In this tutorial, you will learn how to install an SSL certificate on Linux running the Apache (httpd) web server.
The examples use Red Hat Enterprise Linux (RHEL) and its close relatives (Rocky Linux, AlmaLinux, CentOS, Fedora), where Apache is the httpd package and configuration lives under /etc/httpd/. The final section includes SSL buying recommendations for Red Hat Linux servers.
Generate the CSR on Linux
If you’ve already generated your CSR and received your certificate, skip ahead to the installation section.
A CSR (Certificate Signing Request) is a small block of encoded text containing information about your domain and, for business certificates, your organization. Generating a CSR is a required part of the SSL ordering process; every commercial Certificate Authority asks for one before it issues your certificate. You have two options:
- Generate the CSR automatically with our CSR Generator.
- Follow our step-by-step tutorial on how to generate a CSR on Red Hat Linux.
Submit the CSR to the Certificate Authority during checkout. Once the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Linux (Red Hat / Apache)
After validation, your Certificate Authority emails you a ZIP archive with the installation files. Download and extract it. You should have:
- yourdomain.crt, your primary SSL certificate (the leaf certificate).
- yourdomain.ca-bundle, the intermediate certificates, also called the CA bundle.
- yourdomain.key, the private key you generated together with the CSR.
If your CA sent the certificate as text rather than files, open the primary certificate, copy everything including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, and save it as yourdomain.crt. Do the same for the CA bundle. Follow the steps below to complete the installation.
Step 1: Install the SSL module (mod_ssl)
On Red Hat-based systems, HTTPS support comes from the mod_ssl package. Install it (on RHEL 8/9 and Fedora use dnf; on older releases use yum):
sudo dnf install mod_ssl
Installing the package also creates the default SSL configuration file at /etc/httpd/conf.d/ssl.conf, which is where you’ll add your certificate directives.
Step 2: Upload your certificate files to the server
Copy your files to the standard Red Hat certificate locations. Certificates go in /etc/pki/tls/certs/ and the private key goes in /etc/pki/tls/private/:
sudo cp yourdomain.crt /etc/pki/tls/certs/
sudo cp yourdomain.ca-bundle /etc/pki/tls/certs/
sudo cp yourdomain.key /etc/pki/tls/private/
Lock down the private key so only root can read it:
sudo chmod 600 /etc/pki/tls/private/yourdomain.key
On Apache 2.4.8 and newer, which covers every supported RHEL release, combine your certificate and the CA bundle into a single full-chain file (leaf certificate first, intermediates after). This single file is all the SSLCertificateFile directive needs:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain_fullchain.crt
sudo cp yourdomain_fullchain.crt /etc/pki/tls/certs/
Step 3: Configure the HTTPS VirtualHost
Open the SSL configuration file with a text editor:
sudo nano /etc/httpd/conf.d/ssl.conf
Inside the port 443 VirtualHost block, set up a complete, modern configuration like the one below. Adjust the paths and domain to match your files:
<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
# Apache 2.4.8+ : certificate + CA bundle in one full-chain file
SSLCertificateFile /etc/pki/tls/certs/yourdomain_fullchain.crt
SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.key
# Recommended TLS hardening (2026)
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
# Enable HSTS only after you confirm HTTPS works
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
- SSLCertificateFile: your full-chain file (certificate followed by the intermediates). On Apache 2.4.8+ this single directive replaces the deprecated SSLCertificateChainFile.
- SSLCertificateKeyFile: the private key you created with the CSR.
Legacy Apache (older than 2.4.8): if you are stuck on a very old server, keep the certificate and chain separate, point SSLCertificateFile at yourdomain.crt, and add SSLCertificateChainFile /etc/pki/tls/certs/yourdomain.ca-bundle, pointing to the CA bundle, not to your own certificate.
Step 4: Redirect HTTP to HTTPS
So visitors always reach the secure version of your site, add a port 80 VirtualHost (in your main site config, for example /etc/httpd/conf.d/yourdomain.conf) that redirects to HTTPS:
<VirtualHost *:80>
ServerName www.yourdomain.com
ServerAlias yourdomain.com
Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
Step 5: Test the configuration
Always test the syntax before reloading; a typo in the config can stop Apache from starting:
sudo apachectl configtest
You should see Syntax OK. If you get an error, revisit the previous steps before continuing.
Step 6: Reload Apache
Apply the changes by reloading the httpd service. A reload activates the new configuration without dropping existing connections:
sudo systemctl reload httpd
sudo systemctl start httpd
sudo systemctl enable httpd
One more thing: make sure the firewall allows HTTPS traffic on port 443:
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Congratulations. Your SSL certificate is now installed on your Red Hat Linux Apache server.
To confirm everything works and get an instant status report, run your domain through our SSL Checker. The scans flag any chain or configuration errors that could affect how browsers trust your certificate.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

