Certificate Management Service:Install an SSL certificate on an Apache server (Linux)

Last Updated: Nov 06, 2025

Enable HTTPS on an Apache server (Linux) by installing a single-domain, multi-domain, or wildcard SSL certificate. This topic covers certificate file preparation, mod_ssl and VirtualHost configuration, and post-deployment verification.

Important

If you have questions, contact your account manager for assistance.

Usage notes

Before you begin, ensure you meet the following requirements:

  • Certificate status: Your SSL certificate is issued by a trusted certificate authority (CA). If the certificate is About to Expire or Expired, first renew the SSL certificate.

  • Domain name matching: Ensure the certificate matches all domain names you intend to secure. To add or modify domains, see Append and replace domain names.

    • Exact-match domain name: Applies only to the specified domain.

      • example.com protects only example.com.

      • www.example.com protects only www.example.com.

    • Wildcard domain name: Applies only to its first-level subdomains.

      • *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

      • *.example.com does not protect the root domain example.com or multi-level subdomains such as a.b.example.com.

    Note

    To protect multi-level subdomains, the Bound Domains field must contain the exact domain, such as a.b.example.com, or a corresponding wildcard domain, such as *.b.example.com.

  • Server permissions: You need a root account or an account with sudo privileges.

  • DNS resolution: The domain's DNS record is configured and resolves to the server's public IP address.
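As an added example (not part of Alibaba Cloud's documentation), the following Python encodes the domain-matching rules above and applies them, together with an expiry check, to a certificate in the dictionary form that Python's `ssl` module returns from `getpeercert()`; SAMPLE_CERT is a constructed wildcard certificate.

```python
"""Check whether a certificate's bound domains cover a hostname, using the
matching rules stated above (exact match; a wildcard covers only one label).

Added example, not Alibaba Cloud's code. SAMPLE_CERT is constructed in the
shape returned by ssl.SSLSocket.getpeercert(), so the same functions can be
pointed at a live server after deployment.
"""
import ssl
import time


def domain_matches(bound, hostname):
    """Exact names match only themselves; *.example.com matches exactly one
    extra label (www.example.com), never example.com or a.b.example.com."""
    bound, hostname = bound.lower().rstrip("."), hostname.lower().rstrip(".")
    if not bound.startswith("*."):
        return bound == hostname
    suffix = bound[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]        # what the wildcard has to cover
    return bool(label) and "." not in label


def covered(bound_domains, hostname):
    """True if any bound domain on the certificate matches the hostname."""
    return any(domain_matches(b, hostname) for b in bound_domains)


def check_peer_cert(cert, hostname, now=None):
    """Return problems (name mismatch, expiry) for a getpeercert()-style dict;
    an empty list means the certificate is usable for hostname."""
    now = time.time() if now is None else now
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if not covered(names, hostname):
        problems.append(f"{hostname} is not covered by bound domains {names}")
    # notAfter uses the 'Nov  6 00:00:00 2026 GMT' form the ssl module reports.
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems


# Constructed sample: a wildcard-only certificate as getpeercert() reports it.
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.example.com"),),
               "notAfter": "Nov  6 00:00:00 2026 GMT"}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, check_peer_cert(SAMPLE_CERT, host) or "OK")
```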

Procedure

Step 1: Prepare the certificate files

  1. Go to the SSL Certificate Management page. In the Actions column for the target certificate, click Download Certificate. On the Download tab, download the certificate for which the Server Type is Apache.

  2. Extract the downloaded certificate package:

    • If you have the certificate file (<bound_domain_name>_public.crt), the certificate chain file (<bound_domain_name>_chain.crt), and the private key file (<bound_domain_name>.key), store them in a secure location because they are required for future deployments.

    • If the package contains only the certificate file (<bound_domain_name>_public.crt) and the certificate chain file (<bound_domain_name>_chain.crt) but not the private key file (<bound_domain_name>.key), you must deploy them with your locally saved private key file.

      Note

      If you use a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for the certificate, the private key file is saved only locally. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase an official certificate again and generate a new CSR and private key.

  3. Upload the extracted certificate file, certificate chain file, and private key file to the server, and store them in a secure external directory, such as /etc/ssl/cert.

    Note

    You can use the local file upload feature of a remote logon tool, such as PuTTY, XShell, or WinSCP, to upload files. If you are using an Alibaba Cloud Elastic Compute Service (ECS) instance, for more information about how to upload files, see Upload or download files.

Step 2: Configure the system and network environment

Ensure your security group and system firewall allow inbound traffic on the HTTPS port (443).

  1. Run the following command in the server terminal to check if port 443 is open:

    RHEL/CentOS

    command -v nc > /dev/null 2>&1 || sudo yum install -y nc
    # Replace <your_server_public_ip> with your server's actual public IP address.
    # If nothing is listening on 443 yet, start a temporary listener in the background so the connection test has a target.
    { sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443; } &
    sleep 1; nc -w 3 -vz <your_server_public_ip> 443

    If the output is Ncat: Connected to <The public IP address of the current server>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.

    Debian/Ubuntu

    command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
    # Replace <your_server_public_ip> with your server's actual public IP address.
    # If nothing is listening on 443 yet, start a temporary listener in the background so the connection test has a target.
    { sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443; } &
    sleep 1; nc -w 3 -vz <your_server_public_ip> 443

    If the output is Connection to <public IP address of the current server> port [tcp/https] succeeded! or [<public IP address of the current server>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.

  2. Open port 443 in your security group configuration.

    Important

    If your server is deployed on a cloud platform, ensure its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other cloud platforms, refer to their official documentation.

    Go to the Elastic Compute Service instance page, click the target instance name to go to the instance details page. Refer to Add a security group rule to add a new rule in the Security Group with the Action set to Allow, Protocol Type to Custom TCP, Destination Port Range to HTTPS(443), and Authorization Object to All IPv4 Addresses.

  3. Open port 443 in your firewall.

    Run the following command to identify the active firewall service on your system:

    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
        echo "firewalld"
    elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
        echo "ufw"
    elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
        echo "nftables"
    elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
        echo "iptables"
    elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
        echo "iptables"
    else
        echo "none"
    fi

    If the output is none, no further action is required. Otherwise, run the corresponding command below based on the output (firewalld, ufw, nftables, or iptables) to open port 443:

    firewalld

    sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

    ufw

    sudo ufw allow 443/tcp

    nftables

    sudo nft add table inet filter 2>/dev/null
    sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
    sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null

    iptables

    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    To ensure the iptables rules persist after a system reboot, run the following commands:

    RHEL/CentOS

    sudo yum install -y iptables-services
    sudo service iptables save

    Debian/Ubuntu

    sudo apt-get install -y iptables-persistent
    sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

Step 3: Install the certificate on the Apache server

  1. Confirm that the SSL module is enabled.

    1. Run the following command to check if the mod_ssl.so module is installed successfully:

      RHEL/CentOS

      httpd -M | grep 'ssl_module'

      Debian/Ubuntu

      apachectl -M | grep 'ssl_module'

      If the module is installed and loaded, you will see output similar to the following, which indicates that ssl_module is a shared module:

      ssl_module (shared)

    2. If the module is not installed, run the appropriate command for your Linux distribution to install the mod_ssl.so module and enable the SSL feature.

      RHEL/CentOS

      sudo yum install -y mod_ssl
      # For newer versions (8.0+):
      sudo dnf install -y mod_ssl

      Debian/Ubuntu

      # Enable the SSL module (usually pre-installed)
      sudo a2enmod ssl

  2. Run the following command to check your Apache version.

    RHEL/CentOS

    httpd -v

    Debian/Ubuntu

    apache2 -v

  3. Based on your Apache version, modify the configuration file.

    Apache 2.4.8 and later (Recommended)

    Combine the certificate files

    Run the following command to combine the extracted certificate file (domain_name_public.crt) and certificate chain file (domain_name_chain.crt) into a single file.

    # Append the content of the certificate chain file to the server certificate file to create a complete certificate chain file.
    cat domain_name_public.crt domain_name_chain.crt > domain_name_fullchain.pem

    After combination, you will have two files: domain_name_fullchain.pem and domain_name.key.

    Modify the configuration file

    • Edit the SSL virtual host configuration file.

      Note

      The configuration file is usually located at /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/your-site-ssl.conf.

      sudo vim /etc/httpd/conf.d/ssl.conf

    • Locate the SSL-related parameters and modify the certificate configuration.

      <VirtualHost *:443>
          
          # Replace example.com with the domain name you want to secure.
          ServerName example.com
          
          # Certificate file. Use the path to the combined certificate file.
          SSLCertificateFile /etc/ssl/cert/domain_name_fullchain.pem
          
          # Private key file. Replace with the path to your actual private key file.
          SSLCertificateKeyFile /etc/ssl/cert/domain_name.key
          
          # Other configurations
          # ...
          
      </VirtualHost>

    Apache 2.4.7 and earlier

    Prepare the certificate files

    Make sure that the certificate directory contains the following three files: the certificate file (domain_name_public.crt), the certificate chain file (domain_name_chain.crt), and the private key file (domain_name.key).

    Modify the configuration file

    • Edit the SSL virtual host configuration file.

      Note

      The configuration file is usually located at /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/your-site-ssl.conf.

      sudo vim /etc/httpd/conf.d/ssl.conf

    • Locate the SSL-related parameters and modify the certificate configuration.

      <VirtualHost *:443>
          
          # Replace example.com with the domain name that is bound to your certificate.
          ServerName example.com
          
          # Certificate file. Replace with the path to your certificate file.
          SSLCertificateFile /etc/ssl/cert/domain_name_public.crt
          
          # Certificate chain file (specified separately). Replace with the path to your certificate chain file.
          SSLCertificateChainFile /etc/ssl/cert/domain_name_chain.crt
          
          # Private key file. Replace with the path to your private key file.
          SSLCertificateKeyFile /etc/ssl/cert/domain_name.key
          
          # Other configurations
          # ...
          
      </VirtualHost>

  4. Check whether the syntax of the configuration file is correct. If the output is Syntax OK, the syntax is correct and you can proceed.

    RHEL/CentOS

    sudo httpd -t

    Debian/Ubuntu

    sudo apache2ctl -t

  5. Reload or restart the Apache service.

    RHEL/CentOS

    # Use reload (graceful reload, recommended).
    sudo systemctl reload httpd
    
    # Use restart (force restart).
    sudo systemctl restart httpd

    Debian/Ubuntu

    # Use reload (graceful reload, recommended).
    sudo systemctl reload apache2
    
    # Use restart (force restart).
    sudo systemctl restart apache2

Step 4: Verify the installation

  1. Access your domain over HTTPS in a web browser. For example, https://yourdomain.com. Replace yourdomain.com with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

    Starting from Chrome 117, the lock icon in the address bar has been replaced with a new icon. Click this icon to view the connection and certificate information.

Note

If you still have issues, see the FAQ section for troubleshooting.

Going live

When deploying to a production environment, follow these best practices to enhance security, stability, and maintainability:

  • Run as a non-administrator user:

    Create a dedicated, low-privilege system user for the application. Never run the application with an account that has administrator privileges.

    Note

    A recommended approach is to configure SSL at the gateway layer. This involves deploying the certificate on a Server Load Balancer (SLB). The gateway terminates the HTTPS traffic and forwards the decrypted HTTP traffic to the backend application.

  • Externalize credential management:

    Never hard-code passwords or other sensitive information in your code or configuration files. Use environment variables, Vault, or a cloud provider's key management service to inject credentials.

  • Enforce HTTP to HTTPS redirection:

    Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks.

  • Configure modern TLS protocols:

    Disable old and insecure protocols (such as SSLv3, TLSv1.0, and TLSv1.1) in your server configuration. Enable only TLSv1.2 and TLSv1.3.

  • Monitor certificates and automate renewal:

    After deploying the certificate, enable domain monitoring. Alibaba Cloud automatically checks the certificate validity period and sends renewal reminders before expiration to help you avoid service disruptions. For more information, see Purchase and enable public domain name monitoring.
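The following Python audit script is an added example (not part of Alibaba Cloud's documentation) that checks an Apache configuration for two of the items above: every port-80 VirtualHost redirects to HTTPS, and SSLProtocol leaves only TLSv1.2 and TLSv1.3 enabled. HARDENED is a constructed config that extends the Step 3 host with the settings that pass both checks; the `-all +TLSv1.2 +TLSv1.3` form requires an Apache and OpenSSL build with TLS 1.3 support.

```python
"""Audit Apache VirtualHost blocks for two go-live items above: HTTP hosts
redirect to HTTPS, and SSLProtocol enables only TLSv1.2 and TLSv1.3.
Added example, not Alibaba Cloud's code; HARDENED is a constructed config."""
import re

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def enabled_protocols(value):
    """Resolve an SSLProtocol value left to right: 'all' enables every
    version, '+X' adds X, '-X' removes X (names are case-insensitive)."""
    canon, enabled = {p.lower(): p for p in ALL}, set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL if name.lower() == "all" else {canon.get(name.lower(), name)}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit(config):
    """Return one finding per problem; an empty list means every check passed."""
    findings = []
    for addr, body in VHOST_RE.findall(config):
        directives = dict(re.findall(r"^\s*(\w+)\s+(.+?)\s*$", body, re.M))
        if addr.strip().endswith(":80"):
            if not re.search(r"^\s*(Redirect\w*|RewriteRule)\s.*https://", body, re.M):
                findings.append(f"{addr}: HTTP host does not redirect to HTTPS")
            continue
        # No SSLProtocol directive: treat it as 'all', i.e. legacy versions on.
        legacy = enabled_protocols(directives.get("SSLProtocol", "all")) & LEGACY
        if legacy:
            findings.append(f"{addr}: legacy protocols enabled: {', '.join(sorted(legacy))}")
    return findings


# Constructed hardened config: the Step 3 host plus a port-80 redirect host.
# Apache's common 'SSLProtocol all -SSLv3' would be flagged for TLSv1/TLSv1.1.
HARDENED = """<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/cert/domain_name_fullchain.pem
    SSLCertificateKeyFile /etc/ssl/cert/domain_name.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""
```

Running `audit(HARDENED)` returns an empty list; pointing `audit` at the contents of your own ssl.conf shows which hosts still need the redirect or the protocol change.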

FAQ

Why is my certificate not working or HTTPS inaccessible after installation or update?

This issue is often caused by one of the following configuration problems. Check them in order:

  • Port 443 blocked: The server's security group or firewall does not have port 443 open. See Configure the system and network environment.

  • Domain mismatch: The domain you are accessing is not listed in the certificate's Bound Domains. See Domain Name Matching.

  • Apache or Apache2 not restarted or reloaded: The Apache or Apache2 service was not restarted or reloaded after the configuration file was modified. See Reload or restart the Apache service.

  • Incorrect certificate configuration: The certificate file was not replaced correctly, or the certificate path is incorrect in the Apache configuration. Verify that the Apache configuration file and the certificate file are the latest and valid.

  • Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.

  • Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.

Why does the browser report a "certificate name mismatch" or "NET::ERR_CERT_COMMON_NAME_INVALID" error?

The domain name that you are accessing does not match the domain name bound to the certificate. For more information, see Domain name matching.

What is the correct way to update or replace an SSL certificate in Apache?

  1. Back up old files: Back up the existing certificate (.crt) and private key (.key) files on the server.

  2. Get new files: Download the new certificate and private key files from your Certificate Management Service console.

  3. Replace files: Upload the new files to your server, overwriting the old ones. Ensure the new files have the exact same path and filename as the ones specified in your Apache configuration.

  4. Restart or reload Apache: Restart or reload the Apache service to apply the new certificate.