Install an Apache certificate

You received your certificate by email, along with one or several intermediate certificates and a root certificate. Keep this email at hand.

1- Retrieve your certificate(s) on your server

Go back to the directory where the private key was generated, for example:
cd /etc/httpd/conf
or
cd /etc/apache/conf
In the delivery email you'll find several links. Click on them and download the associated files:
  • A: your server certificate
  • B: certification chain

2- Set up Apache

If you are using Apache 1.3 with mod_ssl, Apache 2, or similar (Mac OS X, WAMP, EasyPHP)

Find your Apache configuration file. It is often:
/etc/httpd/conf/httpd.conf
The SSL configuration may also be in another file. For example:
/etc/httpd/conf/ssl/default-vhost.conf
/etc/httpd/conf/ssl.conf

Or in a Windows environment (EasyPHP, WAMP, ...):
C:/Program Files/Apache Software Foundation/Apache X.X/conf/extra/httpd-ssl.conf
C:/Program Files/Apache Software Foundation/EasyPHP/
Note: Your Apache setup may cause problems if:
  • the path includes special characters such as spaces, brackets (), accents éàèêîï, ...
  • the path is too long (> 200 characters)
  • the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.

  • If you only have one certificate on this machine, find the section beginning with:
    <VirtualHost _default_:443>
    and edit the following directives so that they point to your files:
    # your server certificate (A)
    SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
    # your private key (generated previously)
    SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key
    # SSL configuration
    # 40-bit minimum
    #SSLCipherSuite !ADH:!DSS:!RC2:RC4-SHA:RC4-MD5:HIGH:MEDIUM:+AES128:+3DES:LOW
    # 128-bit minimum
    SSLCipherSuite !ADH:!DSS:!RC2:RC4-SHA:RC4-MD5:HIGH:MEDIUM:+AES128:+3DES
                   
    SSLProtocol all -SSLv2
    # Apache 2.1+ (kept on its own line: Apache does not accept a comment after a directive)
    SSLHonorCipherOrder on
    
    Warning: SSLHonorCipherOrder is not available on every version of Apache, see our documentation.
    And for your certification chain (B), add:
    SSLCertificateChainFile /etc/httpd/conf/chain-0000000000-1234.txt 
    For very old versions of Apache, see SSLCACertificateFile

    If you run Apache-ssl (Ben-SSL)

    Find your Apache configuration file. It is often:
    /etc/httpd/conf/httpd.conf
    and edit the following directives so that they point to your files:
    # your server certificate (A)
    SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
    # your private key (generated previously)
    SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key
    
    # accepted ciphers
    # 40-bit minimum
    #SSLRequiredCiphers DHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA
    # 128-bit minimum
    SSLRequiredCiphers DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA
    # forbidden ciphers
    SSLBanCipher NULL-MD5 NULL-SHA
    
    # if you run a version greater than or equal to Apache_1.3.29+ssl_1.53,
    # add an SSLNoV2 line (recommended for security)
    SSLNoV2
    
    If you have to install a certification chain file (B), add:
    SSLCACertificateFile /etc/httpd/conf/chain-0000000000-1234.txt 
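
A pre-restart check for the three pitfalls listed in the note in step 2, as an added example that is not part of the original page or of TBS tooling: it reads the certificate-file directives from a configuration and flags special characters, over-long paths and missing or unreadable files. The function names, the allowed-character list and the sample configuration are assumptions made for illustration; the readability result is only meaningful when the script runs as the account that runs Apache.

```python
import os
import re
import tempfile

# Directives named on this page that point at key or certificate files.
DIRECTIVES = {"sslcertificatefile", "sslcertificatekeyfile",
              "sslcertificatechainfile", "sslcacertificatefile"}
# Assumed allow-list; spaces, brackets, accents and the like are flagged.
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./:\\-]+$")
MAX_PATH = 200  # limit quoted in the note above


def check_ssl_paths(conf_text):
    """Return (directive, path, problem) tuples for the note's three pitfalls."""
    problems = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        # Skip blanks, comments, and directives that do not name a file.
        if len(parts) != 2 or parts[0].lower() not in DIRECTIVES:
            continue
        name, path = parts[0], parts[1].strip().strip('"')
        if not SAFE_PATH.match(path):
            problems.append((name, path, "special characters in path"))
        if len(path) > MAX_PATH:
            problems.append((name, path, "path longer than 200 characters"))
        if not os.path.isfile(path):
            problems.append((name, path, "file not found"))
        elif not os.access(path, os.R_OK):
            problems.append((name, path, "not readable by current user"))
    return problems


def demo():
    """Constructed sample: a valid certificate path and a key path with a space."""
    tmp = tempfile.mkdtemp()
    cert = os.path.join(tmp, "cert-0000000000-1234.cer")
    open(cert, "w").close()
    conf = "\n".join([
        "<VirtualHost _default_:443>",
        "SSLCertificateFile " + cert,
        'SSLCertificateKeyFile "' + tmp + '/my keys/www.virtualhost.com.key"',
        "</VirtualHost>",
    ])
    return check_ssl_paths(conf)


if __name__ == "__main__":
    for name, path, problem in demo():
        print(name + ": " + problem + ": " + path)
```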

    3- Restart Apache and run a test

    Once this is set up, restart the Apache server.
    service httpd restart
    or
    /etc/init.d/apache restart
    Check the log for any syntax errors, and check access to your website's secured pages with IE 6 and Firefox.

    On Windows platforms (EasyPHP, WAMP, ...)

    • You should see an administration/management menu for your Apache server in the task bar, which lets you start and stop it.
    • Make sure the HTTPS port (443) is open in the Firewall rules.
    • If an error occurs, the server might not start. You will then need to consult the error logs; the error messages can also appear in the Windows "Event Logs".

    Last edited on 12/07/2011 18:35:27