Configuring SSL for Apache on Debian or Ubuntu

Submitted by Will Jackson on Sun, 04/22/2012 - 2:47pm


Manually configuring SSL for Apache can be tricky for the beginner or those coming from a shared hosting where everything is handled from a control panel such as cPanel or Webmin.  The following tutorial will guide you through the steps required for configuring SSL on a Debian based operating system such as Ubuntu, Debian Mint, or good old vanilla Debian.  The operating system used for this tutorial was Debian 6 Squeeze, and the SSL certificate was supplied by

First thing we should do is navigate to the directory on the filesystem that contains all of our secure certificates.  If you’re using Debian or Ubuntu, this directory typically can be found at /etc/ssl/certs/, but before we go any further we should go ahead and elevate our permissions to root.

As root, Navigate to /path/to/certs         

Note: Default for Debian and Ubuntu is /etc/ssl/certs/
$ cd /path/to/certs        

To generate .CSR key to be signed by provider with Apache 2 and OpenSSL use the following command:

$ openssl req -new -newkey rsa:2048 -nodes -keyout -out

 Below are explanations for the values that you should provide.

Country Code: For this question, we will want to supply the 2-digit ISO abbreviation for your country.  If you’re in the United States, then your 2-digit ISO abbreviation will be US.
State or Province Name: This should be the full name of the state or province where your organization is located.  Do not abbreviate the name, you must use the full name.
Locality Name(city): This will be the town or city where your organization is located.  If your location is basedin Mountain View, CA, then your locality name would be Mountain View.
Organization Name: This should be the legal name of your organization.  If your organization is Example, LLC, then your CSR’s organization should be Example, LLC.
Organization Unit: This value should reflect the section of the section of your organization, such as accounting, marketing, billing, Information Technology, etc.
Common Name: This would be the fully qualified domain name for your website, for example if your website is then your CSR’s common name should be
Email Address: An email address that can be used to contact your organization.
Note: You will be prompted to supply ‘extra’ attributes.  It is in most cases advised to leave these fields  blank, you can do so by just pressing enter at the prompt.

Once the files have been generated, we will need to print the the contents of by using the cat command.  This will generate an encrypted signature preceded by -----BEGIN CERTIFICATE REQUEST-----

and followed by -----BEGIN CERTIFICATE REQUEST-----, we will need to copy the contents of the file in its entirety into your ssl providers web ui.

Once you submit the contents of your file, you will be able to download a package containing (2) files:, and provider_bundle.crt.”  

Note: If you’re using GoDaddy your “provider_bundle.crt” file may be called either “gd_bundle.crt” or “sf_bundle.crt.”

Download and unzip the signed certificate, and move the contents of the .zip file into /path/to/certs.

Once both files have been placed in the /path/to/certs directory, you then must next modify your Apache Virtual Host to reflect the signed certificate.

If your are adding SSL encryption to a pre-existing site, odds are you already have the first Virtual Host entry, however for this tutorial we will focus on the second entry for port 443.  Below is an example of how your the virtual host file for your website should appear:

<VirtualHost *:80>
     DocumentRoot /path/to/
     ErrorLog /path/to/
     CustomLog /path/to/ combined

<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /path/to/certs/
     SSLCertificateKeyFile /path/to/certs/example.key
     SSLCACertificateFile /path/to/certs/sf_bundle.crt

     DocumentRoot /srv/www/
     ErrorLog /path/to/
     CustomLog /path/to/ combined

Enable SSL Module

$ a2enmod ssl

Reload Apache to Update the Changes

$ /etc/init.d/apache2 reload