Certificate Management Service:Install an SSL certificate on an Apache server (Linux)

Last Updated:Mar 31, 2026

Enable HTTPS on a Linux Apache server by installing a single-domain, multi-domain, or wildcard SSL certificate. This guide covers certificate file preparation, mod_ssl and VirtualHost configuration, and post-deployment verification.

Prerequisites

Before you begin, ensure that you have:

  • A valid SSL certificate issued by a trusted certificate authority (CA). If your certificate is about to expire or has already expired, renew it before proceeding.

  • A certificate that covers all domains you want to secure. To add or change bound domains, purchase a new certificate or update the bound domains.

  • A root account or an account with sudo privileges on the server.

  • Domain name resolution: A DNS record for the domain is configured and resolves to your server's public IP address.

Domain coverage rules:

Certificate type   Coverage
Exact-match        example.com protects only example.com; www.example.com protects only www.example.com
Wildcard           *.example.com covers first-level subdomains (e.g., www.example.com, a.example.com), but not the root domain example.com or multi-level subdomains like a.b.example.com
Note

To cover multi-level subdomains, the Bound Domains field must include the exact domain (e.g., a.b.example.com) or a matching wildcard (e.g., *.b.example.com).

Step 1: Prepare the certificate files

  1. Go to the SSL Certificate Management page. In the Actions column for your certificate, click Download Certificate. On the Download tab, select Apache as the Server Type and download the package.

  2. Extract the downloaded package. The package contains two or three files depending on how the Certificate Signing Request (CSR) was generated:

    Note

    If you generated the CSR with OpenSSL or Keytool, the private key was saved only on your local machine and is not included in the downloaded package. If the private key is lost, the certificate cannot be used. Purchase a new certificate and generate a new CSR and private key.

    Scenario: System-managed key (CSR generated by Alibaba Cloud)
      Files in package: <bound_domain_name>_public.crt, <bound_domain_name>_chain.crt, <bound_domain_name>.key
      Action: Store all three files in a secure location.

    Scenario: Self-managed key (CSR generated with OpenSSL or Keytool)
      Files in package: <bound_domain_name>_public.crt, <bound_domain_name>_chain.crt only
      Action: Deploy these together with the private key file you saved locally when generating the CSR.
  3. Upload the certificate file, certificate chain file, and private key file to a secure directory on your server, such as /etc/ssl/cert. Make the private key readable by root only (mode 600, owned by root): Apache's parent process reads it as root at startup, and the unprivileged worker processes never need it.

    Note

    Use a remote login tool such as PuTTY, Xshell, or WinSCP to upload files. If your server is an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload or download files.

Step 2: Open port 443

Make sure your server's firewall and security group allow inbound traffic on port 443.

Check whether port 443 is open

Run the following commands to test port 443 connectivity. Replace <your_server_public_ip> with your server's public IP address. Apache does not listen on port 443 until Step 3 is complete, so if nothing is bound to the port yet the commands start a temporary nc listener for the probe to reach; the listener exits after the first connection.

RHEL/CentOS

command -v nc > /dev/null 2>&1 || sudo yum install -y nc
# Replace <your_server_public_ip> with the public IP address of your server.
# Start a temporary listener only if nothing is bound to port 443 yet.
sudo ss -tlnp | grep -q ':443 ' || { sudo nc -l 443 & }
sleep 1
nc -w 3 -vz <your_server_public_ip> 443

Expected output if port 443 is open: Ncat: Connected to <your_server_public_ip>:443

Debian/Ubuntu

# On current Debian/Ubuntu releases "netcat" is only a virtual package; install the OpenBSD implementation explicitly.
command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat-openbsd
# Replace <your_server_public_ip> with the public IP address of your server.
# Start a temporary listener only if nothing is bound to port 443 yet.
sudo ss -tlnp | grep -q ':443 ' || { sudo nc -l -p 443 & }
sleep 1
nc -w 3 -vz <your_server_public_ip> 443

Expected output if port 443 is open: Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open

A test run on the server itself only proves that a process is listening; it does not prove that traffic from the Internet reaches it. To confirm the security group and firewall rules, repeat the nc -w 3 -vz <your_server_public_ip> 443 command from a host outside the cloud network. If port 443 is not open, complete the following two sub-steps.

Open port 443 in your security group

Important

If your server runs on a cloud platform, confirm that its security group allows inbound TCP traffic on port 443. Otherwise, the HTTPS service will be inaccessible. The steps below use Alibaba Cloud ECS as an example; for other platforms, refer to their documentation.

Go to the Elastic Compute Service (ECS) instances page and click your instance name. In the Security Group Details section, add a security group rule with the following settings:

Field                            Value
Action                           Allow
Protocol                         Custom TCP
Destination (Current Instance)   HTTPS (443)
Source                           0.0.0.0/0 (anywhere)

Open port 443 in your system firewall

Run the following command to identify your active firewall:

if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
    echo "firewalld"
elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
    echo "ufw"
elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
    echo "nftables"
elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
    echo "iptables"
elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
    echo "iptables"
else
    echo "none"
fi

If the output is none, no further action is needed. Otherwise, run the command that matches your firewall type:

firewalld

sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

ufw

sudo ufw allow 443/tcp

nftables

sudo nft add table inet filter 2>/dev/null
sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
# Insert rather than append, so the rule precedes any final drop or reject rule already in the chain.
sudo nft insert rule inet filter input tcp dport 443 counter accept

These commands change only the running ruleset. To persist it across reboots, save it to the file the nftables service loads (/etc/nftables.conf on Debian/Ubuntu, /etc/sysconfig/nftables.conf on RHEL/CentOS) and enable the service:

sudo sh -c 'nft list ruleset > /etc/nftables.conf'
sudo systemctl enable nftables

iptables

# Insert (-I) at the top of the INPUT chain: a rule appended with -A after a final REJECT or DROP rule is never reached.
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

To persist iptables rules across reboots:

*RHEL/CentOS*

sudo yum install -y iptables-services
sudo service iptables save

*Debian/Ubuntu*

sudo apt-get install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

Step 3: Install the certificate on Apache

The configuration steps vary by Apache version. Check your version first, then follow the corresponding instructions.

Check your Apache version and enable the SSL module

Step 3a: Check your Apache version

RHEL/CentOS

httpd -v

Debian/Ubuntu

apache2 -v

Step 3b: Verify that the SSL module is enabled

RHEL/CentOS

httpd -M | grep 'ssl_module'

Debian/Ubuntu

apachectl -M | grep 'ssl_module'

If the module is loaded, the output includes ssl_module (shared). If not, install it:

RHEL/CentOS

sudo yum install -y mod_ssl
# For RHEL/CentOS 8.0 and later:
sudo dnf install -y mod_ssl

Debian/Ubuntu

sudo a2enmod ssl
# a2enmod only edits the configuration; restart Apache so the module is actually loaded.
sudo systemctl restart apache2

Configure the VirtualHost

Apache 2.4.8 and later (recommended)

Combine the certificate files

Concatenate the certificate file and chain file into a single fullchain file:

# Append the certificate chain to the server certificate to create a complete chain file.
cat domain_name_public.crt domain_name_chain.crt > domain_name_fullchain.pem

You will deploy two files: domain_name_fullchain.pem and domain_name.key. The order matters: the server certificate must come first, followed by the intermediate certificates. Check that every -----BEGIN CERTIFICATE----- line in the result starts on its own line; if domain_name_public.crt lacks a trailing newline, cat glues the end of the first block to the start of the second and Apache cannot parse the file.
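Pre-deployment checks for the files produced here, as an added example that is not part of the original page. It assumes the openssl command-line tool (1.1.1 or later) is installed and uses constructed test material: a throwaway root CA standing in for domain_name_chain.crt and a leaf certificate for example.com whose SAN entries (example.com and *.example.com) mirror the coverage table in Prerequisites. The function names are this example's own. The same checks answer the FAQ entries on domain mismatch and stale certificate files, and probe_live_server is the command-line counterpart of the browser check in Step 4:

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: pre-deployment checks for the
# certificate bundle from Step 1, run with the openssl CLI. Function names, the
# throwaway test CA and the example.com material below are constructed here.

# Build the fullchain file in the order Apache 2.4.8+ expects: server
# certificate first, then the chain. "awk 1" re-emits every line with a
# newline, so a certificate file without a trailing newline cannot glue two
# PEM blocks together the way a bare cat would.
make_fullchain() {
    # $1 = <domain>_public.crt, $2 = <domain>_chain.crt, $3 = output fullchain.pem
    awk 1 "$1" "$2" > "$3"
}

# 0 when the private key and the certificate carry the same public key.
# Works for RSA and EC keys: both sides are compared in SubjectPublicKeyInfo form.
key_matches_cert() {
    # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate chains to a trusted root through the chain file, is
# inside its validity period, and its SAN/CN covers the domain. $4 is an
# optional trust anchor file; leave it empty to use the system store, which is
# what a browser effectively does.
chain_covers_domain() {
    # $1 = certificate, $2 = chain file, $3 = domain, $4 = optional CA bundle
    if [ -n "$4" ]; then
        openssl verify -verify_hostname "$3" -CAfile "$4" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 when the certificate stays valid for at least $2 more days (default 30).
not_expiring_within() {
    # $1 = certificate, $2 = days
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# Run all checks; exit 0 = deployable, 1 = do not deploy, 2 = deployable but renew soon.
check_bundle() {
    # $1 = public.crt, $2 = chain.crt, $3 = key, $4 = domain, $5 = optional CA bundle
    key_matches_cert "$1" "$3" || { echo "FAIL: $3 does not match $1"; return 1; }
    chain_covers_domain "$1" "$2" "$4" "$5" || { echo "FAIL: $1 does not verify for $4 (chain, validity or bound domain)"; return 1; }
    not_expiring_within "$1" 30 || { echo "WARN: $1 expires within 30 days"; return 2; }
    echo "OK: $1 matches its key, chains to a trusted root and covers $4"
}

# Step 4 counterpart against a live host (needs network access; not run by the
# demo below): prints what the server actually presents and OpenSSL's verdict.
probe_live_server() {
    # $1 = domain
    openssl s_client -connect "$1:443" -servername "$1" -verify_hostname "$1" </dev/null 2>/dev/null \
        | grep -E '^(subject=|issuer=|Verify return code)'
}

# Constructed test material: a throwaway root CA (standing in for the _chain.crt
# file) and a leaf whose SAN mirrors the coverage table in Prerequisites.
make_test_pki() {
    # $1 = output dir, $2 = leaf validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test Root" \
        -keyout "$1/ca.key" -out "$1/example.com_chain.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$1/example.com.key" -out "$1/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > "$1/san.ext"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/example.com_chain.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "${2:-90}" -extfile "$1/san.ext" \
        -out "$1/example.com_public.crt" >/dev/null 2>&1
}

# Demo on the constructed material. Expected: www.example.com and example.com
# pass, a.b.example.com fails because *.example.com covers a single label only.
WORK=$(mktemp -d)
make_test_pki "$WORK" 90
make_fullchain "$WORK/example.com_public.crt" "$WORK/example.com_chain.crt" "$WORK/example.com_fullchain.pem"
for host in www.example.com example.com a.b.example.com; do
    check_bundle "$WORK/example.com_public.crt" "$WORK/example.com_chain.crt" \
        "$WORK/example.com.key" "$host" "$WORK/example.com_chain.crt"
done
rm -rf "$WORK"
```

For a real bundle, call check_bundle with the three files from Step 1 and the domain users will type, leaving the fifth argument empty so the chain is verified against the system trust store. A FAIL on a.b.example.com with a *.example.com certificate is the coverage rule from Prerequisites at work, not a broken chain. After the reload in Step 3, run probe_live_server with your domain to confirm the server presents the new certificate and that OpenSSL reports Verify return code: 0 (ok).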

Edit the SSL VirtualHost configuration

Note

The configuration file is typically at /etc/httpd/conf.d/ssl.conf (RHEL/CentOS, created when mod_ssl is installed) or /etc/apache2/sites-available/your-site-ssl.conf (Debian/Ubuntu). On Debian/Ubuntu a file in sites-available is not active until you enable it with a2ensite (sudo a2ensite your-site-ssl); the stock default-ssl.conf is a usable starting point.

sudo vim /etc/httpd/conf.d/ssl.conf

Update the SSL parameters in the VirtualHost block:

<VirtualHost *:443>

    # Replace example.com with the domain name you want to secure.
    ServerName example.com

    # Enable TLS for this VirtualHost (already present in the stock ssl.conf and default-ssl.conf).
    SSLEngine on

    # Certificate file. Use the path to the combined fullchain file.
    SSLCertificateFile /etc/ssl/cert/domain_name_fullchain.pem

    # Private key file. Replace with the path to your private key file.
    SSLCertificateKeyFile /etc/ssl/cert/domain_name.key

    # Other configurations
    # ...

</VirtualHost>

Apache 2.4.7 and earlier

Prepare the certificate files

Confirm that the certificate directory contains all three files: domain_name_public.crt, domain_name_chain.crt, and domain_name.key.

Edit the SSL VirtualHost configuration

Note

The configuration file is typically at /etc/httpd/conf.d/ssl.conf (RHEL/CentOS, created when mod_ssl is installed) or /etc/apache2/sites-available/your-site-ssl.conf (Debian/Ubuntu). On Debian/Ubuntu a file in sites-available is not active until you enable it with a2ensite (sudo a2ensite your-site-ssl).

sudo vim /etc/httpd/conf.d/ssl.conf

Update the SSL parameters in the VirtualHost block:

<VirtualHost *:443>

    # Replace example.com with the domain name bound to your certificate.
    ServerName example.com

    # Enable TLS for this VirtualHost (already present in the stock ssl.conf and default-ssl.conf).
    SSLEngine on

    # Certificate file. Replace with the path to your certificate file.
    SSLCertificateFile /etc/ssl/cert/domain_name_public.crt

    # Certificate chain file (specified separately). Replace with the actual path.
    SSLCertificateChainFile /etc/ssl/cert/domain_name_chain.crt

    # Private key file. Replace with the path to your private key file.
    SSLCertificateKeyFile /etc/ssl/cert/domain_name.key

    # Other configurations
    # ...

</VirtualHost>

Validate and reload Apache

Check the configuration syntax:

RHEL/CentOS

sudo httpd -t

Debian/Ubuntu

sudo apache2ctl -t

If the output is Syntax OK, reload or restart Apache to apply the certificate:

RHEL/CentOS

# Reload (graceful, recommended):
sudo systemctl reload httpd

# Restart (force restart):
sudo systemctl restart httpd

Debian/Ubuntu

# Reload (graceful, recommended):
sudo systemctl reload apache2

# Restart (force restart):
sudo systemctl restart apache2

Step 4: Verify the installation

Open https://yourdomain in a browser (replace yourdomain with your actual domain). A lock icon in the address bar confirms the certificate is active.

If no lock icon appears or you get an access error, clear your browser cache or retry in incognito mode.

Starting from Chrome 117, the lock icon has been replaced by a site-information (tune) icon to the left of the address. Click this icon to view certificate details.

Note

If you still have issues, see the FAQ section below.

Going live

Apply these practices before deploying to production:

  • Run Apache as a non-root service account: The worker processes must run as the dedicated, unprivileged user set by the User and Group directives (apache on RHEL/CentOS, www-data on Debian/Ubuntu), never as root or another privileged account. Only the parent process runs as root, so that it can bind port 443 and read the private key; this is also why the key file should be readable by root alone.

    Note

    Consider terminating SSL at the load balancer layer — deploy the certificate on a Server Load Balancer (SLB), which handles HTTPS and forwards decrypted HTTP traffic to backend servers.

  • Keep credentials out of code: Never hard-code passwords or private keys in configuration files. Inject credentials via environment variables, HashiCorp Vault, or a cloud key management service.

  • Redirect HTTP to HTTPS: Configure Apache to redirect every request on port 80 to HTTPS so that no page is ever served in plaintext. A redirect alone still leaves the first plaintext request open to interception; once HTTPS is confirmed working, send a Strict-Transport-Security header so returning browsers stop using HTTP at all.

  • Disable legacy TLS protocols: In your Apache configuration, disable SSLv3, TLSv1.0, and TLSv1.1. Enable only TLSv1.2 and TLSv1.3.

  • Monitor and renew before expiration: After deployment, enable domain monitoring. Alibaba Cloud checks certificate validity and sends renewal reminders before expiration. See Purchase and enable public domain name monitoring.
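The redirect and protocol-hardening items above, combined into one configuration, as an added example that is not part of the original page. It assumes the fullchain and key paths and the domain used in Step 3, an Apache build of 2.4.37 or later linked against OpenSSL 1.1.1 or later (required for +TLSv1.3 in SSLProtocol), and mod_headers for the Strict-Transport-Security line:

```apache
# Added example (not from the original page): HTTP-to-HTTPS redirect and TLS
# protocol hardening for the VirtualHost configured in Step 3. Paths and the
# domain are the same placeholders used in that step.

<VirtualHost *:80>
    ServerName example.com
    # Permanent (301) redirect that preserves the request path: /x -> https://example.com/x
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/cert/domain_name_fullchain.pem
    SSLCertificateKeyFile /etc/ssl/cert/domain_name.key

    # Refuse SSLv3, TLS 1.0 and TLS 1.1; negotiate only TLS 1.2 and TLS 1.3.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Let the server, not the client, choose among the permitted TLS 1.2 ciphers.
    SSLHonorCipherOrder on
    # TLS 1.2 ciphers: ECDHE for forward secrecy, AEAD only (TLS 1.3 suites are fixed by the protocol).
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    # HSTS: browsers that have seen this header use HTTPS for the next year without
    # trying HTTP first. Enable only after the HTTPS site is confirmed working.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

On Debian/Ubuntu enable mod_headers with a2enmod headers before reloading, and keep the port 80 VirtualHost in the same site file (or in 000-default.conf) so that a2ensite activates both. Validate with httpd -t or apache2ctl -t as in Step 3, then confirm from outside with a plain HTTP request that the response is a 301 to the https:// URL.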

FAQ

HTTPS is inaccessible after installation — what should I check?

Work through the following checks in order:

  1. Port 443 blocked: Confirm port 443 is open in both the security group and system firewall. See Step 2: Open port 443.

  2. Domain mismatch: The domain you are accessing is not listed in the certificate's Bound Domains. See the domain coverage rules in Prerequisites.

  3. Apache not reloaded: The Apache service was not reloaded or restarted after the configuration change. See Validate and reload Apache.

  4. Incorrect certificate path or stale files: Verify that the paths in the Apache configuration file point to the correct, up-to-date certificate files.

  5. Certificate missing on upstream services: If your domain routes through a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), install the certificate on those services too. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services.

  6. Multi-server deployment incomplete: If the domain's DNS resolves to multiple servers, install the certificate on every server.

The browser shows "certificate name mismatch" or NET::ERR_CERT_COMMON_NAME_INVALID — what does this mean?

The domain you are accessing does not match any domain in the certificate's Bound Domains. Check the domain coverage rules in Prerequisites, then purchase or update your certificate if needed.

How do I update or replace an SSL certificate in Apache?

  1. Back up old files: Save copies of the existing .crt and .key files on the server.

  2. Download new files: Get the new certificate and chain files (and, for a system-managed key, the private key) from the SSL Certificate Management console. If you generated the CSR yourself, the package contains no key; use the private key that belongs to the CSR you submitted.

  3. Replace files: Upload the new files to the same paths specified in your Apache configuration, overwriting the old ones.

  4. Reload Apache: Run sudo systemctl reload httpd (RHEL/CentOS) or sudo systemctl reload apache2 (Debian/Ubuntu) to apply the new certificate without downtime.