Assuming you bought an SSL certificate for your domain , let's call it example.com , the following files will be generated for you.
- CSR: SSL_CSR_www_example_com.csr. The filename depends on the provider you request your SSL certificate from. The file extension may be .txt but the filename should contains the string "CSR" in order for you to recognise it.
- Private key: SSL_PrivateKEY_www_example_com.key. The filename depends on the provider you request your SSL certificate from. The file extension may be .txt but the filename should contains the string "KEY" in order for you to recognise it. If so rename the extension to .key.
- Validation file. 1B6E060908A7F05BE53D22A7C27C738F.txt. This file comes in .txt file with an arbitrary filename. We need this file in order for the SSL provider to validate that it's for the correct domain name.
The validation file (1B6E060908A7F05BE53D22A7C27C738F.txt) should be place in the root directory of your application and usually under the '.well-known' directory (create it if doesn't exist). Anyway when you bought the SSL certificate there will be some initial guide on where you should put it.
The SSL provider will look for that file (http://example.com/.well-known/1B6E060908A7F05BE53D22A7C27C738F.txt) periodically during the day in order for them to validate the domain exists. So the sooner you place that file on your server the sooner the validation process will begin.
After the SSL provider validates your domain, they will send you a confirmation email including some files regarding your certificate:
- CRT: www_example_com.crt. That's your certificate file.
- CA: Certificate Authority. The CA intermediate certificate(s).
The files that are the CA ones combine them in one file. You can recognise them by the string "CA" in the filename,
cat AddTrustExternalCARoot.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > example_com.ca-bundle.crt
The newly created file name could be anything you want. Just add the extension ".ca-bundle.crt" for consistency reasons.
You need to ssh into your server and upload these files to a directory let's name it /home/example_com
- The CRT file from step 2 www_example_com.crt
- The file we created in step 2 example_com.ca-bundle.crt
- The private file from step 0, SSL_PrivateKEY_www_example_com.key
Make a backup of your configuration file by copying it. Assuming your server is running on the default virtual host configuration file,
/etc/apache2/sites-available/000-default.conf, use these commands to to make a copy:
cd /etc/apache2/sites-available cp 000-default.conf 000-default.conf.orig
Then open the file for editing:
<VirtualHost *:80> entry and modify it so your web server will listen on port
Then add the
ServerName directive, if it doesn’t already exist (substitute your domain name here):
Then add the following lines to specify your certificate and key paths (substitute your actual paths here):
SSLEngine on SSLCertificateFile /home/example_com/www_example_com.crt SSLCertificateKeyFile /home/example_com/SSL_PrivateKEY_www_example_com.key
If you are using Apache 2.4.8 or greater, specify the CA intermediate bundle by adding this line (substitute the path):
If you are using an older version of Apache, specify the CA intermediate bundle with this line (substitute the path):
At this point, your server is configured to listen on HTTPS only (port 443), so requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following to the top of the file (substitute the name in both places):
<VirtualHost *:80> ServerName example.com Redirect permanent / https://example.com/ </VirtualHost>
Save and exit.
Enable the Apache SSL module by running this command:
sudo a2enmod ssl
Now restart Apache to load the new configuration and enable TLS/SSL over HTTPS!
sudo service apache2 restart
Test it out by accessing your site via HTTPS, e.g.
https://example.com. You will also want to try connecting via HTTP, e.g.
http://example.com to ensure that the redirect is working properly!