In this tutorial, you will learn how to install an SSL certificate on Ubuntu with Apache.
We also recorded a video that walks you through the entire process. If you prefer the text version, keep reading below.
Generate a CSR code
We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a request sent to a Certificate Authority to apply for a digital certificate. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR in Ubuntu.
Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Ubuntu Server
Step 1: Upload your certificate files
After validation, the Certificate Authority emails you the certificate files. Extract the archive. You should have:
- yourdomain.crt, your primary SSL certificate.
- yourdomain.ca-bundle, the intermediate certificates (the CA bundle).
- yourdomain.key, the private key you generated with the CSR.
Upload the certificate and CA bundle to /etc/ssl/ and the private key to /etc/ssl/private/ (keep the key readable only by root). On Apache 2.4.8 and newer (which includes every supported Ubuntu release), combine the certificate and CA bundle into one full-chain file:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain_fullchain.crtStep 2: Enable the SSL module and find your site config
Enable Apache’s SSL module (and the headers module, used for HSTS in Step 3):
sudo a2enmod ssl
sudo a2enmod headersYour site’s configuration file lives in /etc/apache2/sites-available/ (typically yourdomain.conf). Edit the file there. The files in sites-enabled/ are just symlinks. If the site is not enabled yet, enable it with:
sudo a2ensite yourdomain.confNote: serve HTTP (port 80) and HTTPS (port 443) from separate VirtualHost blocks. The HTTPS one is where the SSL directives go.
Step 3: Configure the HTTPS VirtualHost
Set up the port 443 VirtualHost. A complete, modern block looks like this; adjust the paths to match your files:
<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/yourdomain
SSLEngine on
# Apache 2.4.8+ : certificate + CA bundle in one full-chain file
SSLCertificateFile /etc/ssl/yourdomain_fullchain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
# Recommended TLS hardening (2026)
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
# Enable HSTS only after you confirm HTTPS works
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>- SSLCertificateFile: your full-chain file (certificate + intermediates). On Apache 2.4.8+ this replaces the deprecated SSLCertificateChainFile.
- SSLCertificateKeyFile: the private key you created with the CSR.
Legacy Apache (older than 2.4.8): keep the certificate and chain separate and add SSLCertificateChainFile /etc/ssl/yourdomain.ca-bundle, pointing to the CA bundle, not to your certificate file.
Step 4: Redirect HTTP to HTTPS
So visitors always reach the secure version, add a port 80 VirtualHost that redirects to HTTPS:
<VirtualHost *:80>
ServerName www.yourdomain.com
Redirect permanent / https://www.yourdomain.com/
</VirtualHost>Step 5: Test the configuration
Always test before reloading; a syntax error can take the site offline:
sudo apache2ctl configtestYou should see Syntax OK. If you get an error, revisit the previous steps before continuing.
Step 6: Reload Apache
Apply the changes by reloading Apache (a reload activates the new config without dropping connections):
sudo systemctl reload apache2Congratulations, your SSL certificate is now installed on your Ubuntu server. To verify the result and get an instant status report, use our SSL Checker.
Where to Buy an SSL Certificate for Ubuntu Server?
SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with Ubuntu servers.
Frequently Asked Questions
Connect to your site with OpenSSL and read the certificate it serves:echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If a certificate is installed, this prints its issuer and validity dates. You can also list Apache’s active virtual hosts with sudo apache2ctl -S, or simply open your site in a browser and check the padlock.
By convention, certificates go in /etc/ssl/certs/ (or /etc/ssl/) and private keys in /etc/ssl/private/. These are defaults; you can use other locations as long as your VirtualHost points to them.
Site configuration files live in /etc/apache2/sites-available/ (for example yourdomain.conf), and enabled sites are symlinked into /etc/apache2/sites-enabled/. Enable a site with sudo a2ensite yourdomain.conf.
On Apache 2.4.8 and later (all supported Ubuntu releases), yes: concatenate your certificate and CA bundle into one file and point SSLCertificateFile at it. The separate SSLCertificateChainFile directive is deprecated and only needed on older Apache versions.
Bottom line
Installing an SSL certificate on Ubuntu with Apache comes down to uploading your files, enabling mod_ssl, configuring the HTTPS VirtualHost with your full-chain certificate, testing with sudo apache2ctl configtest, and reloading Apache. Need a certificate first? Browse our SSL certificates.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
