In this tutorial, you will learn how to install an SSL certificate on Linux running the Apache (httpd) web server. The examples use Red Hat Enterprise Linux (RHEL) and its close relatives (Rocky Linux, AlmaLinux, CentOS, Fedora), where Apache is the httpd package and configuration lives under /etc/httpd/. The final section includes SSL buying recommendations for Red Hat Linux servers.
Generate the CSR on Linux
If you’ve already generated your CSR and received your certificate, skip ahead to the installation section.
A CSR (Certificate Signing Request) is a small block of encoded text containing information about your domain and, for business certificates, your organization. Generating a CSR is a required part of the SSL ordering process; every commercial Certificate Authority asks for one before it issues your certificate.
You have two options:
- Generate the CSR automatically with our CSR Generator.
- Follow our step-by-step tutorial on how to generate a CSR on Red Hat Linux.
Submit the CSR to the Certificate Authority during checkout. Once the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Linux (Red Hat / Apache)
After validation, your Certificate Authority emails you a ZIP archive with the installation files. Download and extract it. You should have:
- yourdomain.crt, your primary SSL certificate (the leaf certificate).
- yourdomain.ca-bundle, the intermediate certificates, also called the CA bundle.
- yourdomain.key, the private key you generated together with the CSR.
If your CA sent the certificate as text rather than files, open the primary certificate, copy everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and save it as yourdomain.crt. Do the same for the CA bundle. Follow the steps below to complete the installation.
Step 1: Install the SSL module (mod_ssl)
On Red Hat-based systems, HTTPS support comes from the mod_ssl package. Install it (on RHEL 8/9 and Fedora use dnf; on older releases use yum):
sudo dnf install mod_ssl
Installing the package also creates the default SSL configuration file at /etc/httpd/conf.d/ssl.conf, which is where you’ll add your certificate directives.
Step 2: Upload your certificate files to the server
Copy your files to the standard Red Hat certificate locations. Certificates go in /etc/pki/tls/certs/ and the private key goes in /etc/pki/tls/private/:
sudo cp yourdomain.crt /etc/pki/tls/certs/
sudo cp yourdomain.ca-bundle /etc/pki/tls/certs/
sudo cp yourdomain.key /etc/pki/tls/private/
Lock down the private key so only root can read it:
sudo chmod 600 /etc/pki/tls/private/yourdomain.key
On Apache 2.4.8 and newer, which covers every supported RHEL release, combine your certificate and the CA bundle into a single full-chain file (leaf certificate first, intermediates after). This single file is all the SSLCertificateFile directive needs:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain_fullchain.crt
sudo cp yourdomain_fullchain.crt /etc/pki/tls/certs/
Step 3: Configure the HTTPS VirtualHost
Open the SSL configuration file with a text editor:
sudo nano /etc/httpd/conf.d/ssl.conf
Inside the port 443 VirtualHost block, set up a complete, modern configuration like the one below. Adjust the paths and domain to match your files:
<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot /var/www/html
SSLEngine on
# Apache 2.4.8+ : certificate + CA bundle in one full-chain file
SSLCertificateFile /etc/pki/tls/certs/yourdomain_fullchain.crt
SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.key
# Recommended TLS hardening (2026)
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
# Enable HSTS only after you confirm HTTPS works (needs mod_headers; includeSubDomains applies the policy to every subdomain)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
- SSLCertificateFile: your full-chain file (certificate followed by the intermediates). On Apache 2.4.8+ this single directive replaces the deprecated SSLCertificateChainFile.
- SSLCertificateKeyFile: the private key you created with the CSR.
Legacy Apache (older than 2.4.8): if you are stuck on a very old server, keep the certificate and chain separate, point SSLCertificateFile at yourdomain.crt, and add SSLCertificateChainFile /etc/pki/tls/certs/yourdomain.ca-bundle, pointing to the CA bundle, not to your own certificate.
Step 4: Redirect HTTP to HTTPS
So visitors always reach the secure version of your site, add a port 80 VirtualHost (in your main site config, for example /etc/httpd/conf.d/yourdomain.conf) that redirects to HTTPS:
<VirtualHost *:80>
ServerName www.yourdomain.com
Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
Step 5: Test the configuration
Always test the syntax before reloading; a typo in the config can stop Apache from starting:
sudo apachectl configtest
You should see Syntax OK. If you get an error, revisit the previous steps before continuing.
Step 6: Reload Apache
Apply the changes by reloading the httpd service. A reload activates the new configuration without dropping existing connections:
sudo systemctl reload httpd
If Apache wasn’t running yet, start it and enable it on boot instead:
sudo systemctl enable --now httpd
One more thing: make sure the firewall allows HTTPS traffic on port 443:
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Congratulations. Your SSL certificate is now installed on your Red Hat Linux Apache server. To confirm everything works and get an instant status report, run your domain through our SSL Checker. The scan flags any chain or configuration errors that could affect how browsers trust your certificate.
Where to buy an SSL certificate for Red Hat Linux?
SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are fully compatible with Red Hat Linux, Rocky Linux, AlmaLinux, CentOS, Fedora, and the Apache (httpd) web server.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and a 25-day money-back guarantee. Coupon code: SAVE10
Frequently Asked Questions
By convention on RHEL and its derivatives, certificates go in /etc/pki/tls/certs/ and private keys in /etc/pki/tls/private/. These are defaults; you can store the files elsewhere as long as your VirtualHost directives point to the correct paths.
Installing the mod_ssl package creates /etc/httpd/conf.d/ssl.conf, which holds the default port 443 VirtualHost and the SSL directives. The main Apache configuration file is /etc/httpd/conf/httpd.conf, and any file ending in .conf inside /etc/httpd/conf.d/ is loaded automatically.
On Apache 2.4.8 and later (every supported RHEL release), yes: concatenate your certificate and CA bundle into one full-chain file and point SSLCertificateFile at it. The separate SSLCertificateChainFile directive is deprecated and only needed on older Apache versions. Merging the chain prevents the “incomplete certificate chain” errors that some browsers and SSL checkers report.
Connect to your site with OpenSSL and read the certificate it serves:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If the certificate is installed, this prints its issuer and validity dates.
Almost always a configuration typo or a wrong file path. Run sudo apachectl configtest to pinpoint the line, double-check that the certificate and key paths exist and have no stray spaces, and confirm the private key matches the certificate. On RHEL with SELinux enabled, also verify the certificate files carry the correct context (cert_t); restore it if needed with sudo restorecon -Rv /etc/pki/tls/.
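Two of the file checks this tutorial relies on can be scripted before you reload httpd: that the private key matches the certificate, and that the full-chain file lists the leaf first with the intermediates after it. The script below is an added example, not part of the original tutorial; its function names and the throwaway test CA it can build are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-reload checks for the files referenced in ssl.conf.
# Function names are hypothetical helpers, not Apache or OpenSSL commands.

# Print the n-th PEM certificate ($2) found in file $1.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# Exit 0 only if private key $2 belongs to the first certificate in $1.
# Both public keys are extracted and compared as PEM text.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 only if each certificate in full-chain file $1 names the next one as
# its issuer (leaf first). 1 = wrong order, 2 = unreadable or no intermediates.
# This compares issuer/subject names only; it does not verify signatures.
chain_in_order() {
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || return 2
    [ "$total" -ge 2 ] || return 2
    n=1
    while [ "$n" -lt "$total" ]; do
        issuer=$(nth_cert "$1" "$n" | openssl x509 -noout -issuer_hash 2>/dev/null) || return 2
        next=$(nth_cert "$1" "$((n + 1))" | openssl x509 -noout -subject_hash 2>/dev/null) || return 2
        [ "$issuer" = "$next" ] || return 1
        n=$((n + 1))
    done
    return 0
}

# Build a throwaway CA and leaf in directory $1 so the checks can be tried
# offline. Everything written here is constructed test material.
make_constructed_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.yourdomain.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null || return 1
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/fullchain.crt"
}

# Usage: sh check_tls_files.sh yourdomain_fullchain.crt yourdomain.key
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
    chain_in_order "$1" && echo "chain order ok" || echo "CHAIN ORDER PROBLEM"
fi
```

Run it as root against the files under /etc/pki/tls/, since the private key is readable only by root after the chmod 600 step.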
Bottom line
Installing an SSL certificate on Linux with Apache comes down to installing mod_ssl, uploading your certificate and private key to /etc/pki/tls/, configuring the port 443 VirtualHost in /etc/httpd/conf.d/ssl.conf with your full-chain certificate, testing with sudo apachectl configtest, and reloading httpd.
Need a certificate first? Browse our SSL certificates.

