Alibaba Cloud SSL Certificates Service allows you to download a certificate and install
it on an Apache server so that the Apache server can be accessed over HTTPS. This
topic describes how to install an SSL certificate.
Prerequisites
- Port 443, the default port for the HTTPS service, has been enabled on your Apache
server.
- The mod_ssl.so module has been installed on your Apache server, which is used to enable SSL.
- In this example, domain name is the certificate name, domain name_public.crt is the certificate file name, domain name_chain.crt is the certificate chain file, and domain name.key is the certificate key file.
- If you do not select Automatic for CSR Generation when applying for the certificate, the downloaded certificate package will not include
the .key file.
Procedure
- Decompress the downloaded certificate package.
The following three files are extracted from the package:

- Certificate file: a file with the .crt extension.
- Certificate chain file: a file with the .crt extension.
- Key file: a file with the .key extension.
- Create a cert directory in the Apache installation directory, and copy the downloaded Apache certificate file, certificate
chain file, and key file to the cert directory. To install multiple certificates, create the corresponding number of cert directories in the Apache directory to store the certificates separately.
Note If you have selected Manual for CSR Generation when applying for the certificate, save the key file you created
manually to the cert directory and name the key file as domain name.key.
- Modify the httpd.conf configuration file.
- In the Apache installation directory, open Apache/conf/httpd.conf, find the following parameters, and configure them based on the following annotation:
#LoadModule ssl_module modules/mod_ssl.so # Delete the comment character "#" at the beginning of the line to load the mod_ssl.so module and enable the SSL service. Apache does not enable this module by default.
#Include conf/extra/httpd-ssl.conf # Delete the comment character "#" at the beginning of the line.
Note If you cannot find the preceding configuration statements in the httpd.conf file, check whether the mod_ssl.so module is installed on your Apache server. You can run the yum install -y mod_ssl
command to install the mod_ssl module.
- Save the httpd.conf file and exit.
- Modify the httpd-ssl.conf configuration file.
- Open Apache/conf/extra/httpd-ssl.conf, find the following parameters, and configure them based on the following annotation:
Note Depending on the operating system, the httpd-ssl.conf configuration may instead be stored in conf.d/ssl.conf.
<VirtualHost *:443>
# Change this to the domain name that was bound when you applied for the certificate.
ServerName www.YourDomainName1.com
DocumentRoot /data/www/hbappserver/public
SSLEngine on
# Add supported SSL protocols and remove the insecure ones.
SSLProtocol all -SSLv2 -SSLv3
# Modify the cipher suite.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
# Replace domain name1_public.crt with the name of your certificate file.
SSLCertificateFile cert/domain name1_public.crt
# Replace domain name1.key with the name of your certificate key file.
SSLCertificateKeyFile cert/domain name1.key
# Replace domain name1_chain.crt with the name of your certificate chain file. If the line starts with #, delete the #.
SSLCertificateChainFile cert/domain name1_chain.crt
</VirtualHost>
# If your certificate contains multiple domain names, copy the preceding parameters, and replace ServerName with the second domain name.
<VirtualHost *:443>
# Change this to the second domain name that was bound when you applied for the certificate.
ServerName www.YourDomainName2.com
DocumentRoot /data/www/hbappserver/public
SSLEngine on
# Add supported SSL protocols and remove the insecure ones.
SSLProtocol all -SSLv2 -SSLv3
# Modify the cipher suite.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
# In the three file names below, replace domain name2 with the second domain name that was bound when you applied for the certificate.
SSLCertificateFile cert/domain name2_public.crt
SSLCertificateKeyFile cert/domain name2.key
# If the line starts with #, delete the #.
SSLCertificateChainFile cert/domain name2_chain.crt
</VirtualHost>
Note Check whether your browser version supports Server Name Indication (SNI). If not,
the multi-domain-name certificate configuration will not take effect.
- Save the httpd-ssl.conf file and exit.
- Restart Apache to make the SSL configuration take effect.
Run the following commands in the bin directory of Apache:
- Stop the Apache service.
apachectl -k stop
- Start the Apache service.
apachectl -k start
- Optional: Modify the httpd.conf file to automatically redirect HTTP requests to HTTPS.
Add the following redirection code to <VirtualHost *:80> </VirtualHost>
in the httpd.conf file:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
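Before the restart step in the procedure above, it helps to confirm that the certificate and key in the cert directory belong together, particularly when the key file was created manually and was not part of the downloaded package. The following script is an added example, not part of the original procedure; the function names are illustrative, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-restart checks for the files in the cert directory.
# Function names are illustrative; requires the openssl command-line tool.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert <public.crt> <private.key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # -passin pass: makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the key file grants no permissions to group or other.
key_is_private() {  # usage: key_is_private <private.key>
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if the certificate is readable and has not yet expired.
cert_not_expired() {  # usage: cert_not_expired <public.crt>
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Runs all checks and reports every failure, not just the first one.
precheck() {  # usage: precheck <public.crt> <private.key>
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/other (chmod 600)"; rc=1; }
    cert_not_expired "$1" || { echo "FAIL: $1 is expired or unreadable"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: certificate and key are consistent"
    fi
    return "$rc"
}

# When called with two arguments, check those files and exit non-zero on failure.
if [ "$#" -eq 2 ]; then
    precheck "$@" || exit 1
fi
```

Running apachectl configtest afterwards catches syntax errors in httpd-ssl.conf before the running server is stopped.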
What to do next
After you complete the preceding operations, you can verify that the certificate is
installed by accessing the domain name that is bound to the certificate.
https://domain name # Replace domain name with the domain name that is bound to your certificate.
If the lock icon appears in the address bar, the certificate is installed.
- When the DV SSL digital certificate is deployed on the server, you can view the following
in the URL field:

- When the OV SSL digital certificate is deployed on the server, you can view the following
in the URL field:

- When the EV SSL digital certificate is deployed on the server, you can view the following
in the URL field:

If your website cannot be accessed over HTTPS when you perform the preceding verification,
check whether port 443 on the server where you installed the certificate is enabled
or blocked by other tools.