How do I setup SSL CRT on my Apache2 server?
This depends. You'll likely want to add those lines to the VirtualHost file. I'll use the default as the example, but you'll likely have multiple VirtualHosts defined (they are typically in the /etc/apache2/sites-available/ directory).
However, you'll first need to install the SSL certificates. Typically you can place the .crt file (or the certificate file, if it doesn't end with .crt) in the /etc/ssl/certs/ directory. Then copy the .key file to the /etc/ssl/private/ directory. Make sure that the .key file doesn't have other readable permissions, as it can lead to an exploit. As a reminder, these are just the default SSL certificate locations; you can put them anywhere you want. I've seen some installations use /etc/apache2/ssl as a dumping ground for CRT and KEY files. This, again, is entirely up to you.
For actually setting up the SSL site in Apache, you'll want to copy the site's VirtualHost and edit a few lines so it operates properly with SSL. In this example I'll continue to just use the default setup, but replace default with whichever VirtualHost file you're editing.
So for the default site, you'll copy the /etc/apache2/sites-available/default file, like so:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl
Then edit the new default-ssl file. First change the first line, <VirtualHost ..., from :80 to :443 so it will probably look like:
<VirtualHost *:443>
The * will likely need to be the IP address on which Apache listens for that site. It can still be an asterisk, which is a wildcard match, but this may cause problems when you have multiple SSL certificates on multiple sites. When that's updated, at the bottom of the file, just above the </VirtualHost> line, add the following:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<yourssl>.crt
SSLCertificateKeyFile /etc/ssl/private/<yourssl>.key
SSLCertificateChainFile /etc/ssl/certs/<yourssl>.crt
After you've done this you'll need to enable your site. Invoke the following commands to enable mod_ssl, the new VirtualHost you created, and restart Apache.
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
Now when you navigate to the site via https:// you should be able to successfully connect!
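A pre-flight check for the two files referenced by SSLCertificateFile and SSLCertificateKeyFile, added here as an example and not part of the original answer. The function names are hypothetical, and it assumes the openssl command-line tool and an unencrypted PEM key.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before restarting Apache.

# True when the key file grants no read/write/execute bits to "other" users.
# ls -L follows symlinks; characters 8-10 of the mode string are the "other" bits.
key_not_world_accessible() {
    [ "$(ls -ldL -- "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# True when the certificate ($1) and private key ($2) hold the same public key.
# Returns 2 if either file cannot be parsed by openssl.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null </dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run both checks, report every failure, and return non-zero if any failed.
preflight() {
    rc=0
    if ! key_not_world_accessible "$2"; then
        echo "FAIL: $2 grants permissions to other users (chmod o-rwx)" >&2
        rc=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 and $2 do not hold the same public key" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key permissions and certificate/key pair check out"
    return "$rc"
}

# Stand-alone use: sh preflight.sh /etc/ssl/certs/<yourssl>.crt /etc/ssl/private/<yourssl>.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as a user that can read the key (normally root); a non-zero exit status means Apache should not be restarted with these files yet.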
jnbdz
Updated on September 18, 2022
Comments
-
jnbdz over 1 year
I just got from Godaddy an SSL certificate. I downloaded the files... But now I am wondering where I should put them. And is there anything else I need to set up?
The reason I am asking is because I am receiving conflicting ways of how to set up SSL on an Apache2 server.
They say use ssl.conf but I found two on my server:
/etc/apache2/mods-available/ssl.conf
/etc/apache2/mods-enabled/ssl.conf
Then they say I have to add these instructions:
SSLCertificateFile /path/to/your/certificate/file
SSLCertificateKeyFile /path/to/your/key/file
SSLCertificateChainFile /path/to/intermediate/bundle/file
Also they say that it might not be in the ssl.conf but in the httpd.conf file...
So which is it?
And if I use ssl.conf, which file must I modify?
Thanks in advance for any help.
UPDATE:
Here is my config:
<VirtualHost 00.00.000.00:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/example.com

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    #SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
</VirtualHost>
It seems that the Godaddy cert. is not recognized by Google Chrome for some reason...
So what is the SSLCertificateChainFile?
-
jnbdz over 12 years
I am using VirtualHost... So I modify the file default-ssl like you said... But what about the file with the config of the website itself...
-
jnbdz over 12 years
Only one of those sites will use HTTPS...
-
Michael Gundlach over 12 years
You need to set up a new VirtualHost definition which is just a copy of the current VirtualHost except for the few changes outlined in the above post. So the HostName, DocumentRoot, and all other settings remain the same as the current VirtualHost.
-
jnbdz over 12 years
Problem: Now when I type in the address with the https I get a list of all my vhosts...
-
jnbdz over 12 years
Also I have a .csr, what do I do with it?
-
jnbdz over 12 years
What is the SSLCertificateChainFile? Do I have it? Because I only have three files here... Plus the gd_bundle.crt, is that it?
-
jnbdz over 12 years
Perfect, it's working... For some reason Google Chrome does not recognize Godaddy as a cert. provider...