This topic describes how to install an SSL certificate on an Apache 2 server, including downloading and uploading a certificate file, configuring related parameters on the Apache 2 server, and verifying the installation result. The parameters are related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the Apache 2 server over HTTPS, which ensures the security of data transmission.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.
Preparations
Operating system: Ubuntu
Web server type: Apache 2
The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.
Step 1: Download the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage and click More in the Actions column. On the page that appears, click the Download tab.
Find Apache in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter: Automatic
Files extracted from the certificate package:
Certificate file in the CRT format: By default, the certificate file is named in the <Domain name bound to the certificate>_public format. The CRT certificate file is encoded in Base64.
Certificate chain file in the CRT format: By default, the certificate chain file is named in the <Domain name bound to the certificate>_chain format.
Private key file in the KEY format: By default, the private key file is named in the <Domain name bound to the certificate> format.
Value of the CSR Generation parameter: Manual
Files extracted from the certificate package:
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.
If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the Apache 2 server
Run the following command to create a directory named ssl in the installation directory of Apache 2.
mkdir /etc/apache2/ssl
Upload the certificate file and private key file to the certificate directory /etc/apache2/ssl of the Apache 2 server.
Note: You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.
Run the following command to enable the SSL module:
sudo a2enmod ssl
After you enable the SSL module, the SSL configuration file default-ssl.conf is generated in the /etc/apache2/sites-available directory.
Note: The default-ssl.conf file may be stored in the /etc/apache2/sites-available or /etc/apache2/sites-enabled directory. The sites-available directory stores the configuration files of available virtual hosts. The sites-enabled directory stores the configuration files of enabled virtual hosts.
After you enable the SSL module, HTTPS port 443 is automatically enabled. If port 443 is not automatically enabled, you can add Listen 443 to the /etc/apache2/ports.conf configuration file to enable port 443.
Modify certificate-related settings in the default-ssl.conf configuration file.
Run the following command to open the default-ssl.conf file:
vim /etc/apache2/sites-available/default-ssl.conf
Find the following parameters in the default-ssl.conf configuration file and modify the settings based on the following comments:
# Apache does not allow a comment on the same line as a directive, so each comment is on its own line.
# Replace example.com with the domain name that you bind to the certificate. If the configuration file of your server does not contain this parameter, you must manually add this parameter.
ServerName example.com
# Specify the path to your certificate file.
SSLCertificateFile /etc/apache2/ssl/domain_name_public.crt
# Specify the path to your private key file.
SSLCertificateKeyFile /etc/apache2/ssl/domain_name.key
# Specify the path to your certificate chain file.
SSLCertificateChainFile /etc/apache2/ssl/domain_name_chain.crt
Run the following command to create a symbolic link to the default-ssl.conf configuration file in the /etc/apache2/sites-enabled directory, which associates the configuration file with the directory of enabled virtual hosts:
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/001-ssl.conf
Run the following command to reload the Apache 2 configuration file:
sudo /etc/init.d/apache2 force-reload
Run the following command to restart the Apache 2 service:
sudo /etc/init.d/apache2 restart
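The following pre-flight check is an added example, not part of the original page: run before the reload and restart commands above, it confirms that the uploaded private key matches the certificate, that the certificate has not expired, and that the key file grants no access to group or other users (the chain file is not checked). The function names check_cert_files and make_sample are illustrative assumptions, and the pair that make_sample generates is constructed test material.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page. Assumes OpenSSL and GNU stat
# (both present on the Ubuntu host this page targets).

# Constructed sample: a throwaway self-signed pair for example.com in dir $1,
# named like the files in default-ssl.conf. For trying the check out only.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example.com" \
    -keyout "$1/domain_name.key" -out "$1/domain_name_public.crt" 2>/dev/null
}

# check_cert_files CERT KEY
# Returns 0 only if the key belongs to the certificate, the certificate has
# not expired, and the key file grants nothing to group or other users.
check_cert_files() {
  local cert key cert_pub key_pub mode
  cert=$1; key=$2

  # Public key embedded in the certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot parse certificate $cert"; return 1; }
  # Public key derived from the private key ("-passin pass:" prevents a
  # passphrase prompt; an encrypted key is reported as unreadable).
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $cert"; return 1; }

  # -checkend 0 exits non-zero when the notAfter date has already passed.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: $cert has expired"; return 1; }

  # Mode bits 077 are the group/other permissions; all must be clear.
  mode=$(stat -c %a "$key")
  [ $(( 0$mode & 077 )) -eq 0 ] ||
    { echo "FAIL: $key has mode $mode; use chmod 600"; return 1; }

  echo "OK: $cert and $key are consistent"
}

# Usage: pass the certificate path and the private key path as arguments.
if [ "$#" -eq 2 ]; then check_cert_files "$1" "$2"; fi
```

If the check reports a mismatch, Apache will refuse to start with that pair, so fix the files before running the reload command.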
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If a lock icon appears in the address bar, the certificate is installed.