CertificateManager
Website Sign up free

Installing a Signed SSL Certificate in Apache

CertificateManager
Written by Certificate Manager
Last updated: 15 May 2026

Introduction

After receiving a signed SSL/TLS certificate from a Certificate Authority (CA), the next step is installing it correctly on your Apache web server. A proper installation ensures encrypted HTTPS communication, prevents browser warnings, and enables modern security standards.

This guide explains how to install a signed certificate on Apache HTTP Server for Linux environments commonly used by DevOps teams, system administrators, and IT operations engineers.

Problem

You have received:

  • A signed server certificate (yourdomain.crt)
  • An intermediate certificate bundle (ca-bundle.crt)
  • The private key generated during the CSR process (yourdomain.key)

But Apache is not yet configured to use them.

Common issues include:

  • HTTPS site not loading
  • Apache startup failures
  • Browser certificate warnings
  • Missing certificate chain errors
  • Incorrect virtual host configuration

Solution

Step 1 — Verify Required Files

Ensure you have the following files available:

yourdomain.crt
ca-bundle.crt
yourdomain.key

Typical locations:

/etc/ssl/certs/
/etc/pki/tls/certs/
/etc/apache2/ssl/

Recommended permissions:

chmod 600 yourdomain.key
chmod 644 yourdomain.crt
chmod 644 ca-bundle.crt

Step 2 — Copy Certificate Files

Move the certificate files to a secure directory.

Example:

sudo mkdir -p /etc/apache2/ssl
sudo cp yourdomain.crt /etc/apache2/ssl/
sudo cp ca-bundle.crt /etc/apache2/ssl/
sudo cp yourdomain.key /etc/apache2/ssl/

Step 3 — Enable SSL Module

On Debian/Ubuntu systems:

sudo a2enmod ssl

Restart Apache:

sudo systemctl restart apache2

On RHEL/CentOS/AlmaLinux/Rocky:

Verify mod_ssl is installed:

sudo dnf install mod_ssl

or

sudo yum install mod_ssl

Step 4 — Configure Apache Virtual Host

Edit your SSL virtual host configuration.

Typical locations:

Debian / Ubuntu

/etc/apache2/sites-available/default-ssl.conf

RHEL / CentOS

/etc/httpd/conf.d/ssl.conf

Example configuration:

<VirtualHost *:443>

    ServerName yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on

    SSLCertificateFile /etc/apache2/ssl/yourdomain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.key
    SSLCertificateChainFile /etc/apache2/ssl/ca-bundle.crt

    <Directory /var/www/html>
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/ssl-access.log combined

</VirtualHost>

Note: On newer Apache versions (2.4.8+), the intermediate chain may be included directly in the main certificate file instead of using SSLCertificateChainFile.

Combined example:

cat yourdomain.crt ca-bundle.crt > fullchain.crt

Then use:

SSLCertificateFile /etc/apache2/ssl/fullchain.crt

Step 5 — Enable the SSL Site

Debian/Ubuntu:

sudo a2ensite default-ssl
sudo systemctl reload apache2

RHEL/CentOS:

sudo systemctl restart httpd

Step 6 — Validate Apache Configuration

Before restarting Apache, always validate the configuration.

Debian/Ubuntu:

sudo apache2ctl configtest

RHEL/CentOS:

sudo httpd -t

Expected output:

Syntax OK

Step 7 — Restart Apache

Debian/Ubuntu:

sudo systemctl restart apache2

RHEL/CentOS:

sudo systemctl restart httpd

Step 8 — Verify the Certificate Installation

Test HTTPS connectivity locally:

openssl s_client -connect yourdomain.com:443

Check certificate details:

openssl x509 -in yourdomain.crt -text -noout

Validate the full certificate chain:

openssl verify -CAfile ca-bundle.crt yourdomain.crt

You can also verify externally using:

Troubleshooting

Apache Fails to Start

Check logs:

Debian/Ubuntu

sudo journalctl -u apache2

RHEL/CentOS

sudo journalctl -u httpd

Common causes:

  • Wrong certificate path
  • Incorrect permissions
  • Mismatched private key
  • Invalid certificate chain

Verify Private Key Matches Certificate

Compare moduli:

openssl rsa -noout -modulus -in yourdomain.key | openssl md5
openssl x509 -noout -modulus -in yourdomain.crt | openssl md5

The hashes must match.

Enable Strong TLS Settings

Example hardened configuration:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

Example Directory Structure

/etc/apache2/ssl/
├── yourdomain.crt
├── ca-bundle.crt
├── yourdomain.key
└── fullchain.crt

Screenshot Placeholders

[Screenshot Placeholder — Apache SSL VirtualHost configuration]

[Screenshot Placeholder — Successful apache2ctl configtest output]

[Screenshot Placeholder — Browser showing secure HTTPS connection]

Conclusion

Installing a signed SSL certificate on Apache requires:

    1. Correct certificate and key placement
    2. Proper SSL VirtualHost configuration
    3. Enabling Apache SSL modules
    4. Validating the certificate chain
    5. Restarting and testing Apache safely

A properly configured Apache HTTPS setup improves security, compliance, and reliability for public-facing services and internal applications.

Was this helpful?

Related articles

Installing a Signed SSL Certificate in Webmin

This guide explains how to install a signed SSL/TLS certificate in Webmin.

Categories