How to configure Apache SSL step by step

Setting up Apache SSL configures the popular web server to use HTTPS. HTTPS encrypts the connection between the user’s browser and the web server. To set it up, manual steps may be taken on the server depending on the hosting environment. We show how to proceed in this process.

Requirements to use Apache SSL

To establish SSL-encrypted connections with the Apache web server, a valid SSL certificate is required first. SSL certificates are usually provided free of charge via ‘Let’s Encrypt’ and configured automatically in affordable hosting plans. There are many other ways to obtain an SSL certificate, too. For professional applications, it is worthwhile setting up a specially issued SSL certificate. This signals to site visitors that they are actually communicating with the desired organisation. This fosters additional trust in your site.

Tip

Buy an SSL certificate from IONOS – it’ll provide affordable encryption for your website.

In essence, an SSL certificate is issued for a specific domain. This is a purely technical verification criterion. Beyond that, more stringent validation levels exist, up to and including verification of the organisational identity by a human. Let’s take a look at the different validation levels at a glance:

Validation Explanation Use
Domain Validation (DV) Ensures that communication is encrypted and only with the specified domain. Doesn’t reveal who owns the domain. Leads to warning message in browser in case of phishing attempt or man-in-the-middle attack.
Organisation Validation (OV) Like DV; additionally checks that the domain belongs to the specified organisation. Considered a minimum requirement for online commerce.
Extended Validation (EV) Like OV; additional human verification of the organisation’s identity. Used by large organisations such as banks, as well as government and official organisations.

In addition to SSL certificates for individual domains, there are wildcard certificates. These apply to all subdomains below a specified domain. So, the certificate *.example.com is valid for the domains www.example.com, dev.example.com, store.example.com, blog.example.com etc. Wildcard certificates are practical for running a live and staging site and store or blog in parallel on one server.

If you already have a valid SSL certificate, you still need SSH access to the web server and ‘sudo’ or ‘root’ access to set up Apache SSL.

Tip

Learn to set up an Apache webserver yourself!

How to set up an Apache SSL certificate

The specific procedure for setting up Apache SSL depends on the operating system (OS) and Apache version used. Here’s the process for the ‘Apache httpd 2.4 default layout’. The Apache2 environment on Ubuntu requires a slightly different procedure. For more configurations for common combinations of OS and Apache version, see the official Apache Wiki.

The general process when setting up Apache SSL manually includes the following steps:

  1. Generate certificate files
  2. Place certificate files on server
  3. Insert Apache SSL configuration
  4. Test Apache SSL functionality

Let’s look at each step in detail.

Generate Apache SSL certificate files

To obtain the SSL certificate files, a ‘Certificate Signing Request’ (CSR) is executed. The CSR process associates the domain name with identifying characteristics of the organisation and a cryptographic key. Depending on the certificate provider, the CSR is executed either via a web interface or from the command line. We’ll show an example of a certificate signing request via OpenSSL:

openssl req –new –newkey rsa:2048 –nodes –keyout <server-name>.key –out <server-name>.csr

When the command is executed, information is requested and a handful of files are created. Here’s an overview of the files created when the Certificate Signing Request (CSR) is executed, including file extensions:

File Extension Explanation
Private key .key Used to generate CSR and later secure and verify connections using the certificate.
CSR file .csr Required to order the SSL certificate.
Intermediate SSL Certificate .crt Certificate that enables a certificate authority to issue additional certificates.
Primary SSL certificate .crt SSL certificate issued for a specific domain and organisation.

Place Apache SSL certificate files on server

To set up Apache SSL, the certificate files are placed on the server. Usually, there are two to three files:

  1. Private key
  2. Primary SSL certificate
  3. Intermediate SSL certificate, if applicable

Put these files in their own folder and make sure they are readable by the root user only. From the command line, use the following steps:

Create folder for certificate files:

mkdir -p /root/cert/
  1. Move certificate files to folder:
mv /path/to/cert-files/* /root/cert/
  1. Customise users and permissions to make folders and files readable only by root:
chown root:root /root/cert/
chown root:root /root/cert/*
chmod 400 /root/cert/*
chmod 500 /root/cert/
Note

Protecting the certificate folder is not the same process as setting password protection for a directory with Apache. Make sure you know the difference!

Insert Apache SSL configuration

Once the certificate files are on the server, you can turn to the Apache SSL configuration. The heart of the Apache SSL configuration is a ‘Virtual Host’ block (VHost block). In most cases, a VHost block already exists for HTTP connections. If the server is to respond to both HTTPS and HTTP requests, both VHost blocks are required.

Edit Apache configuration file:

nano /usr/local/apache2/conf/httpd.conf

Identify the existing VHost block for HTTP.

The block you are looking for for HTTP contains port number 80:

<VirtualHost *:80>
    DocumentRoot ‘/var/www/html’
    ServerName your.domain.example.com
</VirtualHost>

Duplicate HTTP VHost block and adjust for HTTPS.

Now duplicate the HTTP VHost block, adjust the port to 443, and add the Apache SSL-specific settings:

<VirtualHost *:443>
    DocumentRoot ‘/var/www/html’
    ServerName your.domain.example.com
        SSLEngine on
        SSLCertificateFile /path/to/your_domain_name.crt
        SSLCertificateKeyFile /path/to/your_private.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Subsequently, save the changes to the Apache configuration file.

Test Apache SSL functionality

A lot can go wrong when setting up the Apache SSL configuration. There are subtle differences in the settings depending on the deployment scenario and requirements. It is therefore necessary to test the Apache SSL functionality. The handy command line tool 'apachectl' is available for this purpose:

apachectl configtest

If this command does not work, try the alternative command 'apache2ctl':

apache2ctl configtest

If the test was successful, restart the Apache server:

apachectl restart

After the Apache server restarts with customised configuration, test the SSL connection. To do this, open the site in at least two different browsers. Last but not least, put the installed certificate to the test. For this purpose, you can use the free SSL check from IONOS.

Tip
Was this article helpful?
Page top