How do I set up SSL CRT on my Apache2 server?

30,678

This depends. You'll likely want to add those lines to the VirtualHost file. I'll use the default as the example but you'll likely have multiple VirtualHosts defined (they are typically in the /etc/apache2/sites-available/ directory).

However, you'll first need to install the SSL certificates. Typically you can place the .crt file (or the certificate file, if it doesn't end with .crt) in the /etc/ssl/certs/ directory. Then copy the .key file to the /etc/ssl/private/ directory. Make sure that the .key file doesn't have other readable permissions, as it can lead to an exploit. As a reminder, these are just default SSL certificate locations; you can put them anywhere you want. I've seen some installations use /etc/apache2/ssl for a dumping ground of CRT and KEY files. This, again, is entirely up to you.

For actually setting up the SSL site in Apache, you'll want to copy the site's VirtualHost and edit a few lines so it operates properly with SSL. In this example I'll continue to just use the default setup but replace default with whichever VirtualHost file you're editing.

So for the default site, you'll copy the /etc/apache2/sites-available/default file, like so:

    sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl

Then edit the new default-ssl file. First change the first line, <VirtualHost..., from :80 to :443 so it will probably look like:

    <VirtualHost *:443>

The * will likely need to be the IP address on which Apache listens for that site. It can still be an asterisk, which is a wildcard match, but this may cause problems when you have multiple SSL certificates on multiple sites. When that's updated, at the bottom of the file, just above the </VirtualHost> line, add the following:

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/<yourssl>.crt
    SSLCertificateKeyFile /etc/ssl/private/<yourssl>.key
    # Intermediate CA bundle supplied by the certificate authority (placeholder name)
    SSLCertificateChainFile /etc/ssl/certs/<yourbundle>.crt

After you've done this you'll need to enable your site. Invoke the following commands to enable mod_ssl, the new VirtualHost you created, and restart Apache.

    sudo a2enmod ssl
    sudo a2ensite default-ssl
    sudo /etc/init.d/apache2 restart

Now when you navigate to the site via https:// you should be able to successfully connect!


Author: jnbdz

Updated on September 18, 2022
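
The answer's three file directives can be checked before Apache is restarted. The script below is an added example, not code from the original post: it checks that the key is not accessible to other users, that the certificate and key belong together, and that the chain file actually links the site certificate to a trusted root. The function names and the argument order (cert, key, chain, root) are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files an SSL VirtualHost points at.
# All paths are supplied by the caller; none are taken from a real site.

# SSLCertificateKeyFile: no read/write/execute bits for "other" users.
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, as shipped on Ubuntu
    [ $(( 0$mode & 007 )) -eq 0 ]
}

# SSLCertificateFile and SSLCertificateKeyFile must hold the same public key.
# Assumes an unencrypted key, which Apache needs in order to start unattended.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# SSLCertificateChainFile must link the site certificate to a trusted root.
# Arguments: trusted root file, intermediate bundle, site certificate.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Run all three checks; the return value is the number of failed checks.
preflight() {   # arguments: cert key chain root
    fails=0
    key_perms_ok "$2" ||
        { echo "FAIL: $2 is accessible to other users"; fails=$((fails + 1)); }
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: $1 and $2 do not belong together"; fails=$((fails + 1)); }
    chain_verifies "$4" "$3" "$1" ||
        { echo "FAIL: $3 does not chain $1 to $4"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: certificate, key and chain are consistent"
    return "$fails"
}

# Stand-alone use: sh preflight.sh <cert> <key> <chain> <root>
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

On Ubuntu the trusted-root argument is typically /etc/ssl/certs/ca-certificates.crt, and the chain argument is the intermediate bundle from the CA (gd_bundle.crt in the question's config). A chain check that fails while the other two pass matches the symptom of a browser rejecting an otherwise correctly installed certificate.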

Comments

  • jnbdz
    jnbdz over 1 year

    I just got from Godaddy an SSL certificate. I downloaded the files... But now I am wondering where I should put them. And is there anything else I need to set up?

    The reason I am asking is because I am receiving conflicting ways of how to set up the SSL on an Apache2 server.

    They say use ssl.conf but I found two on my server:

    /etc/apache2/mods-available/ssl.conf
    /etc/apache2/mods-enabled/ssl.conf
    

    Then they say I have to add these instructions:

    SSLCertificateFile /path/to/your/certificate/file
    SSLCertificateKeyFile /path/to/your/key/file
    SSLCertificateChainFile /path/to/intermediate/bundle/file
    

    Also they say that it might not be in the ssl.conf but in the httpd.conf file...

    So which is it?

    And if I use ssl.conf which file must I modify?

    Thanks in advance for any help.

    UPDATE:

    Here is my config:

    <VirtualHost 00.00.000.00:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/example.com
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
    
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/example.crt
        SSLCertificateKeyFile /etc/ssl/private/example.key
        #SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
    </VirtualHost>
    

    It seems that Godaddy cert. is not recognized by Google Chrome for some reason...

    So what is the SSLCertificateChainFile?

  • jnbdz
    jnbdz over 12 years
    I am using VirtualHost... So I modify the file default-ssl like you said... But what about the file with the config of the website itself...
  • jnbdz
    jnbdz over 12 years
    Only one of those sites will use HTTPS...
  • Michael Gundlach
    Michael Gundlach over 12 years
    You need to set up a new VirtualHost definition which is just a copy of the current VirtualHost except for the few changes outlined in the above post. So the HostName, DocumentRoot, all other settings remain the same as the current VirtualHost.
  • jnbdz
    jnbdz over 12 years
    Problem: Now when I type in the address with the https I get a list of all my vhosts...
  • jnbdz
    jnbdz over 12 years
    Also I have a .csr what do I do with it?
  • jnbdz
    jnbdz over 12 years
    What is the SSLCertificateChainFile ? Do I have it? Because I only have three files here... Plus the gd_bundle.crt is that it?
  • jnbdz
    jnbdz over 12 years
    Perfect it's working... For some reason Google Chrome does not recognize Godaddy as a cert. provider...