How to Install an SSL Certificate on Apache

In this guide, you will learn how to install an SSL certificate on Apache, step by step. The instructions apply to Apache 2.4, the current stable release line.

How to generate a CSR code on Apache?

The Certificate Signing Request, or simply CSR, is a small text file containing information about your domain ownership and/or company. Generating a CSR is an integral part of the SSL buying process, and all commercial Certificate Authorities require SSL applicants to complete this step.

You have two options:

Install an SSL certificate on Apache

After the Certificate Authority signs and sends you the SSL certificate, you can safely install it on your Apache server. Follow the steps below.

Step 1: Prepare your certificate files

Download and extract the files from the ZIP folder you received from your Certificate Authority. You will typically find:

  • The .crt file – your primary SSL certificate.
  • The .ca-bundle file – the intermediate (and root) certificates that form the chain of trust. This chain is required so that browsers and applications can verify your certificate. Without it, some clients may flag your site as not secure.

Upload these files, together with the private key (.key) you generated alongside your CSR, to a secure directory on your server, for example /etc/ssl/. Keep the private key readable only by root (chmod 600).

Recommended (Apache 2.4.8 and newer): combine your certificate and the CA bundle into a single “full chain” file. Since Apache 2.4.8, the SSLCertificateFile directive loads the intermediate certificates directly from this file, which is why the old SSLCertificateChainFile directive is no longer needed:

cat your_domain.crt your_domain.ca-bundle > your_domain_fullchain.crt

If your CA delivered the intermediate certificates as separate files, concatenate them with your certificate first, followed by the intermediates ordered from the one that signed your certificate up to the root (the root certificate itself is optional):

cat your_domain.crt intermediate.crt root.crt > your_domain_fullchain.crt

For example, when installing a Sectigo PositiveSSL certificate, you would concatenate your domain certificate with the Sectigo intermediate bundle. Always use the exact file names provided by your CA.
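A pre-install check for the files prepared in Step 1, as an added example that is not part of the original guide: it confirms that the private key belongs to the leaf certificate and that the full-chain file is ordered leaf first. The function names and the script name are hypothetical; it assumes the openssl command-line tool, PEM files and an unencrypted private key.

```shell
#!/bin/sh
# Added example (not from the original page): check the Step 1 files before
# pointing Apache at them. Assumes an unencrypted private key and PEM files.

# key_matches_cert KEY CERT: succeeds when KEY is the private key of the first
# certificate in CERT (the leaf in a full-chain file). Works for RSA and EC.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# chain_in_order FULLCHAIN: succeeds when every certificate's issuer name equals
# the subject name of the certificate after it (leaf first, root last).
# Compares names only; it does not verify signatures or expiry.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/" n ".pem") }' "$1"
    i=1; ret=0
    [ -f "$tmp/1.pem" ] || ret=2
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
        sub=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || ret=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $ret
}

# Usage: sh check_tls_files.sh your_domain.key your_domain_fullchain.crt
if [ $# -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
    chain_in_order "$2" && echo "chain order OK" || echo "CHAIN OUT OF ORDER"
fi
```
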

Step 2: Enable the SSL module (mod_ssl)

Before configuring HTTPS, make sure Apache’s SSL module is enabled.

On Debian/Ubuntu, enable mod_ssl (and mod_headers, which you will need for the HSTS header in Step 4):

sudo a2enmod ssl
sudo a2enmod headers

On RHEL/CentOS/AlmaLinux/Rocky Linux, install the SSL module package (the module loads automatically once installed):

sudo dnf install mod_ssl

Step 3: Locate the Apache configuration file

Depending on your operating system and Apache version, the configuration may live in different files. Look for httpd.conf, apache2.conf, or a dedicated SSL/site configuration file, in one of the following locations:

  • Debian/Ubuntu: main config /etc/apache2/apache2.conf; per-site configs in /etc/apache2/sites-available/.
  • RHEL/CentOS/AlmaLinux/Rocky: main config /etc/httpd/conf/httpd.conf; SSL config /etc/httpd/conf.d/ssl.conf.

Note: If your Apache server is running on Ubuntu, you can also follow our dedicated SSL installation instructions for Ubuntu.

Step 4: Configure the virtual host

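First, back up your current configuration file so that you can quickly revert if something goes wrong. The command below uses the RHEL-family path from Step 3; on Debian/Ubuntu, copy your site file in /etc/apache2/sites-available/ instead: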

sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup

Now open the configuration file and set up the HTTPS (port 443) virtual host. A complete, modern virtual host looks like this:

<VirtualHost *:443>
    ServerName  www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/example

    SSLEngine on

    # Apache 2.4.8+ : server certificate + intermediate chain in ONE file
    SSLCertificateFile    /etc/ssl/example_com_fullchain.crt
    SSLCertificateKeyFile /etc/ssl/example_com.key

    # Recommended TLS hardening (2026)
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder off

    # Tell browsers to always use HTTPS (enable only after HTTPS works)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ErrorLog  ${APACHE_LOG_DIR}/example_error.log
    CustomLog ${APACHE_LOG_DIR}/example_access.log combined
</VirtualHost>

Replace example.com, the document root, and the file paths with your own values. Here is what the key directives do:

  • SSLEngine on – enables SSL/TLS for this virtual host.
  • SSLCertificateFile – path to your full-chain file (certificate + intermediates) created in Step 1. On Apache 2.4.8+ this single directive replaces the deprecated SSLCertificateChainFile.
  • SSLCertificateKeyFile – path to your private key, generated together with the CSR.
  • SSLProtocol -all +TLSv1.2 +TLSv1.3 – disables the old, insecure SSL/TLS protocols and allows only TLS 1.2 and TLS 1.3.
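  • Strict-Transport-Security (HSTS) – instructs browsers to connect over HTTPS only. Requires mod_headers (enabled in Step 2). Turn it on only after you have confirmed HTTPS works correctly. Because the example value contains includeSubDomains, the policy also applies to every subdomain, so make sure they all serve HTTPS before enabling it.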

Make sure none of these lines start with a # (which would comment them out). On Debian/Ubuntu, ${APACHE_LOG_DIR} resolves to /var/log/apache2; on RHEL-based systems use /var/log/httpd/ instead.
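A small lint for the checks above, as an added example that is not part of the original guide: it reports commented-out or missing TLS directives, the deprecated chain directive, and any SSLProtocol value other than the form recommended here. The function names and the sample file are hypothetical; it expects one virtual host per file and is stricter than Apache itself, so other valid SSLProtocol spellings are flagged too.

```shell
#!/bin/sh
# Added example (not from the original page): lint one Apache TLS vhost file
# against the form this guide recommends. Expects a single vhost per file.

# Print the arguments of each active (uncommented) use of directive $2 in file $1.
active() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ /, ""); print }' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }

# lint_vhost FILE: prints findings; returns 0 only when no FAIL was raised.
lint_vhost() {
    conf=$1; rc=0
    [ "$(active "$conf" SSLEngine | tr 'A-Z' 'a-z')" = on ] ||
        fail "SSLEngine on is missing or commented out"
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(active "$conf" "$d")" ] || fail "$d is missing or commented out"
    done
    [ -z "$(active "$conf" SSLCertificateChainFile)" ] ||
        fail "SSLCertificateChainFile is deprecated since 2.4.8; use a full-chain file"
    proto=$(active "$conf" SSLProtocol | tr 'A-Z' 'a-z')
    case " $proto " in
        *" -all "*) ;;
        *) fail "SSLProtocol is missing or does not start from -all" ;;
    esac
    for tok in $proto; do
        case $tok in
            -all|+tlsv1.2|+tlsv1.3) ;;
            *) fail "SSLProtocol token $tok is outside -all +TLSv1.2 +TLSv1.3" ;;
        esac
    done
    active "$conf" Header | grep -qi 'Strict-Transport-Security' ||
        echo "WARN: no HSTS header (add it once HTTPS is confirmed working)"
    return $rc
}

# Constructed sample: key directive commented out, TLS 1.0 re-enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/example_com_fullchain.crt
    # SSLCertificateKeyFile /etc/ssl/example_com.key
    SSLProtocol -all +TLSv1 +TLSv1.2 +TLSv1.3
</VirtualHost>
EOF
lint_vhost "$sample" || echo "sample vhost needs fixing"
rm -f "$sample"
```
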

Legacy servers: If you are stuck on an Apache version older than 2.4.8, keep the certificate and the chain in separate files and add the deprecated SSLCertificateChainFile /etc/ssl/example_com.ca-bundle directive below SSLCertificateFile. On any modern server, the full-chain approach above is preferred.

Advanced hardening (optional): for a stronger cipher suite and OCSP stapling, generate a tailored configuration with the Mozilla SSL Configuration Generator. OCSP stapling also requires an SSLStaplingCache directive in your global Apache configuration.

Step 5: Redirect HTTP to HTTPS

To make sure visitors always reach the secure version of your site, add a second virtual host on port 80 that permanently redirects all HTTP traffic to HTTPS:

<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

Step 6: Test your configuration and restart Apache

Always test your configuration before restarting. A syntax error can take your site offline, so run:

sudo apachectl configtest

If everything is correct, you will see:

Syntax OK

Now apply the changes by reloading Apache (a reload activates the new configuration without dropping existing connections):

sudo systemctl reload apache2     # Debian/Ubuntu
sudo systemctl reload httpd       # RHEL/CentOS/AlmaLinux/Rocky

If a reload is not enough, restart the service instead (sudo systemctl restart apache2 or httpd). On older systems without systemd, use sudo apachectl graceful.

If the installation was successful, congratulations! Your website is now secured with SSL/TLS.

Test your SSL installation

After installing your SSL certificate on Apache, verify that everything works as expected. An instant scan will reveal any errors or vulnerabilities that could affect your certificate’s performance. Use our SSL Checker tool to check the status of your installation.

You can also confirm the certificate and its chain directly from the command line:

openssl s_client -connect www.example.com:443 -servername www.example.com

Where to buy an SSL certificate for Apache?

The best place to get an SSL certificate for Apache is from SSL Dragon. We offer unbeatable prices and discounts across our entire range of SSL products, and we have carefully selected the best SSL brands on the market to equip your website with bulletproof protection. All our SSL certificates are compatible with Apache. Get an SSL certificate now!

Keep in mind that SSL/TLS certificate lifespans are shrinking: the maximum validity drops to 200 days in March 2026, 100 days in 2027, and just 47 days by 2029. Shorter lifecycles mean more frequent renewals, so it is worth planning your renewal process (and automation) in advance.

Frequently Asked Questions

What is SSL in Apache?

SSL (Secure Sockets Layer), now succeeded by TLS (Transport Layer Security), is a cryptographic protocol that encrypts communication between two network endpoints, for instance a web server such as Apache and a user’s browser.

How do I know if Apache SSL is enabled?

On Debian and Ubuntu distributions, search the configuration for the SSL protocol directive:

grep -ir SSLProtocol /etc/apache2/

If SSL is configured, you will see output similar to:

/etc/apache2/mods-available/ssl.conf:SSLProtocol +TLSv1.2 +TLSv1.3

You can also confirm that the SSL module is loaded into the running server:

apachectl -M | grep ssl

Where is the SSL .conf file in Apache?

The configuration file may reside in different locations depending on your OS and setup. On Debian/Ubuntu, check /etc/apache2/apache2.conf and the per-site files in /etc/apache2/sites-available/. On RHEL/CentOS/AlmaLinux/Rocky, check /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf.

What is the difference between SSLCertificateFile and SSLCertificateChainFile?

SSLCertificateFile points to your server certificate. Since Apache 2.4.8, the same file can also hold the intermediate certificates, so it serves the complete chain. SSLCertificateChainFile was the old way to supply those intermediates separately, but it has been deprecated since Apache 2.4.8. On any modern server, place the certificate and intermediates in one file and reference it with SSLCertificateFile only.

Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.