How do I install an SSL Certificate into older versions of Apache using the httpd.conf?
This knowledge base article assumes that you are installing this certificate on Apache 2.4.7 or lower. If you have a version of Apache higher than this, then there is another KB article that you should follow.
On the certificate download page within Trust/Link, select the option to download the certificate in PEM format. You will also need to create a bundle file that includes both the intermediate and root certificates.
To create this file, you must:
It should look something like this:
-----BEGIN CERTIFICATE-----
<several lines of PEM encoded content in alphanumeric characters>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<several lines of PEM encoded content in alphanumeric characters>
-----END CERTIFICATE-----
Note: If you don't have access to Trust/Link but you know which intermediates and root certificates you require, you can obtain them at https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx. If you don't have access to Trust/Link and you don't know which intermediate and root certificates you require, please contact QuoVadis Support and provide them the Common Name of your certificate.
You will need to upload the certificate, the bundle file you created and the private key to the server. The private key is the *.key file that was created along with the CSR (Certificate Signing Request) that you submitted to Trust/Link. Once you have these files, upload them to the server that runs Apache.
Apache usually keeps its SSL configuration in the httpd.conf or the ssl.conf file. This article focuses on the httpd.conf file; however, the same changes can be made to the ssl.conf file if that is being used. Find this file on your server and open it in a simple text editor.
It is wise to make a backup of your Apache configuration file. If something goes wrong, you can simply revert to the previous file and restart the Apache service (provided you didn't delete any files).
You will need to configure the <VirtualHost> section of the configuration to include the certificates and use them. This is an example of what the <VirtualHost> section may look like; it can differ from site to site:
# Listen is a server-level directive and must sit outside <VirtualHost>
Listen 443
<VirtualHost apache.quovadisglobal.com:443>
ServerName <your_server_name>:443
SSLEngine on
# Server certificate, its private key, and the intermediate/root bundle
SSLCertificateFile /<path to your_SSL_Certificate>.crt
SSLCertificateKeyFile /<path to the *.key file you created with the CSR>.key
SSLCertificateChainFile /<path to qv_bundle.crt>
</VirtualHost>
Save the configuration file after the changes have been made.
Note: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. This is why the bundle file was downloaded from Trust/Link as it contains all required certificates. If you are using Apache 2.4.8 or higher, do not include SSLCertificateChainFile or your Apache service may not start.
Note: The SSLCACertificateFile directive should only be used when including client authentication on the server. The file included in this directive specifies the trust list of root certificates allowed for client authentication.
Apache will continue to use the old configuration until you restart it, so you must do so in order to use the new SSL certificates. If Apache fails to start, then something in your configuration file is wrong. To revert, you can simply replace the httpd.conf file with your backup and attempt another restart. If you have to do this, then you should review the changes that you made (typos, incorrect file paths, syntax errors, etc.).
Although optional, it is highly recommended to enable OCSP Stapling, which will improve the SSL handshake speed of your website. OCSP Stapling has been supported since Apache 2.3.6. It is included when mod_ssl is enabled (which is also required for SSL). OCSP Stapling is disabled by default in Apache.
To enable it, you must include the following lines in your configuration file:
SSLUseStapling On
SSLStaplingCache shmcb:/path/to/datafile[(size)]
Note: The SSLStaplingCache is mandatory for OCSP Stapling to work.
More information on these directives can be found at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html. You can read more about OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.
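A pre-restart check for the configuration mistakes this article warns about, as an added example that is not QuoVadis or Apache code: it flags SSLCertificateChainFile on 2.4.8 or higher, SSLUseStapling without SSLStaplingCache, SSLCACertificateFile without client authentication, and Listen or SSLStaplingCache placed inside <VirtualHost> (httpd accepts both only at server level). The function name lint_ssl_conf, its messages and the sample configuration are constructed for illustration, and the check assumes a file with a single virtual host.

```python
import re

# Rules follow the article; lint_ssl_conf and SAMPLE are constructed for this example.
def lint_ssl_conf(conf_text, apache_version):
    """Return warnings for httpd.conf text; apache_version is e.g. (2, 4, 7)."""
    warnings, seen, in_vhost = [], {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            in_vhost = False
        elif not line.startswith("<"):
            parts = line.split(None, 1)
            name = parts[0].lower()
            seen[name] = parts[1] if len(parts) > 1 else ""
            # Both directives are server-config only; httpd rejects them in a vhost.
            if in_vhost and name in ("listen", "sslstaplingcache"):
                warnings.append(f"{parts[0]} must be outside <VirtualHost>")
    chain = "sslcertificatechainfile" in seen
    if chain and apache_version >= (2, 4, 8):
        warnings.append("SSLCertificateChainFile is obsolete from 2.4.8")
    if not chain and apache_version < (2, 4, 8) and "sslcertificatefile" in seen:
        warnings.append("bundle file not configured via SSLCertificateChainFile")
    if seen.get("sslusestapling", "").lower() == "on" and "sslstaplingcache" not in seen:
        warnings.append("SSLUseStapling On requires SSLStaplingCache")
    if "sslcacertificatefile" in seen and "sslverifyclient" not in seen:
        warnings.append("SSLCACertificateFile set without client authentication")
    return warnings

# Constructed sample: host name and paths are placeholders, not real values.
SAMPLE = """\
<VirtualHost example.test:443>
Listen 443
ServerName example.test:443
SSLEngine on
SSLCertificateFile /etc/ssl/example.crt
SSLCertificateKeyFile /etc/ssl/example.key
SSLCertificateChainFile /etc/ssl/qv_bundle.crt
SSLUseStapling On
</VirtualHost>
"""

if __name__ == "__main__":
    for version in ((2, 4, 7), (2, 4, 10)):
        print(version, lint_ssl_conf(SAMPLE, version))
```

An empty list means none of these rules fired; it does not replace Apache's own syntax check or a test restart.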