This post walks through installing an SSL certificate on an Apache virtual host running Ubuntu 12.04 or later. It assumes you are logged in as root. Before we begin, let’s grab an SSL certificate for $9.00 from NameCheap.

After You Complete This Tutorial

To get the maximum benefit from your new cert, be sure to read our post on Securing SSL Against Common Exploits after completing this tutorial.

First, change into the system’s private key directory (despite the post title, this is not Apache-specific: it is where Debian and Ubuntu keep keys that only root may read):

$ cd /etc/ssl/private

Then generate the keys for the Certificate Signing Request (CSR) by running the following command:

$ openssl genrsa -out server.key 2048

What Did We Just Do? Here’s the Explanation:

The command above uses OpenSSL to generate a 2048-bit RSA key pair and writes it, unencrypted, to a file called server.key. Nothing is hashed or signed at this step: SHA-256 only enters the picture later, when the CA signs your certificate (the issued certificate will show sha256WithRSAEncryption as its signature algorithm). Because the key is stored without a passphrase, so that Apache can start unattended, file permissions are the only thing protecting it; we fix those further down.

The CSR is what you send to the company that issues (and digitally signs) the certificate, the Certificate Authority (CA). It is not a hash of the certificate parameters: it contains the subject information you enter in the questionnaire (the Distinguished Name), the public half of the key you just generated and any requested attributes, and it is signed with your private key so the CA can confirm that the requester actually holds that key. The private key itself never leaves the server.

To create the CSR, run the following command:

$ openssl req -new -key server.key -out server.csr

You will be prompted for Country, State, Organization, Common Name, email address and so on. For Extended Validation (EV) certs the CA validates your organization, so all fields except the email address are required and must match your registered company details. For non-EV (domain validated) certs the common name is the only field you really need.

What’s a Common Name?

For our purposes, the common name is just a fancy term for the actual web address you want to protect and run SSL on. If you want to run SSL on both the www and the non-www form of your domain, preface your domain name with www. If you don’t care for the www prefix, just enter the bare domain name.

WWW vs No WWW Prefix

NOTE: If you create a CSR with the www prefix, the non-www version of your site will usually work over SSL as well, because most CAs (Comodo included) add the bare domain to the certificate as a Subject Alternative Name. Do not assume this, though: check the subjectAltName extension of the issued certificate, because a browser visiting a hostname that is neither the common name nor one of the SANs shows a hostname mismatch warning. For the sake of ‘cleanliness’, we prefer to leave off the www prefix.

Here’s what the CSR generation process looks like (the first two lines, about generating and writing a private key, only appear when you let openssl req create the key itself with -newkey; with -key server.key as above they are omitted):

Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Delaware
Locality Name (eg, city) []:Wilmington
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Living Wholesome LLC
Organizational Unit Name (eg, section) []: Code Sport IO
Common Name (eg, YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Heads Up

NOTE: Once you fill out the main questionnaire, skip the ‘extra’ attribute questions by pressing enter: leave the email address, challenge password and optional company name empty. The challenge password is an attribute embedded in the CSR that practically no CA uses; it is not a passphrase on your key and does not protect it.

Your CSR will now be generated and stored in the server.csr file.
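The key and CSR steps above, done non-interactively, as an added example that is not part of the original post. It puts both the bare domain and its www host into a Subject Alternative Name (so the www-vs-no-www question does not arise), locks the key down as soon as it exists, and runs the checks worth doing before the CSR is pasted into the CA’s form. example.com and the DN values are made up; the openssl config is fed on stdin so nothing depends on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not part of the original post. Performs the key and CSR steps
# non-interactively and checks the result before it goes to the CA.
# example.com and the DN values are invented.
set -eu

# Generate the RSA private key and lock it down before anything else reads it.
# genrsa produces a key pair only; no hashing or signing happens at this step.
make_key() {  # make_key path
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 400 "$1"
}

# Build the CSR: subject DN, the public half of the key and the SAN list, all
# signed with the private key so the CA can check the requester holds it.
# The "extra" attributes (challenge password etc.) are simply not included.
make_csr() {  # make_csr key csr domain
  openssl req -new -key "$1" -out "$2" -config /dev/stdin \
    -subj "/C=US/ST=Delaware/L=Wilmington/O=Living Wholesome LLC/CN=$3" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = san
[dn]
CN = placeholder
[san]
subjectAltName = DNS:$3, DNS:www.$3
EOF
}

# ---- checks before submission ----------------------------------------------

key_bits() {  # prints the RSA modulus size of a private key
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

csr_signature_ok() {  # the CSR's self-signature verifies under its embedded public key
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_matches_key() {  # csr_matches_key key csr: the CSR carries our key's public half
  [ "$(openssl req -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

csr_has_name() {  # csr_has_name csr dns-name: the name appears in the SAN list
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

demo() {
  d=$1
  make_key "$d/example.com.key"
  make_csr "$d/example.com.key" "$d/example.com.csr" example.com
  echo "key size: $(key_bits "$d/example.com.key") bits"
  csr_signature_ok "$d/example.com.csr" && echo "CSR signature: ok"
  csr_matches_key "$d/example.com.key" "$d/example.com.csr" && echo "CSR public key matches private key: ok"
  csr_has_name "$d/example.com.csr" www.example.com && echo "SAN covers www.example.com: ok"
  openssl req -in "$d/example.com.csr" -noout -subject   # what the CA will see
}

demo "$(mktemp -d)"
```

The check that matters most is csr_matches_key: if a CSR was generated against a different key than the one that ends up in /etc/ssl/private (an easy mistake when a CSR is regenerated), the CA will happily issue a certificate that Apache can never use.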

In this example, the CA is reached through the site where we purchased our certificate. Namecheap is acting as a reseller; the certificate itself is issued and signed by Comodo, which is why the chain section below deals with Comodo’s files. Paste the contents of your CSR file into the reseller’s form for processing. Only the CSR leaves the server; the CA uses it to issue the certificate, and the private key stays in /etc/ssl/private.

TODO – Housekeeping Items: Rename Your server.key File

Rename your key file after the common name you chose when generating the CSR, so it is obvious which site it belongs to. At the command line you would run mv server.key with the new file name as the second argument.

Place the .crt file (provided by the CA) in the /etc/ssl/certs/ directory. Make sure the .key file is in the /etc/ssl/private/ directory.

The private key must not be readable by anyone but root: any local user who can read it can impersonate your site and decrypt captured traffic (for RSA key exchange). Apache reads the key as root at startup, so nothing else needs access. Run the following on the key file to remove read permission from everyone except root:

$ chmod 400 /etc/ssl/private/

The certificate is public (every client receives a copy during the handshake), so restricting it is housekeeping rather than a security control, but it does no harm:

$ chmod 400 /etc/ssl/certs/

Updating Certificate Chain Files

CAs will typically supply one or more intermediate (chain) certificates. Your certificate is not signed by the root the browser trusts but by an intermediate CA, and the server must send that intermediate so clients can build the path from your certificate up to the trusted root. This Super User answer gives a good explanation.

Comodo Certificates

Step 1: Create the intermediate certificate chain.

    Comodo’s zip file contains the root and two intermediate certs. You do not include the root: clients already have it in their trust store, and the chain file is only for the intermediates between that root and your certificate. Concatenate the following two files, in this order (the one that signed your certificate first), into a new file:

  1. COMODORSADomainValidationSecureServerCA.crt
  2. COMODORSAAddTrustCA.crt

    Each file is one PEM block; keep the blocks intact, one directly after the other, with no blank lines or stray whitespace inside them. Concatenating with cat is safer than copy-pasting in an editor. The new file should have this structure:

    -----BEGIN CERTIFICATE-----
    (contents of COMODORSADomainValidationSecureServerCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (contents of COMODORSAAddTrustCA.crt)
    -----END CERTIFICATE-----

    Caveat: COMODORSAAddTrustCA.crt is a cross-certificate leading to the AddTrust External CA Root, which expired on 30 May 2020. Modern clients validate to the COMODO RSA Certification Authority root directly, so on a current system leave that second file out.

Steps 2 and 3: Save the file as comodo-chain-bundle.crt and copy it to your server’s /etc/ssl/certs/ folder.

Step 4: Restrict the file to root (like the certificate, the chain is public, so this is housekeeping rather than a security control):

    $ chmod 400 /etc/ssl/certs/comodo-chain-bundle.crt

That’s it! You’re done configuring your chain file!
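The chain assembly above, plus the checks worth running on the finished files before the Apache config is touched, as an added example that is not part of the original post. A real CA hands you the leaf certificate and its intermediates; to run offline, this first builds a throwaway root, intermediate and leaf with openssl to stand in for those files (one intermediate rather than Comodo’s two, and example.com and the CA names are invented), then concatenates the chain in the order the post describes and verifies it the way a client would.

```shell
#!/bin/sh
# Added example, not part of the original post. The hierarchy built here is a
# stand-in for the files a CA ships; all names are invented.
set -eu

# Private openssl config so the example does not depend on the system openssl.cnf.
# -subj on the command line overrides the placeholder CN.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
}

# Stand-in for the CA: creates root.crt, int.crt and example.com.crt (+ keys) in $1.
make_hierarchy() {
  d=$1; cnf=$d/openssl.cnf
  write_cnf "$cnf"
  # Self-signed root: the thing that lives in the client's trust store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Demo Root CA" -days 30 -config "$cnf" -extensions v3_ca 2>/dev/null
  # Intermediate issued by the root: the cert that belongs in the chain file.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Issuing CA" -config "$cnf" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/int.crt" -days 30 -extfile "$cnf" -extensions v3_ca 2>/dev/null
  # Leaf issued by the intermediate: what the CA returns for your CSR.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/example.com.key" -out "$d/example.com.csr" \
    -subj "/CN=example.com" -config "$cnf" 2>/dev/null
  openssl x509 -req -in "$d/example.com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/example.com.crt" -days 30 -extfile "$cnf" -extensions v3_leaf 2>/dev/null
  chmod 400 "$d/example.com.key"   # only the private key needs locking down
}

# Step 1 of the post: concatenate the intermediates, the leaf's issuer first.
# cat keeps every PEM block intact on its own lines; no editor work needed.
build_chain() {  # build_chain out issuer-of-leaf [next-intermediate ...]
  out=$1; shift
  cat "$@" > "$out"
}

# The first certificate in the chain file must be the one that signed the leaf
# (openssl x509 reads only the first PEM block of a file).
chain_order_ok() {  # chain_order_ok leaf chain
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
  first_subject=$(openssl x509 -in "$2" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${first_subject#subject=}" ]
}

# The private key in /etc/ssl/private must be the one the CA certified.
key_matches_cert() {  # key_matches_cert key cert
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Full path validation: root as trust anchor, chain file as the untrusted
# intermediates, leaf as the target. This is what a browser does on connect.
verify_chain() {  # verify_chain root chain leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

demo() {
  d=$1
  make_hierarchy "$d"
  build_chain "$d/chain-bundle.crt" "$d/int.crt"
  chain_order_ok "$d/example.com.crt" "$d/chain-bundle.crt" && echo "chain order: ok"
  key_matches_cert "$d/example.com.key" "$d/example.com.crt" && echo "key matches cert: ok"
  verify_chain "$d/root.crt" "$d/chain-bundle.crt" "$d/example.com.crt" && echo "path validation: ok"
  # Common mistake: putting the root (or the wrong intermediate) first.
  build_chain "$d/bad-bundle.crt" "$d/root.crt" "$d/int.crt"
  chain_order_ok "$d/example.com.crt" "$d/bad-bundle.crt" || echo "bad bundle: first cert is not the leaf's issuer"
}

demo "$(mktemp -d)"
```

openssl verify builds the path itself and does not care about the order of the untrusted certificates, which is why chain_order_ok is a separate check: Apache sends the chain file in the order it is written, and TLS 1.2 clients expect the leaf’s issuer to come first.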

Copy the site’s original virtual host file to a new file for the SSL site, then edit the copy using nano (leave the original :80 virtual host in place so plain-HTTP visitors still get a response):

$ cd /etc/apache2/sites-available/
$ cp
$ nano

Next, edit the following lines so the copy operates properly with SSL:

  1. In the first line, <VirtualHost *:80>, change :80 to :443 so it reads <VirtualHost *:443>. Ubuntu’s ports.conf already adds Listen 443 once mod_ssl is enabled, so nothing else is needed for the port.
  2. Now, at the bottom of the file, just above the </VirtualHost> line, add the following. The ServerName in the copied file must match the certificate’s common name or one of its SANs, or browsers will warn:
#SSL Directives

SSLEngine on
SSLCertificateFile /etc/ssl/certs/<>.crt
SSLCertificateKeyFile /etc/ssl/private/<>.key
SSLCertificateChainFile /etc/ssl/certs/<comodo-chain-bundle>.crt

Caveat: on Apache 2.4.8 and later SSLCertificateChainFile is deprecated. There, append the chain file to your certificate file (your certificate first, then the intermediates) and point SSLCertificateFile at the combined file instead.

After you’ve done this you’ll need to enable your site. Invoke the following commands to enable mod_ssl and the new VirtualHost you created, check the configuration for errors (a typo in a certificate path will otherwise take the whole server down), and restart Apache:

$ sudo a2enmod ssl
$ sudo a2ensite
$ sudo apache2ctl configtest
$ sudo service apache2 restart

Now when you navigate to the site via https:// you should connect without warnings. To see exactly what the server sends, including the chain, run openssl s_client -connect against port 443 with -servername set to your host name; a final line of Verify return code: 0 (ok) means clients can build the full path to a trusted root.