Installing SSL on Apache 2.2 using httpd.conf

Problem

How do I install an SSL Certificate into older versions of Apache using the httpd.conf?

Solution

This knowledge base article assumes that you are installing the certificate on Apache 2.4.7 or lower. If you have a later version of Apache, there is another KB article that you should follow.

  • Obtain the necessary files.
  • On the certificate download page within Trust/Link, select the option to download the certificate in PEM format. You will also need to create a bundle file that includes both the intermediate and root certificates.

    To create this file, you must:

    1. Open a text editor.
    2. On the certificate download page of Trust/Link, copy the entire contents of the Intermediate CA certificate box into the text editor.
    3. Start a new line in the text editor after the Intermediate contents you just pasted in. Usually, this can be done using the enter key.
    4. Back in the certificate download page of Trust/Link, copy the entire contents of the Root CA certificate box into the text editor, directly underneath the Intermediate text.
    5. It should look something like this:
      -----BEGIN CERTIFICATE-----
      <several lines of PEM encoded content in alphanumeric characters>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <several lines of PEM encoded content in alphanumeric characters>
      -----END CERTIFICATE-----

    6. Save the document as qv_bundle.crt. This is your bundle file.

    Note: If you don't have access to Trust/Link but you know which intermediate and root certificates you require, you can obtain them at https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx. If you don't have access to Trust/Link and you don't know which intermediate and root certificates you require, please contact QuoVadis Support and provide them with the Common Name of your certificate.

  • Upload the certificate and the bundle file from step 1 to your server along with the private key.
  • You will need to upload the certificate, the bundle file you created and the private key to the server. The private key is the *.key file that was created along with the CSR (Certificate Signing Request) that you submitted to Trust/Link. Once you have these files, upload them to the server that runs Apache.

  • Locate and open the Apache configuration file (httpd.conf).
  • Apache usually makes its SSL configurations in the httpd.conf or the ssl.conf files. This article will focus on the httpd.conf file, however the same changes could be made to the ssl.conf file if that is being used. Find this file on your server and open it in a simple text editor.

  • Back up the Apache configuration file.
  • It is wise to make a backup of your Apache configuration file. If something goes wrong, you can simply revert to the previous file and restart the Apache service (provided you didn't delete any files).

  • Locate and configure the <VirtualHost> section of the configuration file.
  • You will need to configure the <VirtualHost> section of the configuration so that it includes the certificates and uses them. This is an example of what the <VirtualHost> section may look like; it can differ from site to site:

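    # Listen is a server-level directive: declare it once, outside <VirtualHost>
    Listen 443
    <VirtualHost apache.quovadisglobal.com:443>
    ServerName <your_server_name>:443
    SSLEngine on
    # Server certificate downloaded from Trust/Link in PEM format
    SSLCertificateFile /<path to your_SSL_Certificate>.crt
    # Private key that was created along with the CSR
    SSLCertificateKeyFile /<path to the *.key file you created with the CSR>.key
    # Bundle file holding the intermediate and root certificates
    SSLCertificateChainFile /<path to qv_bundle.crt>
    </VirtualHost>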

    Save the configuration file after the changes have been made.

    Note: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. This is why the bundle file was downloaded from Trust/Link as it contains all required certificates. If you are using Apache 2.4.8 or higher, do not include SSLCertificateChainFile or your Apache service may not start.

    Note: The SSLCACertificateFile directive should only be used when including client authentication on the server. The file named in this directive specifies the trust list of root certificates allowed for client authentication.

  • Restart the Apache service.
  • Apache will continue to use the old configuration until you restart it, so you must do so in order to use the new SSL certificates. If Apache fails to start, then something in your configuration file is wrong. To revert, you can simply replace the httpd.conf file with your backup and attempt another restart. If you have to do this, then you should review the changes that you made (typos, incorrect file paths, syntax errors, etc.).
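The checks below can be run on the uploaded files before the restart, so that a wrong key, a wrong bundle or a syntax error is caught while the old configuration is still serving. This is an added example, not QuoVadis or Apache project code; it assumes the openssl command line tool is installed, the private key is not passphrase-protected, and the control script is named apachectl (some distributions call it apache2ctl).

```shell
#!/bin/sh
# Added example: sanity checks for the certificate, key and bundle files.
# Function names are illustrative; paths are supplied by the caller.

# Number of PEM certificates in a file (qv_bundle.crt should hold 2).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# True when the key belongs to the certificate: both must yield the same
# public key. An empty result (unreadable file) counts as a failure.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the server certificate chains to the certificates in the bundle.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check, report each failure, return non-zero if any failed.
preflight() {  # usage: preflight <cert> <key> <bundle>
    rc=0
    [ "$(count_pem_certs "$3")" -eq 2 ] || { echo "bundle: expected 2 certificates" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; rc=1; }
    chain_verifies "$1" "$3" || { echo "certificate does not chain to bundle" >&2; rc=1; }
    key_is_private "$2" || { echo "key is accessible to group/others" >&2; rc=1; }
    return "$rc"
}

# When called with three paths, check the files, then the Apache syntax.
if [ "$#" -eq 3 ]; then
    preflight "$@" && apachectl configtest
fi
```

If the key check fails only on permissions, `chmod 600` on the *.key file fixes it.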

    OCSP Stapling Support

    Although optional, it is highly recommended to enable OCSP Stapling, which will improve the SSL handshake speed of your website. OCSP Stapling has been supported since Apache 2.3.6. It is included in mod_ssl (which is also required for SSL) when that module is enabled. OCSP Stapling is disabled by default in Apache.

    In order to enable it, you must include the following lines in your configuration file:

    SSLUseStapling On
    SSLStaplingCache shmcb:/path/to/datafile[(size)]


    Note: The SSLStaplingCache is mandatory for OCSP Stapling to work.

    More information on these directives can be found at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html. You can read more about OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.
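To confirm that stapling is actually being served after the restart, the handshake can be inspected with openssl s_client and its -status option. The helper below is an added example, not part of the original article; its function names and result labels are illustrative, and the two sample excerpts are constructed to mirror what s_client prints.

```shell
#!/bin/sh
# Added example: classify the stapling result in `openssl s_client -status`
# output read from stdin.
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "not-stapled"
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        case $out in
            *'Cert Status: good'*)    echo "stapled-good" ;;
            *'Cert Status: revoked'*) echo "stapled-revoked" ;;
            *)                        echo "stapled-unknown" ;;
        esac
    else
        echo "no-ocsp-section"
    fi
}

# Query a live server and classify its answer. usage: check_stapling <host>
check_stapling() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed excerpts of s_client output, for trying the classifier offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_NONE='OCSP response: no response sent'
```

A result of not-stapled on a server configured as above usually points to a missing SSLStaplingCache line or to the server being unable to reach the CA's OCSP responder.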