bg-tutorials

How to Install an SSL Certificate on a Debian Server

Last updated on by Dionisie Gitlan

This guide explains how to install an SSL certificate on a Debian server with Apache.

How to generate CSR for a Debian server?

Before installation, your first task is to generate a CSR (Certificate Signing Request) code. This is the standard procedure when applying for an SSL Certificate. The CSR contains relevant details about your domain and organization which the Certificate Authority must verify before issuing you the certificate.

You have two options:

  1. Generate the CSR automatically using our CSR Generator.
  2. Follow our step-by-step tutorial on how to create the CSR on Debian.

Copy the entire CSR content and submit it to the Certificate Authority during your order. Depending on the validation type, you should receive your SSL certificate within minutes or, for higher-validation certificates, in a few days. Once the CA issues it, continue with the installation below.

Step 1: Upload your certificate and private key to the server

Place the files in the Debian-standard locations. Keep the private key in /etc/ssl/private/ with strict permissions, and combine the certificate and intermediate(s) into a single full-chain file in /etc/ssl/certs/:

# Private key (set strict permissions)
sudo install -m 600 yourdomain.key /etc/ssl/private/yourdomain.key

# Concatenate the server certificate + intermediate(s) into one full-chain file
cat yourdomain.crt intermediate1.crt intermediate2.crt | sudo tee /etc/ssl/certs/yourdomain-fullchain.pem >/dev/null

On Apache 2.4.8 and newer, this single full-chain file is all you need for SSLCertificateFile. The old SSLCertificateChainFile directive is deprecated and no longer required.

Step 2: Enable the SSL module

Enable Apache’s SSL module (and the headers module, used for HSTS in Step 3):

sudo a2enmod ssl
sudo a2enmod headers

Step 3: Create your HTTPS VirtualHost

Create a new site configuration file in /etc/apache2/sites-available/:

sudo nano /etc/apache2/sites-available/yourdomain-ssl.conf

Paste the following port 443 VirtualHost and adjust the paths and domain names to match your setup:

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    DocumentRoot /var/www/yourdomain

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/yourdomain-fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.key

    # Recommended TLS hardening (2026)
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder off

    # Enable HSTS only after you confirm HTTPS works
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Optional: enable HTTP/2
    # Protocols h2 http/1.1

    <Directory /var/www/yourdomain>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog  ${APACHE_LOG_DIR}/yourdomain-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/yourdomain-ssl-access.log combined
</VirtualHost>
  • SSLCertificateFile, your full-chain file (certificate + intermediates). On Apache 2.4.8+ this replaces the deprecated SSLCertificateChainFile.
  • SSLCertificateKeyFile, the private key you created with the CSR.

Step 4: Force a redirect from HTTP to HTTPS

So visitors always reach the secure version, create a separate port 80 VirtualHost that redirects all HTTP traffic to HTTPS:

sudo nano /etc/apache2/sites-available/yourdomain-redirect.conf

Then paste the following:

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>

Step 5: Enable your site configurations

Enable the new HTTPS site (and the redirect, if you created it). The files in sites-enabled/ are just symlinks to sites-available/:

sudo a2ensite yourdomain-ssl

# If you created the redirect
sudo a2ensite yourdomain-redirect

Step 6: Test the configuration

Always test the configuration before reloading, because a syntax error can take the site offline:

sudo apache2ctl configtest

You should see Syntax OK. If you get an error, revisit the previous steps before continuing.

Step 7: Reload the Apache server

Apply the changes by reloading Apache. A reload activates the new configuration without dropping existing connections:

sudo systemctl reload apache2

You’ve successfully configured your SSL certificate on your Debian server. You can always check the state of your SSL installation with our SSL Checker.

Where to buy an SSL Certificate for a Debian server?

The best place to buy an SSL certificate for Debian is from SSL Dragon. We offer competitive prices, regular discounts, and great deals across the entire range of our SSL products. We’ve carefully selected the best SSL brands on the market to give your website strong encryption. All our SSL certificates are compatible with Debian.

Get an SSL certificate now

Frequently Asked Questions

Where are SSL certificates stored in Debian?

By convention, certificates go in /etc/ssl/certs/ and private keys in /etc/ssl/private/ (keep the key readable only by root). These are defaults; you can use other locations as long as your VirtualHost points to them.

How do I know if an SSL certificate is installed on Debian?

Connect to your site with OpenSSL and read the certificate it serves:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If a certificate is installed, this prints its issuer and validity dates. You can also list Apache’s active virtual hosts with sudo apache2ctl -S, or simply open your site in a browser and check the padlock.

Where is the Apache site config located on Debian?

Site configuration files live in /etc/apache2/sites-available/ (for example yourdomain-ssl.conf), and enabled sites are symlinked into /etc/apache2/sites-enabled/. Enable a site with sudo a2ensite yourdomain-ssl.

Do I need an SSL certificate on Debian?

Yes. Without an SSL certificate, browsers flag your site as “Not secure” and traffic between your users and your server is unencrypted. An SSL certificate encrypts that connection and is effectively mandatory for any production website.

Bottom line

Installing an SSL certificate on Debian with Apache comes down to uploading your files, enabling mod_ssl, configuring the HTTPS VirtualHost with your full-chain certificate, adding an HTTP→HTTPS redirect, testing with sudo apache2ctl configtest, and reloading Apache. Need a certificate first? Browse our SSL certificates.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Order Now
A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.

How to Install SSL
A Linux logo icon
Linux Platforms
Tutorials