All Products
Search
Document Center

Certificate Management Service:Install SSL certificates on Apache 2 servers that run Ubuntu

Last Updated:Jun 20, 2024

This topic describes how to install an SSL certificate on an Apache 2 server, including downloading and uploading a certificate file, configuring related parameters on the Apache 2 server, and verifying the installation result. The parameters are related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache 2 server over HTTPS, which ensures the security of data transmission.

Prerequisites

  • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.

  • Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.

  • Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.

    If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.

Preparations

  • Operating system: Ubuntu

  • Web server type: Apache 2

Important

The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.

  4. Find Apache in the Server Type column and click Download in the Actions column.

    image.png

  5. Decompress the downloaded certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

    Value of the CSR Generation parameter

    File extracted from the certificate package

    Automatic

    • Certificate file in the CRT format: By default, the certificate file is named in the Domain name bound to the certificate_public format. The CRT certificate file is encoded in Base64.

    • Certificate chain file in the CRT format: By default, the certificate chain file is named in the Domain name bound to the certificate_chain format.

    • Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.

    Manual

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the Apache 2 server

  1. Run the following command to create a directory named ssl in the installation directory of Apache 2.

    mkdir /etc/apache2/ssl
  2. Upload the certificate file and private key file to the certificate directory /etc/apache2/ssl of the Apache 2 server.

    Note

    You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.

  3. Run the following command to enable the SSL module:

    sudo a2enmod ssl

    image.png

    • After you enable the SSL module, the SSL configuration file default-ssl.conf is generated in the /etc/apache2/sites-available directory.

      Note

      The default-ssl.conf file may be stored in the /etc/apache2/sites-available or /etc/apache2/sites-enabled directory.

      • The sites-available directory stores the configuration files of available virtual hosts.

      • The sites-enabled directory stores the configuration files of enabled virtual hosts.

    • After you enable the SSL module, HTTPS port 443 is automatically enabled. If port 443 is not automatically enabled, you can add Listen 443 to the /etc/apache2/ports.conf configuration file to enable port 443.

  4. Modify certificate-related settings in the default-ssl.conf configuration file.

    1. Run the following command to open the default-ssl.conf file:

      vim /etc/apache2/sites-available/default-ssl.conf
    2. Find the following parameters in the default-ssl.conf configuration file and modify the settings based on the following comments:

      ServerName example.com  # Replace example.com with the domain name that you bind to the certificate. If the configuration file of your server does not contain this parameter, you must manually add this parameter. 
      SSLCertificateFile /etc/apache2/ssl/domain_name_public.crt  # Specify the path to your certificate file.  
      SSLCertificateKeyFile /etc/apache2/ssl/domain_name.key   # Specify the path to your private key file.  
      SSLCertificateChainFile /etc/apache2/ssl/domain_name_chain.crt  # Specify the path to your certificate chain file. 
  5. Run the following command to map the default-ssl.conf configuration file to the /etc/apache2/sites-enabled directory to realize automatic association between the configuration file and the directory.

    sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/001-ssl.conf
  6. Run the following command to reload the Apache 2 configuration file:

    sudo /etc/init.d/apache2 force-reload

    image.png

  7. Run the following command to restart the Apache 2 service:

    sudo /etc/init.d/apache2 restart

    image.png

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

image.png

References

After I deploy a certificate to a website, the certificate does not take effect or the website is reported as insecure when I access the website. What do I do?