speed of your website. OCSP Stapling has been enabled since Apache 2.3.6.  It is included in the enable mod_ssl function (which is also required for SSL).  OCSP Stapling is disabled by default in Apache.

In order to enabled it, you must include the following lines in your configuration file:

SSLUseStapling On
SSLStaplingCache shmcb:/path/to/datafile[(size)]

Note: The SSLStaplingCache is mandatory for OCSP Stapling to work.

QuoVadis also recommends that you add the following configuration to the OCSP Stapling section of your configuration file:

SSLStaplingResponderTimeout 5
​SSLStaplingReturnResponderError off​

The SSLStaplingResponderTimeout command is the number of seconds that the server will wait for a response from the OCSP Responder.  The SSLStaplingReturnReponsderError off command prevents user error messages from being registered.

More information on these directives can be found at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html.  You can read up more on OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.

  1. Download the certificate bundle file from Trust/Link.
  2. Upload the certificate bundle file from step 1 to your server along with the private key.
  3. Locate and open the Apache configuration file (httpd.conf).
  4. Backup the Apache configuration file
  5. Locate and configrue the <VitrualHost> section of the configuration file.
  6. Restart the Apache service.