Installing an SSL Certificate on Apache
Samantha Clark
Apache HTTP Server remains one of the most widely deployed web servers, and its SSL Certificate installation process has a reputation for tripping people up in one specific place.
The way Apache handles Intermediate Certificates changed at version 2.4.8, and guides that ignore the change leave servers with broken chains that look fine in a desktop browser. This guide covers the modern approach, the legacy approach, and how to tell which one your server needs.
Prerequisites and Required Files
You need shell access with permission to edit the Apache configuration and restart the service, plus the mod_ssl module enabled. On Debian and Ubuntu systems the command a2enmod ssl enables it, while Red Hat based systems typically install it through the mod_ssl package.
You also need three pieces of material. The first is your issued SSL Certificate file, the second is the ca-bundle file containing the Intermediate Certificates, and both are available in the tracking system once issuance is complete.
The third piece is the Private Key created on your server when you generated your Certificate Signing Request (CSR). Trustico® does not store Private Keys, so the file on your server is the only copy in existence.
Locating the Apache SSL Configuration
Apache configuration layouts differ by distribution, and knowing where your HTTPS VirtualHost lives is the first practical step. On Debian and Ubuntu the site definitions sit in /etc/apache2/sites-available/ with a default SSL site file named default-ssl.conf. On Red Hat, CentOS, AlmaLinux, and Rocky Linux the SSL configuration usually lives in /etc/httpd/conf.d/ssl.conf.
If you are unsure which file controls your domain, the following command lists every file that defines a VirtualHost on port 443.
apachectl -S
Configuring the VirtualHost for Apache 2.4.8 and Later
Apache 2.4.8 and later deprecate the separate chain directive, SSLCertificateChainFile, and instead read the Intermediate Certificates from the same file as the server SSL Certificate. Concatenate the two files with your SSL Certificate first, exactly as you would for NGINX.
cat yourdomain.crt yourdomain.ca-bundle > yourdomain-fullchain.crt
Reference the combined file and the Private Key inside the VirtualHost.
# /etc/apache2/sites-available/yourdomain-ssl.conf
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain
    SSLEngine on
    # Combined file: server SSL Certificate first, then the Intermediate Certificates
    SSLCertificateFile /etc/ssl/certs/yourdomain-fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
    # +TLSv1.3 needs a mod_ssl built against OpenSSL 1.1.1 or later
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
The ServerName and ServerAlias directives must match the hostnames your SSL Certificate covers. A mismatch between these directives and the SSL Certificate produces hostname warnings even when the chain itself is perfect.
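The combined file built above can be checked before Apache loads it. The script below is an added example, not part of the original guide: it confirms the file is ordered leaf first with each certificate issued by the next one, and it goes slightly beyond the text by also catching the case where cat glues two PEM blocks together because the first file has no final newline. The function names and verdict strings are this example's own, and it compares names only, without verifying signatures.

```shell
#!/bin/sh
# Added example: sanity-check a combined certificate file for SSLCertificateFile.

# Split PEM file $1 into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Print the subject or issuer name of certificate file $2 ($1 = subject|issuer).
dn() {
    openssl x509 -in "$2" -noout "-$1" 2>/dev/null | sed "s/^$1= *//"
}

# Print a verdict for combined file $1 and return 0 only for "ok".
chain_layout() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    # "cat" joins two PEM blocks when the first file lacks a final newline.
    if grep -q 'END CERTIFICATE-.*-BEGIN CERTIFICATE' "$1"; then
        echo missing-newline; return 1
    fi
    dir=$(mktemp -d) || return 2
    count=$(split_pem "$1" "$dir")
    case "$count" in
        0) verdict=no-certificates ;;
        1) verdict=leaf-only ;;          # intermediates were never appended
        *) verdict=ok ;;
    esac
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(dn issuer "$dir/cert-$i.pem")
        next_subject=$(dn subject "$dir/cert-$((i + 1)).pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$next_subject" ]; then
            verdict="broken-link:$i"     # cert i is not issued by cert i+1
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Usage: sh chain_layout.sh yourdomain-fullchain.crt
if [ "$#" -eq 1 ]; then chain_layout "$1"; fi
```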
Configuring the VirtualHost for Apache Older Than 2.4.8
Servers running older Apache releases keep the chain separate using a third directive. The server SSL Certificate, the Private Key, and the ca-bundle each get their own line.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
SSLCertificateChainFile /etc/ssl/certs/yourdomain.ca-bundle
Note: The command apachectl -v reports your installed version. If you are on 2.4.8 or later and your configuration still contains SSLCertificateChainFile, Apache will continue to honor it for now, but consolidating to the combined file format keeps the configuration future-proof.
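To tell which of the two styles a server needs, the check below parses the apachectl -v banner, compares the version with 2.4.8 field by field, and looks for an active SSLCertificateChainFile line in one VirtualHost file. It is an added example, not part of the original guide; the function names and verdict strings are this example's own, and files pulled in through Include are not followed.

```shell
#!/bin/sh
# Added example: match the chain directive style to the installed Apache version.

# Extract "2.4.41" from a banner such as "Server version: Apache/2.4.41 (Ubuntu)".
apache_version() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeeds when version $1 is 2.4.8 or later. Fields are compared as numbers,
# so 2.4.10 sorts after 2.4.8 (a plain string comparison gets this wrong).
reads_chain_from_cert_file() {
    printf '%s\n' "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit (v >= 2004008 ? 0 : 1)
    }'
}

# Does config file $1 contain an active (uncommented) SSLCertificateChainFile?
has_chain_directive() {
    grep -Eiq '^[[:space:]]*SSLCertificateChainFile[[:space:]]' "$1"
}

# Print one verdict for banner $1 and VirtualHost config file $2.
chain_style_verdict() {
    ver=$(apache_version "$1")
    [ -n "$ver" ] || { echo "unknown-version"; return 2; }
    if reads_chain_from_cert_file "$ver"; then
        if has_chain_directive "$2"; then
            echo "legacy-directive-on-modern-apache"   # honored, but consolidate
        else
            echo "combined-file"      # SSLCertificateFile must hold the chain
        fi
    else
        if has_chain_directive "$2"; then
            echo "separate-chain-file"
        else
            echo "chain-missing"      # Intermediate Certificates are not served
        fi
    fi
}

# Usage: sh chain_style.sh "$(apachectl -v)" /etc/apache2/sites-available/yourdomain-ssl.conf
if [ "$#" -eq 2 ]; then chain_style_verdict "$1" "$2"; fi
```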
Whichever directive style applies to your version, the next step is the same.
Testing and Applying the Configuration
Apache validates configuration syntax before you commit to a restart, and running the test first protects a live site from going down on a typo.
apachectl configtest
A response of Syntax OK clears the way. Restart the service to load the new SSL Certificate, using the service name appropriate to your distribution.
sudo systemctl restart apache2
On Red Hat family systems the service is named httpd rather than apache2, so the equivalent command is sudo systemctl restart httpd.
Verifying the Installation
Load the site over HTTPS and inspect the SSL Certificate details in the browser. Then run an external scan, because desktop browsers cache Intermediate Certificates and routinely mask an incomplete chain that mobile devices will reject. Trustico® provides free checking tools that show the chain exactly as a fresh client receives it.
While verifying, it is worth confirming that plain HTTP visitors are redirected to HTTPS so that no traffic continues over an unencrypted connection.
Troubleshooting Common Installation Problems
A key mismatch error in the Apache error log means the Private Key does not pair with the SSL Certificate being loaded.
This usually traces back to a CSR that was regenerated after the original submission, leaving the issued SSL Certificate paired with a key that no longer exists. A reissue against the current CSR is the clean fix.
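The pairing can be confirmed before a restart, and again before a reissue to make sure the CSR being submitted belongs to the key still on disk. The script below is an added example, not part of the original guide: it compares public-key fingerprints across the Private Key, the SSL Certificate and the CSR. The function names are this example's own, and it assumes PEM files with a Private Key that is not passphrase-protected.

```shell
#!/bin/sh
# Added example: confirm which files share a key pair.

# Print the PEM public key held in file $2; $1 is its kind: key, cert or csr.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# SHA-256 fingerprint of that public key. Works for RSA and ECDSA alike
# and never prints private key material.
pubkey_fingerprint() {
    pem=$(pubkey_of "$1" "$2") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KIND FILE KIND FILE
# Returns 0 = same key pair, 1 = different key pairs, 2 = a file could not be parsed.
same_keypair() {
    a=$(pubkey_fingerprint "$1" "$2") || return 2
    b=$(pubkey_fingerprint "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Usage: sh keypair.sh yourdomain.key yourdomain.crt [yourdomain.csr]
if [ "$#" -ge 2 ]; then
    same_keypair key "$1" cert "$2" && echo "key matches certificate" ||
        echo "key does NOT match certificate (or a file is unreadable)"
    [ -z "$3" ] || { same_keypair key "$1" csr "$3" && echo "key matches CSR" ||
        echo "key does NOT match CSR (or a file is unreadable)"; }
fi
```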
Chain warnings on mobile devices while desktop browsers stay quiet mean the Intermediate Certificates are missing from the served chain. On modern Apache, rebuild the combined file and confirm SSLCertificateFile points at it. On older Apache, confirm the SSLCertificateChainFile line is present and points at the ca-bundle.
If Apache refuses to start and the error log mentions port 443 already in use, another service holds the port. The command ss -tlnp identifies the conflicting process so it can be stopped or reconfigured.
Professional Installation Assistance
Apache installations are straightforward once the chain handling is understood, but complex environments with multiple VirtualHosts, proxied applications, or strict uptime requirements sometimes call for direct help.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.