How to configure Apache SSL step by step
Setting up Apache SSL configures the popular web server to use HTTPS. HTTPS encrypts the connection between the user’s browser and the web server. To set it up, manual steps may be taken on the server depending on the hosting environment. We show how to proceed in this process.
Requirements to use Apache SSL
To establish SSL-encrypted connections with the Apache web server, a valid SSL certificate is required first. SSL certificates are usually provided free of charge via ‘Let’s Encrypt’ and configured automatically in affordable hosting plans. There are many other ways to obtain an SSL certificate, too. For professional applications, it is worthwhile setting up a specially issued SSL certificate. This signals to site visitors that they are actually communicating with the desired organisation. This fosters additional trust in your site.
Buy an SSL certificate from IONOS – it’ll provide affordable encryption for your website.
In essence, an SSL certificate is issued for a specific domain. This is a purely technical verification criterion. Beyond that, more stringent validation levels exist, up to and including verification of the organisational identity by a human. Let’s take a look at the different validation levels at a glance:
Validation | Explanation | Use |
Domain Validation (DV) | Ensures that communication is encrypted and only with the specified domain. Doesn’t reveal who owns the domain. | Leads to warning message in browser in case of phishing attempt or man-in-the-middle attack. |
Organisation Validation (OV) | Like DV; additionally checks that the domain belongs to the specified organisation. | Considered a minimum requirement for online commerce. |
Extended Validation (EV) | Like OV; additional human verification of the organisation’s identity. | Used by large organisations such as banks, as well as government and official organisations. |
In addition to SSL certificates for individual domains, there are wildcard certificates. These apply to all subdomains below a specified domain. So, the certificate *.example.com is valid for the domains www.example.com, dev.example.com, store.example.com, blog.example.com etc. Wildcard certificates are practical for running a live and staging site and store or blog in parallel on one server.
If you already have a valid SSL certificate, you still need SSH access to the web server and ‘sudo’ or ‘root’ access to set up Apache SSL.
Learn to set up an Apache webserver yourself!
How to set up an Apache SSL certificate
The specific procedure for setting up Apache SSL depends on the operating system (OS) and Apache version used. Here’s the process for the ‘Apache httpd 2.4 default layout’. The Apache2 environment on Ubuntu requires a slightly different procedure. For more configurations for common combinations of OS and Apache version, see the official Apache Wiki.
The general process when setting up Apache SSL manually includes the following steps:
- Generate certificate files
- Place certificate files on server
- Insert Apache SSL configuration
- Test Apache SSL functionality
Let’s look at each step in detail.
Generate Apache SSL certificate files
To obtain the SSL certificate files, a ‘Certificate Signing Request’ (CSR) is executed. The CSR process associates the domain name with identifying characteristics of the organisation and a cryptographic key. Depending on the certificate provider, the CSR is executed either via a web interface or from the command line. We’ll show an example of a certificate signing request via OpenSSL:
openssl req –new –newkey rsa:2048 –nodes –keyout <server-name>.key –out <server-name>.csr
When the command is executed, information is requested and a handful of files are created. Here’s an overview of the files created when the Certificate Signing Request (CSR) is executed, including file extensions:
File | Extension | Explanation |
Private key | .key | Used to generate CSR and later secure and verify connections using the certificate. |
CSR file | .csr | Required to order the SSL certificate. |
Intermediate SSL Certificate | .crt | Certificate that enables a certificate authority to issue additional certificates. |
Primary SSL certificate | .crt | SSL certificate issued for a specific domain and organisation. |
Place Apache SSL certificate files on server
To set up Apache SSL, the certificate files are placed on the server. Usually, there are two to three files:
- Private key
- Primary SSL certificate
- Intermediate SSL certificate, if applicable
Put these files in their own folder and make sure they are readable by the root user only. From the command line, use the following steps:
Create folder for certificate files:
mkdir -p /root/cert/
- Move certificate files to folder:
mv /path/to/cert-files/* /root/cert/
- Customise users and permissions to make folders and files readable only by root:
chown root:root /root/cert/
chown root:root /root/cert/*
chmod 400 /root/cert/*
chmod 500 /root/cert/
Protecting the certificate folder is not the same process as setting password protection for a directory with Apache. Make sure you know the difference!
Insert Apache SSL configuration
Once the certificate files are on the server, you can turn to the Apache SSL configuration. The heart of the Apache SSL configuration is a ‘Virtual Host’ block (VHost block). In most cases, a VHost block already exists for HTTP connections. If the server is to respond to both HTTPS and HTTP requests, both VHost blocks are required.
Edit Apache configuration file:
nano /usr/local/apache2/conf/httpd.conf
Identify the existing VHost block for HTTP.
The block you are looking for for HTTP contains port number 80:
<VirtualHost *:80>
DocumentRoot ‘/var/www/html’
ServerName your.domain.example.com
</VirtualHost>
Duplicate HTTP VHost block and adjust for HTTPS.
Now duplicate the HTTP VHost block, adjust the port to 443, and add the Apache SSL-specific settings:
<VirtualHost *:443>
DocumentRoot ‘/var/www/html’
ServerName your.domain.example.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Test Apache SSL functionality
A lot can go wrong when setting up the Apache SSL configuration. There are subtle differences in the settings depending on the deployment scenario and requirements. It is therefore necessary to test the Apache SSL functionality. The handy command line tool 'apachectl' is available for this purpose:
apachectl configtest
If this command does not work, try the alternative command 'apache2ctl':
apache2ctl configtest
If the test was successful, restart the Apache server:
apachectl restart
After the Apache server restarts with customised configuration, test the SSL connection. To do this, open the site in at least two different browsers. Last but not least, put the installed certificate to the test. For this purpose, you can use the free SSL check from IONOS.
Learn how to proceed with improving the performance of an Apache web server!