In this article, you can find installation instructions for TLS/SSL certificates on the following servers:
Apache & mod_ssl
Installing your Certificate on Apache with mod_ssl
- Extract all of the contents of the ZIP file that was sent to you and copy/move them to your server. The extracted contents will typically be named yourDomainName.crt and yourDomainName.ca-bundle.
- Move all of the certificate-related files to their appropriate directories.
  A typical setup:
  - Move the Private Key that was generated earlier to the ssl.key directory, which is typically found in /etc/ssl/. This must be a directory which only Apache can access.
  - Move the yourDomainName.crt and yourDomainName.ca-bundle to the ssl.crt directory, which is typically found in the /etc/ssl/ directory.
- Edit the file that contains the SSL configuration with your favorite text editor.
  Examples: nano, vi, pico, emacs, mousepad, notepad, notepad++, etc.
  Note: The location of this file may vary between distributions. It will be referenced in the Apache global configuration file. Look for the lines starting with include.
  Apache Configuration File:
  - Fedora/CentOS/RHEL: /etc/httpd/conf/httpd.conf
  - Debian and Debian based: /etc/apache2/apache2.conf
  SSL Configuration File:
  Some possible names:
  - httpd-ssl.conf
  - ssl.conf
  - In the /etc/apache2/sites-enabled/ directory.
  Note: If need be, please consult your distribution's documentation on Apache and SSL or navigate to the Apache Foundation's Apache2 Documentation.
- In the VirtualHost section of the file, please add these directives if they do not exist. It is best to comment out what is already there and add the below entries.
  - SSLEngine on
  - SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  - SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
  - SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle ***
  Apache 1.3.x:
  SSLEngine on
  SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
  SSLCACertificateFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle
  Apache 2.x:
  SSLEngine on
  SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
  SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle
- Save your config file and restart the Apache service. It is sometimes required to 'stop' then 'start' Apache, instead of issuing the 'restart' command for the changes to take effect.
Notes:
If you have chosen to have a password on your private key, you will be prompted to enter it each time Apache is started or restarted. Apache will not fully start until the password is entered.
The configuration file is often called httpd.conf or apache.conf, although sometimes the SSL-specific section is placed in a separate file called ssl.conf and linked from the main configuration by an 'Include' command. Sometimes, the VirtualHost section will be in a specific file for that site, in a sub-directory often labelled sites-enabled/.
Much of the layout of Apache's configuration files and directory naming conventions is controlled by the distribution of OS you are using. It is recommended that you look at the distribution's own site and documentation to confirm the locations.
OpenSSL
Step one: Copy your certificate to file
You will receive an email containing the certificate (yourdomainname.crt). When viewed in a text editor, your certificate will look something like:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Copy your SSL Certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labeled private.key and the public key will be yourdomainname.crt. It is recommended that you make the directory that contains the private key file only readable by root.
Step two: Install the Intermediate Certificate
You will need to install the Intermediate CA certificates in order for browsers to trust your certificate. The Intermediate CA certificates are contained within the ca-bundle file that was attached to your email in the zip file (this should be named your SERVERNAME.ca-bundle). In the relevant Virtual Host section for your site, you will need to complete the following to get this file correctly referenced:
Copy the SERVERNAME.ca-bundle file to the same directory as the certificate and key files and name it ca.txt.
Add the following line to the SSL section of the httpd.conf (assuming /etc/httpd/conf/ is the directory to where you have copied the intermediate CA file). If the line already exists, amend it to read the following:
SSLCACertificateFile /etc/httpd/conf/SERVERNAME.ca-bundle
If you are using a different location and certificate file names you will need to change the path and filename to reflect the path and file name that you are using. The SSL section of the updated config file should now read similar to this example (depending on the file name and directories used):
SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCACertificateFile /etc/ssl/crt/SERVERNAME.ca-bundle
Save your config file and restart Apache.
Note: The SSL configuration file will always be referenced in the Apache config file if the configuration is not included in it. Look for the lines starting 'include', which is the directive for including other files. For example, depending on the distribution, it might be called ssl.conf, httpd-ssl.conf, etc.
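The Apache & mod_ssl and OpenSSL sections above both end with three files in place (certificate, private key, ca-bundle) and a restart. The following is an added example, not part of the original article, of checks to run on those files before restarting; the function names are illustrative and make_fixture only builds constructed test files.

```shell
# Added example: pre-restart checks on the certificate, key and ca-bundle.

# Public key (PEM) embedded in a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# 1. The private key must belong to the certificate.
key_matches_cert() {            # $1 = certificate, $2 = private key
    c=$(cert_pubkey "$1" 2>/dev/null)
    k=$(key_pubkey "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 2. The ca-bundle must contain the issuer of the certificate.
#    -partial_chain accepts a bundle that stops at an intermediate.
bundle_issues_cert() {          # $1 = certificate, $2 = ca-bundle
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. The key file itself must carry no group/other permission bits.
key_is_private() {              # $1 = private key
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; print the first failure, or "ok".
preflight() {                   # $1 = cert, $2 = key, $3 = ca-bundle
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    bundle_issues_cert "$1" "$3" || { echo "bundle does not issue certificate"; return 1; }
    key_is_private "$2" || { echo "key readable by group/others"; return 1; }
    echo "ok"
}

# Constructed fixture (test data only): a throwaway CA, a certificate it
# signs, and an unrelated self-signed pair, written to directory $1.
make_fixture() {
    ( set -e; cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
          -keyout server.key -out server.csr
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out server.crt
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Unrelated" -keyout other.key -out other.crt
      chmod 600 server.key ) >/dev/null 2>&1
}
```

With the paths from the OpenSSL example, the call would be preflight /etc/ssl/crt/yourdomainname.crt /etc/ssl/crt/private.key /etc/ssl/crt/SERVERNAME.ca-bundle. A passphrase-protected key will prompt for its passphrase during the first check.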
Microsoft IIS 7.x
- Open Internet Information Services Manager (IISM) to the appropriate Server
  Start -> Administrative Tools -> IISM -> Server Name
- Open the Server Certificates icon.
- Open 'Complete Certificate Request' Wizard
  From the 'Actions' Menu on the right select 'Complete Certificate Request'
- Proceed to 'Complete Certificate Request' Wizard
Fill out all appropriate information. You may need to browse to the location of the certificate or you may enter it in the provided box. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate.
Note: You may receive a .cer file, which is also accepted by IIS; however, if you receive an error, change the .cer extension to .crt.
Note: There is a known issue in IIS 7 giving the following error: 'Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.' You may also receive a message stating 'ASN1 bad tag value met'. If this is the same server that you generated the CSR on then, in most cases, the certificate is actually installed. Simply cancel the dialog and press 'F5' to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR (see our CSR creation instructions for IIS 7). After creating a new CSR, log in to your Sectigo account and click the 'replace' button for your certificate.
Assign to Website
- Navigate back to the root of the appropriate website. The center of the window should say 'Default Website Home' or whatever the name of the website is.
- Select 'Bindings' from the 'Edit Site' sub menu.
- Add Port 443
In the 'Site Bindings' window, click 'Add'. This will open the 'Add Site Binding' window.
Under 'Type' choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443. The 'SSL Certificate' field should specify the certificate that was installed using the above steps.
Click 'OK' to save changes.
Note: There may already be an 'https' entry in this area. If so, click 'https' to highlight it. Then click 'Edit' and in the 'SSL certificate' area select the friendly name that was generated earlier. Click 'OK' to save changes.
Click 'OK' on the 'Web Site Bindings' Window to complete the install.
Important: You must now restart IIS / the website to complete the install of the certificate.