Articles in Root

How to install SSL onto Apache using ssl.conf

Problem

How do I install an SSL Certificate into Apache using the httpd.conf?

Solution

Sometimes to reduce the httpd.conf file in size and content, some administrators include the SSL virtualhosts in a seperate file.  This separate file is called the ssl.conf file (or ssl-httpd.conf).  The guide belows shows you how to configure this file.

  1. Locate your ssl.conf file and open it using a simple text editor (such as notepad).
    Note: The defualt name of this file is httpd-ssl.conf.
    Note: The default location of this file is:
    Windows - C:\Program Files\Apache Software Foundation\Apache2.2\conf.extra
    Linux - /usr/local/apache/etc
  2. Make a backup of your current ssl.conf file.  You can simply copy the current one and rename it as ssl.conf_backup (or ssl-httdp.conf if you prefer).
  3. Once the ssl.conf file is open, look through it and make sure that the following lines do not have a '#' in front of them.  Also note that anything in bold should be changed to reflect your settings.  It is sstrongly recommended that you backup and read through the entire configuration file before modifying it.

Listen 443
ServerName <your_server_name>:443
SSLEngine on
SSLCertificateFile /<path to><your_SSL_Certificate>.crt
SSLCertificateKeyFile /<path to><*.key file you created with the CSR>.key
SSLCertificateChainFile /<path to> qvsslicag2.crt
SSLCACertificateFile /<path to> qvrca2.crt

Note: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. If you are using Apache 2.4.8 or higher, do not include SSLCertificateChainFile or your Apache service may not start.

  1. Once you have made the following changed and created a backup, save the ssl.conf file.
  2. Now you will want to locate your httpd.conf file and open it using a text editor.
  3. Backup your httpd.conf file the same way as you did in step 2.
  4. In the httpd.conf file, include the following line anywhere within the text (be sure not to include any '#' signs infront of it):

Include conf/extra/ssl.conf

Note: the "conf/extra" might change depending on if the ssl.conf file is in a different location.  It may also depend on what OS Apache is installed on.
Note: The file name "ssl.conf" might also be "httpd-ssl.conf" depending on what you named your configuration file.

  1. Save the httpd.conf file.
  2. Restart the Apache service.

Note: If during this process, either your Apache service fails to restart or something goes wrong, you should delete the current httpd.conf file and revert back to your backup httpd.conf file.  This can be done by renaming the httpd.conf_backup to just httpd.conf.  The same applies to the ssl.conf file.

OCSP Stapling Support

Although optional, it is highly recommended to enable OCSP Stapling which will improve the SSL handshake speed of your website. CSP Stapling has been enabled since Apache 2.3.6.  It is included in the enable mod_ssl function (which is also required for SSL).  OCSP Stapling is disabled by default in Apache.

In order to enabled it, you must include the following lines in your configuration file:

SSLUseStapling On
SSLStaplingCache shmcb:/path/to/datafile[(size)]

Note: The SSLStaplingCache is mandatory for OCSP Stapling to work.

More information on these directives can be found at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html.  You can read up more on OCSP Stapling at What is OCSP Stapling.