bg-tutorials

How to Install an SSL Certificate on CentOS

In this guide, you’ll learn how to install an SSL certificate on CentOS and its RHEL-family successors (AlmaLinux, Rocky Linux, and CentOS Stream) using the Apache httpd web server.

We also recorded a video that walks you through the entire process. If you prefer the text version, keep reading below.


Generate a CSR code

When applying for an SSL certificate, you first generate a CSR (Certificate Signing Request) and send it to the Certificate Authority. The CSR is a block of text that contains your contact and domain details, and it pairs with a private key created at the same time. You have two options:

Submit the CSR to the Certificate Authority during checkout. Once the CA validates it and issues your certificate, continue with the installation below.

Install an SSL certificate on CentOS / RHEL (Apache)

Heads-up on versions: CentOS Linux 8 reached End of Life on December 31, 2021, and CentOS Linux 7 reached EOL on June 30, 2024. For production, run a supported RHEL-family distribution instead: RHEL 8/9/10, AlmaLinux, Rocky Linux, or CentOS Stream. They all share the same Apache httpd layout, so the steps below apply to every one of them.

Before you start

After validation, your Certificate Authority emails you the certificate files. Make sure you have these three separate files ready:

  • yourdomain.crt, your primary SSL certificate.
  • yourdomain.ca-bundle, the intermediate certificates (the CA bundle).
  • yourdomain.key, the private key you generated with the CSR.

Important: never bundle the private key into the certificate chain. The key stays in its own file, readable only by root.

Step 1: Install TLS support (mod_ssl)

Install mod_ssl, which adds TLS support to Apache and drops a default TLS config at /etc/httpd/conf.d/ssl.conf:

sudo dnf install -y mod_ssl

On older systems that still use the yum package manager, run sudo yum install -y mod_ssl instead.

Step 2: Place your SSL files

Copy the private key into /etc/pki/tls/private/ and lock down its permissions so only root can read it:

sudo cp yourdomain.key /etc/pki/tls/private/
sudo chown root:root /etc/pki/tls/private/yourdomain.key
sudo chmod 600 /etc/pki/tls/private/yourdomain.key

Next, build the full-chain file by concatenating your certificate and the CA bundle, and place it in /etc/pki/tls/certs/:

cat yourdomain.crt yourdomain.ca-bundle \
  | sudo tee /etc/pki/tls/certs/yourdomain-fullchain.crt > /dev/null

The full-chain file must contain only the public certificate and the intermediate chain, never the private key.

Step 3: Configure the Apache TLS virtual host

You can either edit the default /etc/httpd/conf.d/ssl.conf that mod_ssl created, or (cleaner) create a dedicated file for your site, for example /etc/httpd/conf.d/yourdomain.conf. Open it with a text editor:

sudo nano /etc/httpd/conf.d/yourdomain.conf

Add a port 80 virtual host that redirects all traffic to HTTPS, followed by the secure port 443 virtual host that holds your SSL directives:

<VirtualHost *:80>
  ServerName yourdomain.com
  ServerAlias www.yourdomain.com
  Redirect permanent / https://yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName yourdomain.com
  ServerAlias www.yourdomain.com
  DocumentRoot /var/www/yourdomain.com

  SSLEngine on
  SSLCertificateFile    /etc/pki/tls/certs/yourdomain-fullchain.crt
  SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.key
</VirtualHost>
  • SSLCertificateFile, your full-chain file (certificate + intermediates). On Apache 2.4.8 and newer, this single directive replaces the deprecated SSLCertificateChainFile.
  • SSLCertificateKeyFile, the private key you created with the CSR.

Note on the default host: mod_ssl’s /etc/httpd/conf.d/ssl.conf ships its own <VirtualHost _default_:443> with a self-signed certificate. When you add a per-site *:443 host as above, requests that match your ServerName use your certificate, but unmatched HTTPS requests (for example, hitting the server by its IP address) still fall back to that default self-signed host. If you don’t want that fallback, comment out the <VirtualHost _default_:443> block in ssl.conf or point it at your own certificate.

Note on TLS hardening: Apache on RHEL 8 and newer follows the system-wide crypto policy, which already disables obsolete protocols. To set the policy across the whole server, run sudo update-crypto-policies --set DEFAULT (or FUTURE for stricter settings). If you prefer to pin protocols per virtual host instead, add SSLProtocol -all +TLSv1.2 +TLSv1.3 inside the port 443 block.

