How to install an SSL certificate (instructions)?

Apache – Installation of the SSL certificate and intermediate certificates

    1. In order to install an SSL certificate you need the following files:
      • the file containing the server certificate: yourDomainName.crt,
      • the file containing the private key,
      • the file containing the intermediate certificates (intermediate/ca-bundle) relevant to the ordered SSL certificate.

Download the ca-bundle based on the SHA-2 hash function:

Download the ca-bundle based on the SHA-1 hash function:

    2. Place the files on the server that hosts your website, in the relevant directories.

Usual settings:

      • The previously generated private key (ssl.key) needs to be placed in the /etc/ssl/ssl.key directory. Note: Only Apache should have access permissions to this directory.
      • The yourDomainName.crt and ca-bundle files should be moved to the /etc/ssl/ssl.crt directory.

Important: The above paths serve only as examples. Your server may have different ones — some modification may be required.

    3. Edit the SSL configuration file for the web server with a text editor.

Important: This file location varies depending on the web server configuration.
For Apache server:

      • Fedora/CentOS/RHEL: /etc/httpd/conf/httpd.conf
      • Debian and Debian based: /etc/apache2/apache2.conf

Common file names for SSL configuration:

    • httpd-ssl.conf
    • ssl.conf
    • or in the directory: /etc/apache2/sites-enabled/
  4. In the VirtualHost configuration of the website to be encrypted, add the following entries (if they are not already present):
    • SSLEngine on
    • SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
    • SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
    • SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle (with Apache 1.x, SSLCertificateChainFile should be used instead of SSLCACertificateFile)

    Important: The above paths serve only as examples. Your server may have different ones — some modification may be required.

    5. Additional configuration:
      • SSLProtocol all – in Apache 2.4 this enables the SSLv3 and TLSv1 protocols and, optionally, TLSv1.1 and TLSv1.2 (with OpenSSL 1.0.1 and higher). In Apache 2.2 the SSLProtocol All -SSLv2 directive should be used; the -SSLv2 parameter disables support for the obsolete SSLv2 protocol.
      • SSLHonorCipherOrder On – the server enforces the order in which ciphers are used.
      • SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS – gives priority to the strong ciphers while disabling the weak and obsolete ones.
    6. Save the changes to the configuration file.
    7. Restart the server with one of the following commands:
        • Debian or Ubuntu distributions: /etc/init.d/apache2 restart
        • Red Hat/Fedora/CentOS distributions: apachectl restart
        • other commands: /usr/sbin/httpsd restart or /etc/init.d/apache restart
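
A check that can be run against the edited VirtualHost before restarting, as an added example (not Certum's or Apache's code). It looks for the directives listed above and resolves the SSLProtocol value into the set of enabled protocol versions, assuming that `all` expands as this page describes for Apache 2.4 and that a bare token replaces the set while `+`/`-` add or remove; the LEGACY set and the sample configuration are constructed for illustration.

```python
import re

# "all" as this page describes it for Apache 2.4 (TLSv1.1/1.2 need OpenSSL 1.0.1+).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: versions to flag as deprecated
REQUIRED = ("SSLEngine", "SSLCertificateKeyFile", "SSLCertificateFile", "SSLCertificateChainFile")
NAMES = {n.lower(): n for n in ALL | LEGACY}  # protocol names are matched case-insensitively

def effective_protocols(value):
    """Resolve an SSLProtocol value: a bare token replaces the set, +/- adds or removes."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL) if name.lower() == "all" else {NAMES.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        else:
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit_vhost(conf):
    """Return a list of findings for the SSL directives in one VirtualHost block."""
    seen = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.*\S)", line)  # commented-out lines do not match
        if m:
            seen[m.group(1).lower()] = m.group(2)
    findings = [f"missing {d}" for d in REQUIRED if d.lower() not in seen]
    if seen.get("sslengine", "on").lower() != "on":
        findings.append("SSLEngine is not on")
    if "sslprotocol" in seen:
        protos = effective_protocols(seen["sslprotocol"])
        findings += [f"legacy protocol enabled: {p}" for p in sorted(protos & LEGACY)]
    if seen.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    return findings

# Constructed sample: the page's example paths, "SSLProtocol all", no chain file.
SAMPLE = """<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
    SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
    SSLProtocol all
    SSLHonorCipherOrder On
</VirtualHost>"""

if __name__ == "__main__":
    print("\n".join(audit_vhost(SAMPLE)))
```

On Apache 2.4.8 and later the intermediate certificates may instead be appended to the file named by SSLCertificateFile, in which case the missing SSLCertificateChainFile finding can be ignored.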

IIS 7 – Installation of the SSL certificate

Server certificate installation

  1. On receipt of an email with the SSL certificate for the server, copy it into any text editor and save the file with the .cer extension (e.g. www_moja_domena.cer).
  2. In order to "close" the previously generated CSR request on the IIS and upload the SSL certificate received, go to the Internet Information Services (IIS) Manager, and from the left menu select your server name. From the centre panel click the Server Certificates icon, then from the Actions right-hand panel select Complete Certificate Request.
  3. Select the file that contains the server certificate issued. In the Friendly name: box enter a friendly name for the certificate, which will help you to identify it, e.g. www.moja-domena.pl. Confirm it with the OK button.
  4. The issued server certificate will be displayed in the Server Certificates centre panel.

Linking the certificate to a website

  1. Click on the website name (Default Web Site), then from the Actions menu select Bindings…
  2. In the Site Bindings window which will be displayed click Add….
  3. In the Add Site Bindings window from the Type: dropdown list select https, then from the SSL certificate: dropdown list select the certificate which you will use for your website. The list displayed includes certificates with their own private keys.
  4. With the changes confirmed, the Site Bindings window should look like this:

MMC console configuration

  1. Launch the MMC (Microsoft Management Console) console. From the File menu select Add/Remove Snap-in…
  2. Then, from the list of available snap-ins, select Certificates and click on the Add > button.
  3. Select Computer account and click on Next>.
  4. Select Local computer and click on Finish.

IIS 7 – Installation of intermediate certificates

Intermediate authority certificates are very important for the SSL certificate to work correctly. They should be installed on the web server, so that the web browser can verify the SSL certificate issuer in the correct manner.

Note: Actions described in this manual should be performed only if there are no certificates installed on the Windows 2008/2012 server system.

Installation of Intermediate certificates

For a Commercial SSL certificate or its MultiDomain/Wildcard option, the following intermediate certificate should be downloaded and installed on the server:

SHA-2

Authority key – Certum Domain Validation CA SHA2 (the key is available in different formats):

SHA-1

Authority key – Certum Level II CA SHA-1 (the key is available in different formats):

For a Trusted SSL certificate or its MultiDomain/Wildcard option, the following intermediate certificate should be downloaded and installed on the server:

Authority key – Certum Level IV CA SHA-2 (the key is available in different formats):

Authority key – Certum Level IV CA SHA-1 (the key is available in different formats):

For a Premium EV SSL certificate or its MultiDomain/Wildcard option, the following intermediate certificate should be downloaded and installed on the server:

SHA-2

  1. Authority key – Certum Extended Validation CA (the key is available in different formats):

SHA-1

  1. Authority key – Certum Extended Validation CA SHA-1 (the key is available in different formats):
  2. Authority key – Certum Trusted Network CA (Cross Certum CTNCA and Certum CA)
    CER

Installation of intermediate certificates on a server – step by step

From the Certificates (Local Computer) tree expand the Intermediate Certification Authorities branch. Select the Certificates item, right-click and from the menu select All Tasks -> Import…

  1. In the Certificate Import Wizard click Next.

  • Select the file with an intermediate certificate and click Next.
  • Select a target location where the certificate will be stored. Select Place all certificates in the following store. The Certificate store: box should indicate Intermediate Certification Authorities.
  • Select the file with an intermediate certificate and click Next.
  • If you want to install intermediate certificates for certificates of other types, repeat the above steps (from points 2 to 6).
  • Restart the IIS service.

 

Note: In some cases changes in the IIS configuration may not be visible after the service restart. If this is the case, you should restart the Windows operating system.

Reissue – 30 days guarantee for exchanging the SSL certificate: free of charge

What is "reissue"?

A reissue is a repeated issue of a certificate that keeps the end-of-validity date of the original certificate. A certificate reissued using this mechanism is completely free.

This mechanism is used in the following situations:

  • The SSL certificate was changed from the SHA-1 algorithm to the SHA-2 algorithm,
  • The private key was lost,
  • The SSL certificate was lost,
  • The SSL certificate and the private key do not match,
  • The certificate or the key was removed from the server,
  • The owner of the SSL certificate wants to replace it with a new one for any other reason.

Note – important information for users!

The reissue mechanism causes the original SSL certificate to be automatically revoked by the Certum Certification Authority at least 14 days after the reissue of the certificate. Therefore, we suggest that you install the newly issued SSL certificate on your server in place of the original certificate. At the same time, the newly issued certificate will become the base certificate.
