Knowledge Base

Overview 

By the end of this article, you will have generated a Certificate Signing Request (CSR) and a private key, submitted the CSR to a Certificate Authority (CA), and installed the issued SSL certificate on your Apache server so that your site serves traffic over HTTPS. The article covers, in order: creating the CSR and private key with OpenSSL, preparing the certificate files returned by the CA, and editing the Apache virtual host configuration to enable SSL. A private key is the secret file that pairs with your certificate, a virtual host is the Apache configuration block that defines how a site is served, and the certificate chain (CA bundle) is the set of intermediate and root certificates that lets browsers trust your certificate. 

Prerequisites 

Part 1: Generate a CSR and private key 

Step 1 — Generate the private key and CSR 

You can create the CSR in one of two ways: 

Enter the requested details (such as your domain name, organization, and location) accurately, because they are embedded in the certificate. 

Step 2 — Retrieve the CSR 

After OpenSSL finishes, locate and open the generated .csr file on the server to view its contents. This file holds the CSR text you will submit to the CA. 

Step 3 — Submit the CSR to the Certificate Authority 

Copy the entire contents of the .csr file, including the 
-----BEGIN CERTIFICATE REQUEST-----  
and 
-----END CERTIFICATE REQUEST-----  
lines, and submit it to your chosen Certificate Authority (CA) to request your SSL certificate. 

Part 2: Install the SSL certificate on Apache 

Step 1 — Prepare the certificate files 

Download and extract the ZIP folder the CA provides. It contains: 

If the CA bundle arrives as separate certificate files, combine them into one file: 

cat IntermediateCertificate1.crt IntermediateCertificate2.crt RootCertificate.crt >> bundle.crt 

Step 2 — Locate the Apache configuration file 

Find the Apache configuration file that defines your site. Common locations are: 

Step 3 — Configure the virtual host 

Back up the configuration file before editing it: 

cp /path/to/your/apache.conf /path/to/your/apache.conf_backup 

Edit the virtual host block so it points to your certificate, private key, and CA bundle: 

<VirtualHost *:443> 
    ServerAdmin [email protected] 
    DocumentRoot /var/www/ 
    ServerName www.yourdomain.com 
    ErrorLog /path/to/error_log 
    SSLEngine on 
    SSLCertificateFile /etc/ssl/yourdomain.crt 
    SSLCertificateKeyFile /etc/ssl/yourdomain.key 
    SSLCertificateChainFile /etc/ssl/yourdomain.ca-bundle 
</VirtualHost> 

Make sure every SSL directive is uncommented (no # at the start of the line). 

Step 4 — Save and restart Apache 

Save the configuration file and restart Apache to apply the changes: 

apachectl restart 

If Apache fails to restart, restore the backup file you created in Step 3 and review the configuration for any errors before trying again. 

Step 5 — Test the SSL installation 

Confirm the certificate is served correctly using an online SSL checker, such as: 

How to verify success 

The installation is successful when your site loads over HTTPS without browser warnings and an SSL checker reports a valid certificate with a complete chain. If the padlock appears and the checker shows no chain or trust errors, the certificate is installed correctly. 

Troubleshooting 

Issue: Apache fails to start after editing the configuration. 

Cause: A syntax error in the virtual host block, an incorrect file path, or a commented-out SSL directive. 

Solution: Restore the backup configuration from Part 2, Step 3, then re-check the certificate, key, and CA bundle file paths and confirm all SSL directives are uncommented.