Step 4: Test your Apache configuration

Always check the syntax before reloading, because a single typo can take the site offline:

sudo apachectl configtest

You should see Syntax OK. (The command sudo httpd -t does the same thing.) Fix any reported errors before continuing.

Step 5: Restart Apache

Apply the changes by reloading the httpd service (a reload activates the new config without dropping live connections):

sudo systemctl reload httpd

If httpd was not running yet, start it with sudo systemctl enable --now httpd. Your website should now be live over HTTPS. To verify the result and get an instant status report, use our SSL Checker.

Notes for older CentOS (7 and earlier)

CentOS Linux 7, 6, and 8 are all past End of Life and no longer receive security updates, so migrate to a supported RHEL-family distribution when you can. If you must work on a legacy server, the process is the same as above, with two differences:

  • Package manager: CentOS 7 and 6 use yum instead of dnf. Check whether mod_ssl is already installed with rpm -qa | grep mod_ssl, and if not, install it with sudo yum install -y mod_ssl.
  • Apache older than 2.4.8: only very old builds predate 2.4.8. There, keep the certificate and the chain in separate files and add a third directive, SSLCertificateChainFile, pointing at the CA bundle (not at your certificate):
SSLCertificateFile      /etc/pki/tls/certs/yourdomain.crt
SSLCertificateKeyFile   /etc/pki/tls/private/yourdomain.key
SSLCertificateChainFile /etc/pki/tls/certs/yourdomain.ca-bundle

On Apache 2.4.8 and newer (which covers every currently supported release), use the simpler single full-chain SSLCertificateFile shown in Step 3 instead.

Where to buy an SSL certificate for CentOS?

The best place to buy an SSL certificate for your CentOS server is a reputable SSL reseller such as SSL Dragon. Our prices are among the lowest on the market, and we offer regular discounts and great deals across our entire range of SSL products, backed by stellar customer support. All our certificates are compatible with CentOS and its RHEL-family successors.

SSL Dragon takes care of your sensitive data security, so your website or business can thrive online.

Frequently Asked Questions

How do I know if an SSL certificate is installed on CentOS?

Connect to your site with OpenSSL and read the certificate it serves:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If a certificate is installed, this prints its issuer and validity dates. To inspect a certificate file on disk instead, run openssl x509 -text -noout -in certificate.crt. You can also list Apache’s active virtual hosts with sudo apachectl -S, or open your site in a browser and check the padlock.

Where are SSL certificates stored in CentOS?

By convention, certificates go in /etc/pki/tls/certs/ and private keys in /etc/pki/tls/private/. These are the RHEL-family defaults; you can use other locations as long as your virtual host points to them.

Where is the Apache SSL config located on CentOS?

The TLS module installs its defaults at /etc/httpd/conf.d/ssl.conf, and the main Apache config is /etc/httpd/conf/httpd.conf. You can add your virtual hosts to ssl.conf, but it’s cleaner to create a per-site file such as /etc/httpd/conf.d/yourdomain.conf. Any .conf file in /etc/httpd/conf.d/ is loaded automatically. Apache logs live in /var/log/httpd/.

Do I need to merge the certificate and CA bundle on CentOS?

On Apache 2.4.8 and later (every currently supported RHEL-family release), yes: concatenate your certificate and CA bundle into one full-chain file and point SSLCertificateFile at it. The separate SSLCertificateChainFile directive is deprecated and only needed on Apache builds older than 2.4.8.

How do I install OpenSSL on CentOS?

OpenSSL ships pre-installed on CentOS and every other major Linux distribution, so you usually don’t need to install it. If it’s missing, add it with sudo dnf install -y openssl (or sudo yum install -y openssl on CentOS 7 and earlier). Learn more about OpenSSL and its command lines.

Bottom line

Installing an SSL certificate on CentOS or RHEL with Apache comes down to installing mod_ssl, placing your private key and full-chain certificate under /etc/pki/tls/, configuring the <VirtualHost *:443> block in /etc/httpd/conf.d/, testing with sudo apachectl configtest, and reloading with sudo systemctl reload httpd. Need a certificate first? Browse our SSL certificates.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.