bg-tutorials

How to Install an SSL Certificate in Linux

In this tutorial, you will learn how to install an SSL certificate on Linux running the Apache (httpd) web server.

The examples use Red Hat Enterprise Linux (RHEL) and its close relatives (Rocky Linux, AlmaLinux, CentOS, Fedora), where Apache is the httpd package and configuration lives under /etc/httpd/. The final section includes SSL buying recommendations for Red Hat Linux servers.

Generate the CSR on Linux

If you’ve already generated your CSR and received your certificate, skip ahead to the installation section.

A CSR (Certificate Signing Request) is a small block of encoded text containing information about your domain and, for business certificates, your organization. Generating a CSR is a required part of the SSL ordering process; every commercial Certificate Authority asks for one before it issues your certificate. You have two options:

Submit the CSR to the Certificate Authority during checkout. Once the CA validates it and issues your SSL certificate, continue with the installation below.

Install an SSL certificate on Linux (Red Hat / Apache)

After validation, your Certificate Authority emails you a ZIP archive with the installation files. Download and extract it. You should have:

  • yourdomain.crt, your primary SSL certificate (the leaf certificate).
  • yourdomain.ca-bundle, the intermediate certificates, also called the CA bundle.
  • yourdomain.key, the private key you generated together with the CSR.

If your CA sent the certificate as text rather than files, open the primary certificate, copy everything including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, and save it as yourdomain.crt. Do the same for the CA bundle. Follow the steps below to complete the installation.

Step 1: Install the SSL module (mod_ssl)

On Red Hat-based systems, HTTPS support comes from the mod_ssl package. Install it (on RHEL 8/9 and Fedora use dnf; on older releases use yum):

sudo dnf install mod_ssl

Installing the package also creates the default SSL configuration file at /etc/httpd/conf.d/ssl.conf, which is where you’ll add your certificate directives.

Step 2: Upload your certificate files to the server

Copy your files to the standard Red Hat certificate locations. Certificates go in /etc/pki/tls/certs/ and the private key goes in /etc/pki/tls/private/:

sudo cp yourdomain.crt /etc/pki/tls/certs/
sudo cp yourdomain.ca-bundle /etc/pki/tls/certs/
sudo cp yourdomain.key /etc/pki/tls/private/

Lock down the private key so only root can read it:

sudo chmod 600 /etc/pki/tls/private/yourdomain.key

On Apache 2.4.8 and newer, which covers every supported RHEL release, combine your certificate and the CA bundle into a single full-chain file (leaf certificate first, intermediates after). This single file is all the SSLCertificateFile directive needs:

cat yourdomain.crt yourdomain.ca-bundle > yourdomain_fullchain.crt
sudo cp yourdomain_fullchain.crt /etc/pki/tls/certs/

Step 3: Configure the HTTPS VirtualHost

Open the SSL configuration file with a text editor:

sudo nano /etc/httpd/conf.d/ssl.conf

Inside the port 443 VirtualHost block, set up a complete, modern configuration like the one below. Adjust the paths and domain to match your files:

<VirtualHost *:443>
    ServerName  www.yourdomain.com
    DocumentRoot /var/www/html

    SSLEngine on

    # Apache 2.4.8+ : certificate + CA bundle in one full-chain file
    SSLCertificateFile    /etc/pki/tls/certs/yourdomain_fullchain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.key

    # Recommended TLS hardening (2026)
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder off

    # Enable HSTS only after you confirm HTTPS works
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
  • SSLCertificateFile: your full-chain file (certificate followed by the intermediates). On Apache 2.4.8+ this single directive replaces the deprecated SSLCertificateChainFile.
  • SSLCertificateKeyFile: the private key you created with the CSR.

Legacy Apache (older than 2.4.8): if you are stuck on a very old server, keep the certificate and chain separate, point SSLCertificateFile at yourdomain.crt, and add SSLCertificateChainFile /etc/pki/tls/certs/yourdomain.ca-bundle, pointing to the CA bundle, not to your own certificate.

Step 4: Redirect HTTP to HTTPS

So visitors always reach the secure version of your site, add a port 80 VirtualHost (in your main site config, for example /etc/httpd/conf.d/yourdomain.conf) that redirects to HTTPS:

<VirtualHost *:80>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    Redirect permanent / https://www.yourdomain.com/
</VirtualHost>

Step 5: Test the configuration

Always test the syntax before reloading; a typo in the config can stop Apache from starting:

sudo apachectl configtest

You should see Syntax OK. If you get an error, revisit the previous steps before continuing.

Step 6: Reload Apache

Apply the changes by reloading the httpd service. A reload activates the new configuration without dropping existing connections:

sudo systemctl reload httpd
sudo systemctl start httpd
sudo systemctl enable httpd

One more thing: make sure the firewall allows HTTPS traffic on port 443:

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Congratulations. Your SSL certificate is now installed on your Red Hat Linux Apache server.

To confirm everything works and get an instant status report, run your domain through our SSL Checker. The scans flag any chain or configuration errors that could affect how browsers trust your certificate.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.