How to install a SSL certificate for Apache2

From Cosmin's Wiki

Jump to: navigation, search

Home > Linux how to's > How to install a SSL certificate for Apache2

Many websites use secured connections (SSL) to secure data submitted by the user, like credit card information for example. For this, first you need to find a Certificate Authority to buy the certificate from. Personally, I use Trustico, but there are also many others. First, you need to install OpenSSL on your server, if it is not already installed. Then you will need to create a RSA key for your apache server: Create a directory under the

> cd /etc/apache2
> mkdir ssl.key

Generate the key file

> openssl genrsa -des3 -out domainname.key 1024

The CSR file (certificate signing request)

Next you will create the CSR (certificate signing request) using the key you have just created:

openssl req -new -key domainname.key -out domainname.csr

When creating a CSR, you will be prompted to enter several information, which will be displayed in your certificate. For these, you need to follow several conventions, like characters which are not allowed: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

Do not enter extra attributes when prompted for them. Just press Enter. Should you want to verify the contents of your CSR, you do this:

openssl req -noout -text -in domainname.csr

Submit your CSR to your issuing authority using their online web pages. Most likely you will then receive your key file by email. Copy the certificate (.crt file) to your server (same location where the other 2 files are located). I strongly advise you to create a backup copy of 3 files (.key .csr and .crt), as if you loose the .crt file, you will need to purchase a new certificate.


If you have created your key file with a password, you will be asked for the password of the key file every time you start/restart your Apache server. Should you get tired of this, you can extract the password from your key file like this:
> openssl rsa -in domainname.key -out domainname.key.unencrypted
Now all you have to do is to point your server to this unecrypted key and you're done.

It's also nice to take care and make the key file readable only by root:

> chmod 400 domainname.key.unencrypted