TLS certificate installation on an Apache server

The following instructions will show you how to create a public key on an Apache server using OpenSSL, which can be used on any server, and then install a newly issued certificate..

Generating a CSR on Apache (OpenSSL)

To generate a CSR request (public key) and private key, the OpenSSL tool is used.

In the first step, generate a key pair (private key and public key in CSR). Open the OpenSSL and use the following commands:

openssl genrsa –des3 –out www.mydomain.com.key 2048

Parameter -des3 ensures the use of a passphrase for the private key (encryption); if you do not use this parameter, the private key will be unprotected.

In the second step, generate the CSR request itself. You can also generate a CSR with a private key in the SSLmarket administration and save the private key for later installation..

openssl req –new –key www.mydomain.com.key –out www.mydomain.com.csr

On the Windows platform, if you see an error Unable to load config info from /usr/local/ssl/openssl.cnf, type command set OPENSSL_CONF=C:/.../openssl.cnf in the command prompt; this defines the location of the file.

After entering the order, you will be asked to specify the data for the CSR.

Common Name: Common Name is the complete name of the domain for which the certificate is to be issued.
Company / Organization: Enter the full name of the company as it appears in the Commercial Register, including the legal form.
Organizational Unit: This field is optional and is used to specify the organizational unit of the organization, such as the branch or department.
Locality / City: City name
State / Province: Left if blank
Country Name: State code - GB

Example of correctly filled information in the CSR

CN: www.sslmarket.co.uk
OU: Software
O: ZONER software
ST:
C: GB
L: London

Do not enter additional information such as e-mail address, password or optional company name in the CSR request. OpenSSL will create a file with the CSR extension, which you will insert into the certificate order at sslmarket.co.uk.

Installation of the issued certificate on the server

Creating files with keys

The issued TLS certificate is delivered by email. The certificate arrives in text form encoded in Base64 format. Save the certificate text to the server as a file public.crt.

Intermediate certificates

Get the right intermediate certificates and save them to one file intermediate.crt . Copy both new files to the /usr/local/ssl/crt/ folder.

Intermediate certificates are sent in the email with the certificate. You can find them on our site under Intermediate certificates as well.

Server configuration

To use the created keys, it is necessary to set up the server itself. Open and edit the Apache configuration file called httpd.conf (it's typically in /etc/httpd folder) and add the following 3 directives to the section :

SSLCertificateFile /usr/local/ssl/crt/public.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

Some versions of Apache do not support SSLCertificateChainFile, so use SSLCACertificateFile directive instead.

Save the file. Before restarting, you can test the correct configuration with the command apachectl configtest The final step is to restart the Apache webserver.


apachectl stop


apachectl startssl

Example of server configuration

Here is a typical example of a server configuration in an httpd.conf file. Listen 80 Listen 443 ServerName http://www.example.com SSLEngine on SSLCertificateFile /usr/local/ssl/install/openssl/certs/example.crt SSLCertificateKeyFile /usr/loca/ssl/install/openssl/certs/example.key SSLCACertificateFile /usr/loca/ssl/install/openssl/certs/intermediate.crt

Is everything alright? Check the certificate installation in our simple tool. For more information read the article Check installation of TLS certificate.

Are you lost?

Write us
info@sslmarket.co.uk
Contact form

Help