
Apache SSL/TLS Administration

A technical guide for configuring and managing SSL/TLS certificates in Apache HTTP Server on Linux distributions.

Introduction

When ordering an SSL certificate, you are required to provide a Certificate Signing Request (CSR), which is generated from a private key.

If you wish to create the private key yourself and generate the CSR file, please follow the section on Generating a CSR for certificate ordering, then SSL certificate installation, and finally Updating general SSL settings.

If you already have your private key and certificate ready, proceed directly to SSL certificate installation followed by Updating general SSL settings.

This guide was written using OpenSSL 1.1.1f and Apache 2.4.41 with a standard configuration.

The following instructions describe how to create, install, and configure SSL/TLS in Apache on Linux.

This guide is applicable to distributions such as Ubuntu, Red Hat, and CentOS. Note that there may be minor variations in file paths and commands depending on your specific Linux version.

  1. To check which version of OpenSSL is installed, run the following command:

openssl version


  2. To check which version of Apache is installed, run the following command:

apache2 -v


  3. You can use the Mozilla SSL Configuration Generator to generate an SSL configuration tailored to your server.

You can choose between the following security levels. We generally recommend the Intermediate profile unless you have a specific reason to choose otherwise. We also suggest leaving HSTS disabled unless you are fully confident in its implementation.

(For an updated list of client support for these levels, see https://wiki.mozilla.org/Security/Server_Side_TLS)

    • Modern: Provides higher security but lower compatibility, as it excludes many older browsers and legacy devices.

Recommended if all clients are known, such as for an internal company website.

    • Intermediate: A balance of high security and broad compatibility.

This is the general recommendation for servers accessed by unknown clients, such as a webshop. It optimises security while still allowing slightly older clients to access the site.

    • Old: Low security, maximum compatibility.

This setting is only recommended if compatibility is more critical than security, as it enables deprecated SSL standards with known vulnerabilities.

    • HSTS (HTTP Strict Transport Security): a response header that instructs the browser to access the domain only via HTTPS in the future. Clients cache this for the specified max-age duration; once set, it is difficult to revert, so proceed with caution.

Follow a thorough guide, be conservative, and start with a 300-second (5-minute) max-age for at least a week before gradually increasing it.

Be careful with subdomains and preloading unless every service on the domain is already running over HTTPS.

    • OCSP Stapling: Enabling OCSP Stapling is highly recommended. It allows the server to fetch the revocation status of the certificate periodically and deliver it to clients, rather than requiring every client to check the status individually during each connection.


Generating a CSR for certificate ordering

In this example, we use a single DNS name, which works for both standard and SAN certificates. For a wildcard certificate, the Common Name should be changed to *.fairssl.dk.

To complete your order and generate the CSR code, you need to gather the following information for the certificate:

  • Common Name (CN): The primary Fully Qualified Domain Name (FQDN). E.g.: www.fairssl.dk
  • Organisation Name (O): The full legal name of the company. E.g.: FairSSL A/S
  • Organisational Unit (OU): The department requesting the certificate. It must not name a different company; it is often left blank or set to the company name. E.g.: FairSSL A/S
  • Locality (L): The city or town. E.g.: Ørum Djurs
  • State (S): The state, province, or county. E.g.: Norddjurs
  • Country (C): The two-letter ISO country code; it must be in uppercase. E.g.: DK

We recommend using OpenSSL for creating both the private key and the CSR. If you have a standard installation, the OpenSSL binary is typically located at /usr/local/ssl/bin or accessible via your PATH.

Creating a private key

  1. Log in to the server with an account that has administrative privileges.
  2. Run the following command to create a 2048-bit RSA private key without a passphrase:

sudo openssl genrsa -out /etc/ssl/private/www.fairssl.dk.key 2048


If you prefer to protect the key with a passphrase, run the following command instead:

sudo openssl genrsa -des3 -out /etc/ssl/private/www.fairssl.dk.key 2048

You will then be prompted to enter and confirm a password for the key file.


  3. Run the following command to generate 2048-bit Diffie-Hellman parameters:

sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048


We generate the private key in /etc/ssl/private/ as this is a secured directory specifically designed for this purpose.

Never send your private key to us via email.

The key file must be stored securely and should never leave the server. It is no longer possible to use smaller keys, such as RSA 1024-bit.

Creating the CSR

  1. Run the following command to create a CSR using the private key generated earlier:

sudo openssl req -new -key /etc/ssl/private/www.fairssl.dk.key -out /etc/ssl/private/www.fairssl.dk.csr

If you chose to secure your key with a passphrase, you will be prompted to enter it now.

Enter the information you gathered earlier, followed by [ENTER]. Ensure that the Country Name is the ISO code in 2 uppercase letters. You should leave the last three fields blank. See the following example:

Country Name: DK
State or Province Name: Norddjurs
Locality Name: Ørum Djurs
Organization Name: FairSSL A/S
Organizational Unit Name: FairSSL A/S
Common Name: www.fairssl.dk
Email Address:
A Challenge Password:
An Optional Company Name:


  2. You can verify that your CSR has been created correctly using this command:

sudo openssl req -noout -text -in /etc/ssl/private/www.fairssl.dk.csr


  3. Open the CSR file with a text editor (e.g., sudo nano /etc/ssl/private/www.fairssl.dk.csr), and copy the entire text, including all the dashes at the beginning and end.

You will need to paste this text into the CSR field during the certificate ordering process.

The following is an example of a complete CSR text:

[Image: example CSR text]

A CSR does not contain confidential information, so there is no security risk in sending it via unencrypted email.
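The CSR steps above, as an added example that is not part of the original guide: a POSIX shell script that runs the same openssl commands non-interactively (the -subj string replaces the prompt sequence), puts every DNS name into a subjectAltName for the SAN case, and confirms that the CSR belongs to the key before it is pasted into an order. The company details are the guide's sample values; the file names, extra DNS name and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: produce the key and CSR from
# the Introduction's field list without the interactive prompts, then verify
# the result. Company details, DNS names and paths are constructed samples.

# make_csr KEY CSR FQDN [EXTRA_DNS...]: 2048-bit RSA key plus a CSR whose
# subject carries the fields the guide lists; every DNS name also goes into
# subjectAltName, which is what CAs and browsers actually match against.
# (-addext requires OpenSSL 1.1.1 or later.)
make_csr() {
    key=$1; csr=$2; fqdn=$3; shift 3
    san="DNS:$fqdn"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod 600 "$key"   # keep the private key owner-readable only
    # "/" inside a value (FairSSL A/S) must be escaped, as it separates RDNs
    openssl req -new -utf8 -key "$key" -out "$csr" \
        -subj "/C=DK/ST=Norddjurs/L=Ørum Djurs/O=FairSSL A\\/S/OU=FairSSL A\\/S/CN=$fqdn" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# csr_matches_key CSR KEY: exit 0 only when the CSR was built from this key
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# csr_has_dns CSR NAME: exit 0 when NAME is listed in the CSR's subjectAltName
csr_has_dns() {
    openssl req -in "$1" -noout -text 2>/dev/null | tr ', ' '\n\n' | grep -Fqx "DNS:$2"
}

# csr_subject CSR: the subject one attribute per line, e.g. "CN=www.fairssl.dk"
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject=//' | tr ',' '\n'
}

# Demo run: sh csr.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_csr "$d/www.fairssl.dk.key" "$d/www.fairssl.dk.csr" www.fairssl.dk fairssl.dk
    csr_matches_key "$d/www.fairssl.dk.csr" "$d/www.fairssl.dk.key" && echo "CSR matches key"
    csr_subject "$d/www.fairssl.dk.csr"
    csr_has_dns "$d/www.fairssl.dk.csr" fairssl.dk && echo "SAN includes fairssl.dk"
fi
```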

SSL certificate installation

If your server is already active and you have existing sites configured, follow Server with existing sites.

If you do not have any sites configured on your server (e.g., a fresh installation), follow Server without existing sites.

Server with existing sites

  1. Log in to the server with an administrative account.
  2. Create the following files in the same directory as your private key (e.g., /etc/ssl/private):

www.fairssl.dk.pem: Paste the text of your SSL certificate from the email into this file, including all dashes.

intermediate.pem: Paste the text of the intermediate certificate into this file.

  3. If your private key was generated elsewhere (e.g., via our CSR service), move it to /etc/ssl/private/ using the following command:

sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key

  4. Change to the /etc/apache2/sites-available directory.

If this is a new website, copy the configuration file from another site (e.g.: sudo cp www.fairssl.net.conf www.fairssl.dk.conf)

Open the configuration file for your website in a text editor (e.g., sudo nano www.fairssl.dk.conf).

Update the following information to match your website (comments have been removed in the image below for clarity):

[Image: Configure Virtual Host]

  5. If the website is not yet active, run the following command to enable it:

sudo a2ensite www.fairssl.dk.conf


If you run this command on an already active site, you will receive a warning that it is already enabled, which can be ignored.

  6. If you have multiple websites, repeat steps 2-5 for each one.

Ensure you update the DocumentRoot, ServerName, SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to match each respective site.

Make sure only one virtual host is designated as default; all others should be bound to a specific IP address or use *.

  7. Once you have bound the certificate to all required websites, you should update the general SSL settings for the Apache server; follow Updating general SSL settings.

Server without existing sites

  1. Log in to the server with an administrative account.
  2. Create the following files in the directory containing your private key (e.g., /etc/ssl/private):

www.fairssl.dk.pem: Paste the text of your SSL certificate from the email into this file, including all dashes.

intermediate.pem: Paste the text of the intermediate certificate into this file.

  3. If your private key was generated elsewhere (e.g., via our CSR service), move it to /etc/ssl/private/ using the following command:

sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key

  4. Copy default-ssl.conf in sites-available to a new file named after your website:

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.fairssl.dk.conf


  5. Open the new file in a text editor (e.g., sudo nano www.fairssl.dk.conf).

Update the following information to match your website:

    • DocumentRoot: The full path to the root of your website; do not include a trailing slash.
    • ServerName: The addresses the website should respond to.
    • SSLCertificateFile: The full path to the server certificate.
    • SSLCertificateKeyFile: The full path to the private key.
    • SSLCertificateChainFile: The full path to the intermediate certificate.

[Image: Configure Virtual Host]

If the site must also respond to plain HTTP, copy the virtual host configuration to a second VirtualHost outside the SSL block and remove every SSL directive from the copy.

  6. Save your changes and run the following command to enable the website:

sudo a2ensite www.fairssl.dk.conf


  7. Disable the default Apache placeholder site to ensure only your site is active:

sudo a2dissite 000-default.conf


  8. If you have multiple websites, repeat steps 2-6 for each one.

Ensure you update the DocumentRoot, ServerName, SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile for each site.

Ensure only one virtual host is set as default; others should use an IP address or *.

  9. After binding the certificate to all relevant websites, update the general SSL settings for the Apache server; follow Updating general SSL settings.
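Before enabling a site in either procedure above, the three files a VirtualHost points to (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) can be checked against each other from the shell. The following is an added example, not part of the original guide: make_demo_pki builds a constructed root, intermediate and www.fairssl.dk leaf so the script runs offline, and the check functions work unchanged on the real files under /etc/ssl/private when the system CA bundle is passed as the trust store. All function names and the demo file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks to run on the three
# files a VirtualHost names (SSLCertificateFile, SSLCertificateKeyFile,
# SSLCertificateChainFile) before the site is enabled and Apache reloaded.
# make_demo_pki builds a throw-away root/intermediate/leaf so this runs offline.

# cert_matches_key CERT KEY: 0 when the certificate was issued for this key;
# a mismatch is the classic reason Apache refuses to start after a renewal.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# chain_verifies CERT INTERMEDIATE TRUSTSTORE: 0 when CERT chains through the
# intermediate to a trusted root (on a real server pass the system store,
# e.g. /etc/ssl/certs/ca-certificates.crt on Ubuntu).
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: 0 unless CERT expires within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY INTERMEDIATE TRUSTSTORE: all checks; 0 only if all pass
preflight() {
    cert_matches_key "$1" "$2"      || { echo "FAIL: $2 is not the key for $1"; return 1; }
    chain_verifies "$1" "$3" "$4"   || { echo "FAIL: $3 does not chain $1 to a trusted root"; return 1; }
    cert_valid_for_days "$1" 14     || { echo "FAIL: $1 expires within 14 days"; return 1; }
    echo "OK: $1 is ready for Apache"
}

# make_demo_pki DIR: constructed root -> intermediate -> www.fairssl.dk leaf
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Demo Root" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/www.fairssl.dk.key" -out "$d/leaf.csr" -subj "/CN=www.fairssl.dk" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/www.fairssl.dk.pem" 2>/dev/null
}
```

On a live server run preflight with the paths from the VirtualHost and the distribution's CA bundle as the last argument; a FAIL line tells you which of the three files to fix before a2ensite and reload.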

Updating general SSL settings

SSL settings on the server are not always updated automatically when the OS is upgraded, primarily to avoid breaking compatibility with older clients.

We recommend updating your server's SSL configuration every time you replace a certificate.

  1. Create a backup of ssl.conf named ssl.conf.bak.

sudo cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.conf.bak

  2. Open ssl.conf in a text editor (e.g., sudo nano ssl.conf).

Add the settings you generated with the Mozilla generator in the Introduction section that are not already present in the global configuration.

Adjust the settings to meet your specific security requirements.

(Comments have been removed in the image below for clarity).

[Image: Configure General Ssl]

Some settings, such as SSLProtocol and SSLCipherSuite, may already exist; ensure they are only defined once in the file.

  3. Save your changes and close the editor.
  4. Run a configuration test to verify that the syntax of your changes is correct:

sudo apachectl configtest


  5. Reload the Apache service for the changes to take effect:

sudo systemctl reload apache2

We recommend testing your installation using our server scanner at: https://www.fairssl.com/en/tools/ssl-scanner
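The "defined only once" check from step 2 above, as an added example that is not part of the original guide: a shell function that lists every directive appearing more than once in ssl.conf, run on a constructed sample file in which the generator's lines were appended without removing the distribution defaults they replace. The sample cipher and protocol values are constructed for the demo, not the generator's output.

```shell
#!/bin/sh
# Added example, not part of the original guide: report Apache directives that
# appear more than once in ssl.conf, which is what the step above asks you to
# check by eye after pasting in the Mozilla generator's settings. The sample
# ssl.conf written by write_sample_ssl_conf is constructed for this demo.

# duplicate_directives FILE: prints every directive defined more than once
# (lowercased, since Apache directives are case-insensitive) with its count;
# exit 0 when the file is clean, 1 when duplicates were found.
duplicate_directives() {
    dups=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        /^[[:space:]]*</ { next }                       # <IfModule>, </IfModule> ...
        { n[tolower($1)]++ }
        END { for (d in n) if (n[d] > 1) print d, n[d] }' "$1" | sort)
    [ -z "$dups" ] || { printf '%s\n' "$dups"; return 1; }
}

# write_sample_ssl_conf FILE: a constructed ssl.conf in which the generator's
# lines were appended without removing the distribution defaults they replace
write_sample_ssl_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
    SSLRandomSeed startup builtin
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL
    SSLHonorCipherOrder on
    # --- pasted from the generator (sample values, not the generator's output) ---
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLUseStapling on
</IfModule>
EOF
}

# Demo run: sh sslconf-dups.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_ssl_conf "$f"
    duplicate_directives "$f" || echo "fix the duplicates above before apachectl configtest"
    rm -f "$f"
fi
```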

Intermediate Certificates

You can find intermediate certificates from various Certificate Authorities here.

We recommend using the intermediate certificate provided with your order, as it is guaranteed to be the correct match for your specific server certificate. Only download from here if you have lost the original file.

