Certificate Management Service: Install an SSL certificate on an Apache server (Windows)

Last Updated: Nov 18, 2025

When a website uses the unencrypted HTTP protocol, user data is vulnerable to interception. Browsers also display a Not Secure warning, which can damage user trust and business security. Deploying an SSL certificate on your Apache server on Windows enables encrypted HTTPS communication. This topic explains how to install an SSL certificate on an Apache server on Windows and verify the HTTPS configuration.

Usage notes

Before you begin, make sure that you meet the following requirements:

  • Certificate status: You have an SSL certificate issued by a trusted certificate authority. If the certificate is about to expire or has expired, you must first renew the SSL certificate.

  • Domain name matching: Make sure that the certificate matches all domain names that you want to secure. To add or modify domain names, you can Purchase a commercial certificate or Append and replace domain names.

    • Exact-match domain name: Applies only to the specified domain.

      • example.com protects only example.com.

      • www.example.com protects only www.example.com.

    • Wildcard domain name: Applies only to its first-level subdomains.

      • *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

      • *.example.com does not protect the root domain example.com or multi-level subdomains such as a.b.example.com.

    Note

    To match multi-level subdomains, the Bound Domains field must contain the exact domain, such as a.b.example.com, or a corresponding wildcard domain, such as *.b.example.com.

  • Server permissions: You must use the Administrator account or an account with administrator permissions.

  • Domain name resolution: The domain's DNS record is configured and resolves to the server's public IP address.

  • Environment dependencies: This topic uses Windows Server 2025 and Apache 2.x as an example. The example installation directory for Apache is C:\Apache24.

    Note

    Deployment procedures may vary depending on the version of your operating system or Web Server.
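
The domain name matching rules above can be checked mechanically before you deploy. The following Python code is an added example, not part of the original page: it tests a constructed list of hostnames against a constructed Bound Domains list and, for each name that is not covered, returns the exact or wildcard entry that would cover it. The function names and the sample lists are hypothetical.

```python
def covers(bound, host):
    """True if one Bound Domains entry protects host under the rules above."""
    bound, host = bound.lower().rstrip("."), host.lower().rstrip(".")
    if not bound.startswith("*."):
        return host == bound                    # exact-match entry
    suffix = bound[1:]                          # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]                 # the part the "*" stands for
    return bool(label) and "." not in label     # exactly one label, never zero

def entries_that_would_cover(host):
    """The entries that can protect host: the exact name or its parent wildcard."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    return [host] + (["*." + parent] if "." in parent else [])

def coverage_report(bound_domains, hosts):
    """Map each uncovered hostname to the entries that would fix it."""
    return {h: entries_that_would_cover(h)
            for h in hosts
            if not any(covers(b, h) for b in bound_domains)}

# Constructed inventory (assumption): the names one site is served under.
BOUND = ["*.example.com"]
HOSTS = ["www.example.com", "a.example.com", "example.com", "a.b.example.com"]

if __name__ == "__main__":
    for host, fixes in coverage_report(BOUND, HOSTS).items():
        print(f"{host}: not covered, add one of {fixes}")
```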

Procedure

Step 1: Prepare the SSL certificate

  1. Go to the SSL Certificate Management page. In the Actions column of the target certificate, click Download. On the Download tab, download the certificate for the Apache Server Type.

  2. Unzip the downloaded certificate package:

    • If the package contains a certificate file (<YOUR_DOMAIN_NAME>_public.crt), an intermediate certificate file (<YOUR_DOMAIN_NAME>_chain.crt), and a private key file (<YOUR_DOMAIN_NAME>.key), securely store these files. You will need them for deployment.

    • If the package contains only a certificate file (<YOUR_DOMAIN_NAME>_public.crt) and an intermediate certificate file (<YOUR_DOMAIN_NAME>_chain.crt) but not a private key file (<YOUR_DOMAIN_NAME>.key), you must deploy the certificate with the private key file that you saved locally.

      Note

      If you used a tool such as OpenSSL or Keytool to generate the CSR file when you requested the certificate, the private key file is saved locally and is not included in the downloaded certificate package. If the private key is lost, the certificate cannot be used. You must purchase an official certificate and generate a new CSR and private key.

  3. Upload the certificate file, intermediate certificate file, and private key file to the server and store them in a secure external directory. This topic uses D:\cert as an example.

    Note

    The following steps use an Alibaba Cloud ECS instance as an example. For other types of servers, refer to their official documentation.

    1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

    2. Locate the target instance. Click Connect and select Sign in now. Log on to the server desktop as prompted.

    3. In the lower-left corner of the server, click the Start menu. Find and open This PC.

    4. Under Redirected drives and folders, double-click workbench On ***. Drag the certificate files from your local machine to this directory, and then right-click the folder and select Refresh.

    5. Copy the certificate files to the D:\cert directory.

      Important

      When you reconnect to or exit the instance, workbench automatically clears all uploaded files from the Redirected drives and folders directory to save space. This directory is for file transfer only. Do not save your files here.

Step 2: Configure the system and network environment

  1. Open port 443 in the security group.

    Important

    If your server is deployed on a cloud platform, make sure that its security group allows inbound access on TCP port 443. Otherwise, the service cannot be accessed from the Internet. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, see their official documentation.

    1. Go to the ECS instance page, select the region where the target ECS instance is located, and click the instance name to go to the instance details page.

    2. Click Security Group > All Intranet Inbound Rules, and make sure that a rule exists with the following settings: Authorization Policy is set to Allow, Protocol Type is TCP, Destination Port Range is HTTPS (443), and Authorization Object is set to Anywhere (0.0.0.0/0).

    3. If the preceding rule does not exist, see Add a security group rule to add the corresponding rule to the target security group.

  2. Open port 443 in the server firewall.

    1. Log on to the Windows server, click the Start menu in the lower-left corner, and open Control Panel.

    2. Click System And Security > Windows Firewall > Check Firewall Status.

    3. If the firewall is off, as shown in the following figure, no further action is required.

    4. If the firewall is on, follow these steps to allow the HTTPS rule.

      1. In the left navigation pane, click Advanced Settings > Inbound Rules, and check for an inbound rule where the Protocol is TCP, the Local Port is 443, and the Action is Block.

      2. If such a rule exists, right-click it and select Properties. On the General tab, change the setting to Allow The Connection and click Apply.

      3. For more information about firewall configurations, see Configure firewall rules.

Step 3: Deploy the certificate on the Apache server

Run Command Prompt (cmd.exe) as an administrator and perform the following operations:

  1. Go to the bin directory of the Apache installation (for example, C:\Apache24\bin) and run the following command to check the Apache version.

    REM In Command Prompt, run the command from the bin directory using a relative path.
    .\httpd.exe -v

  2. Modify the configuration file based on your Apache version.

    Apache 2.4.8 and later

    1. Combine the certificate files.

      If an intermediate certificate exists, concatenate the server certificate file (domain_name_public.crt) and the intermediate certificate file (domain_name_chain.crt), in that order, to create a complete certificate chain file (domain_name_fullchain.pem).

      REM Append the content of the intermediate certificate file to the server certificate file to form a complete certificate chain file.
      copy /b domain_name_public.crt + domain_name_chain.crt domain_name_fullchain.pem

      After combining, you need only two files: domain_name_fullchain.pem and domain_name.key.

    2. Modify the configuration file.

      Open the target configuration file (for example, httpd-ssl.conf) and add the following configuration:

      <VirtualHost *:443>
          
          # Replace example.com with the domain name that is bound to your certificate.
          ServerName example.com
          
          # Enable the SSL engine.
          SSLEngine on
          
          # Certificate file. Use the path to the actual combined certificate file (domain_name_fullchain.pem).
          # If no intermediate certificate file exists, use the path of the server certificate file (domain_name_public.crt).
          SSLCertificateFile D:\cert\domain_name_fullchain.pem
          
          # Private key file. Replace this with the actual path of your private key file.
          SSLCertificateKeyFile D:\cert\domain_name.key
          
          # Other configurations.
          # ...
          
      </VirtualHost>

    Apache 2.4.7 and earlier

    Open the target configuration file (for example, httpd-ssl.conf) and add the following configuration:

    <VirtualHost *:443>
        
        # Replace example.com with the domain name bound to your certificate.
        ServerName example.com
        
        # Enable the SSL engine.
        SSLEngine on
        
        # Certificate file. Replace this with the actual path of your certificate file.
        SSLCertificateFile D:\cert\domain_name_public.crt
        
        # Certificate chain file (specified separately). Replace this with the actual path of your intermediate certificate file.
        # If there is no intermediate certificate, you do not need to configure this directive.
        SSLCertificateChainFile D:\cert\domain_name_chain.crt
        
        # Private key file. Replace this with the actual path of your private key file.
        SSLCertificateKeyFile D:\cert\domain_name.key
        
        # Other configurations.
        # ...
        
    </VirtualHost>

  3. Optional: Set up automatic redirection from HTTP to HTTPS.

    In the target configuration file, modify the <VirtualHost> for your domain and add the Rewrite directives:

    <VirtualHost *:80>
        ServerName example.com
        RewriteEngine On
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </VirtualHost>

  4. After you complete and save the configuration changes, navigate to the bin directory of your Apache installation and run the following command to check for syntax errors.

    .\httpd.exe -t

    If Syntax OK is returned, the configuration is correct. If an error is reported, check the configuration file based on the error message.

  5. Restart the Apache service.

    If the syntax is correct, run the following command to restart the service and apply the SSL configuration.

    .\httpd.exe -k restart

    Note

    You can also find and restart the Apache service in Windows Services management (services.msc).
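
The copy /b command in the certificate combining step joins the two files byte for byte, so a server certificate file that does not end with a line break leaves an END marker and a BEGIN marker on the same line, which is not valid PEM. The following Python code is an added example, not part of the original page: it checks the structure of a combined chain file for that case, for a private key pasted into the chain, and for a missing intermediate. The function names are hypothetical and the sample blocks are constructed filler bytes, not real certificates or keys.

```python
import base64
import re

BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----", re.S)
GLUED = re.compile(r"-----END [A-Z ]+-----[ \t]*-----BEGIN")

def check_fullchain(pem_text):
    """Return the problems found in a combined certificate chain file."""
    problems = []
    if GLUED.search(pem_text):
        problems.append("END and BEGIN markers share a line (missing final newline)")
    blocks = BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key found in the chain file")
    if labels.count("CERTIFICATE") < 2:
        problems.append("fewer than two certificates (intermediate not appended)")
    for number, (label, body) in enumerate(blocks, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):      # DER structures open with SEQUENCE (0x30)
            problems.append(f"block {number} ({label}) is not base64-encoded DER")
    return problems

def fake_pem(label, fill):
    """Constructed PEM block holding filler bytes, not a real certificate or key."""
    der = b"\x30\x3c" + bytes([fill]) * 60
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

LEAF = fake_pem("CERTIFICATE", 1)
INTERMEDIATE = fake_pem("CERTIFICATE", 2)
KEY = fake_pem("PRIVATE KEY", 3)

if __name__ == "__main__":
    print(check_fullchain(LEAF + "\n" + INTERMEDIATE + "\n"))   # well-formed chain
    print(check_fullchain(LEAF + INTERMEDIATE))                  # joined without a line break
    print(check_fullchain(LEAF + "\n" + KEY + "\n"))             # key pasted into the chain
```

To check a real file, pass its text to check_fullchain, for example the content of D:\cert\domain_name_fullchain.pem. The check is structural only and does not validate signatures or expiry.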

Step 4: Verify the deployment

  1. Access your domain over HTTPS in a web browser, for example, https://yourdomain. Replace yourdomain with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.

    Starting from version 117, the lock icon in the Chrome address bar has been replaced with a new icon. Click this icon to view the lock information.

Note

If the issue persists, see FAQ for troubleshooting.

Going live

When you deploy to a production environment, follow these best practices to enhance security, stability, and maintainability:

  • Run as a non-administrator user:

    Create a dedicated, low-privilege system user for the application. Never run the application with an account that has administrator privileges.

    Note

    A recommended approach is to configure SSL at the gateway layer. This involves deploying the certificate on a Server Load Balancer (SLB). The gateway terminates the HTTPS traffic and forwards the decrypted HTTP traffic to the backend application.

  • Externalize credential management:

    Never hard-code passwords or other sensitive information in your code or configuration files. Use environment variables, Vault, or a cloud provider's key management service to inject credentials.

  • Enforce HTTP to HTTPS redirection:

    Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks.

  • Configure modern TLS protocols:

    Disable old and insecure protocols (such as SSLv3, TLSv1.0, and TLSv1.1) in your server configuration. Enable only TLSv1.2 and TLSv1.3.

  • Monitor certificates and automate renewal:

    After you deploy the certificate, enable domain monitoring. Alibaba Cloud automatically checks the certificate validity period and sends renewal reminders before expiration to help you renew in a timely manner and avoid service interruption. For detailed instructions, see Purchase and enable public domain name monitoring.
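
The virtual host shown in Step 3 contains no protocol setting, so the "Configure modern TLS protocols" practice above needs an explicit mod_ssl SSLProtocol line. The following Python code is an added example, not part of the original page: it reads a configuration text, works out which protocol versions its SSLProtocol line enables, and reports any besides TLSv1.2 and TLSv1.3. The function names are hypothetical, the token handling is a simplified model of mod_ssl, and the default of "all -SSLv3" for a missing line is an assumption about your Apache build.

```python
import re

ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALLOWED = {"TLSv1.2", "TLSv1.3"}        # the only versions the page says to enable
ASSUMED_DEFAULT = "all -SSLv3"          # assumption: used when no SSLProtocol line exists
CANON = {name.lower(): name for name in ALL}

def enabled_protocols(args):
    """Combine SSLProtocol tokens left to right (simplified model of mod_ssl)."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        group = set(ALL) if name == "all" else {CANON.get(name, name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group             # an unsigned name replaces what came before
    return enabled

def weak_protocols(conf_text):
    """Sorted protocol versions the config enables besides TLSv1.2 and TLSv1.3."""
    found = re.findall(r"(?im)^[ \t]*SSLProtocol[ \t]+(.+)$", conf_text)
    weak = set()
    for args in found or [ASSUMED_DEFAULT]:
        weak |= enabled_protocols(args) - ALLOWED
    return sorted(weak)

# Constructed samples: the page's virtual host as written, then with a protocol line added.
AS_WRITTEN = r"""
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile D:\cert\domain_name_fullchain.pem
    SSLCertificateKeyFile D:\cert\domain_name.key
</VirtualHost>
"""
HARDENED = AS_WRITTEN.replace(
    "SSLEngine on", "SSLEngine on\n    SSLProtocol -all +TLSv1.2 +TLSv1.3")

if __name__ == "__main__":
    print(weak_protocols(AS_WRITTEN))
    print(weak_protocols(HARDENED))
```

The TLSv1.3 token is accepted only by Apache builds linked against OpenSSL 1.1.1 or later; .\httpd.exe -t reports whether the line parses on your build.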

FAQ

Why is my certificate not working or HTTPS inaccessible after installation or update?

This issue is often caused by one of the following configuration problems. Check them in order:

  • Port 443 blocked: The server's security group or firewall does not have port 443 open. See Configure the system and network environment.

  • Domain mismatch: The domain you are accessing is not listed in the certificate's Bound Domains. See Domain name matching.

  • Apache service not restarted: The Apache service was not restarted after the Apache configuration file was modified. See Restart the Apache service.

  • Incorrect certificate configuration: The certificate files were not correctly replaced, or the Apache configuration does not correctly specify the certificate path. Check that the Apache configuration file and the certificate files in use are valid and up to date.

  • Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.

  • Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.

What is the correct way to update an SSL certificate on an Apache server?

To update an existing SSL certificate on Apache, you should replace the old certificate files with the new ones and then restart the service.

Follow these steps:

  1. Back up existing files: Before making any changes, back up the original certificate files (.crt or .pem) and the private key file (.key) from your server.

  2. Download and upload the new certificate: Obtain the new certificate files from your SSL Certificate Service console. Upload them to your server, overwriting the old files.

    Ensure the new files have the exact same names and are placed in the same directory as the old ones, so you don't need to change your Apache configuration file.

  3. Restart the Apache service: To apply the new certificate, restart the Apache service. You can do this by running .\httpd.exe -k restart from the bin directory of your Apache installation.