EV SSL Certificate Installation in Apache
Apache Server EV SSL Certificate Installation
As soon as your EV certificate is approved, it will be sent to the email address you entered during the order process. The certificate files will all be included in a .zip attachment. The EV certificate can also be downloaded from your DigiCert Customer account inside the "EV Certificate Manager" area.
Copy the Certificate files to your server.
Download the zip file containing all of the certificates. This will contain one root certificate (TrustRoot.crt), two intermediate certificates (DigiCertCA.crt and DigiCertCA2.crt), and a primary EV certificate (your_domain_name.crt). Copy them to your server, into the same directory as your key file. As a security precaution, you can make them readable only by root.
Find the Apache config file to edit.
The location and name of this file vary from server to server, especially if you use a special interface to manage your server configuration.
Apache configuration files are usually found in /etc/httpd. The main configuration file is often named httpd.conf. In some cases the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find the <VirtualHost> blocks in their own files under a directory like /etc/httpd/vhosts.d/ or /etc/httpd/sites/ or in a file called ssl.conf.
Once you open the file in a text editor, find the <VirtualHost> blocks that contain the settings for your website.
Identify the SSL <VirtualHost> block to configure
If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and configure it for SSL as described in step 5.
To set up your site to only be accessible securely, configure the existing virtual host for SSL as described in step 5.
Configure the <VirtualHost> block for the SSL-enabled site.
Below is a simple example of a virtual host configured for SSL. The directives whose names begin with SSL must be added for SSL configuration:
<VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html2
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Adjust the file names to match your certificate files:
- SSLCertificateFile should be your DigiCert certificate file (e.g. your_domain_name.crt).
- SSLCertificateKeyFile should be the key file generated when you created the CSR.
- SSLCertificateChainFile should be DigiCertCA.crt.
Test your Apache config before restarting.
It is always best to check your Apache config files for any errors before restarting, because Apache will not start again if your config files have syntax errors. Run the following command: (it is apache2ctl on some systems)
Install your EV site seal (Required)
The DigiCert EV Site Seal enables all versions of Internet Explorer 7 to display a Green URL bar. It should be displayed on a webpage that visitors view before they go to any of your secure pages. To collect your site seal code, return to your DigiCert Account and click on your order number. Then click on the "Get Site Seal" button. You can select the type of seal that you want and click the "Generate Site Seal HTML code" button. Copy and paste the site seal code into the HTML for your website where you would like the site seal to be displayed.
Troubleshooting Tip: Internet Explorer 7 also requires that the phishing filter be turned ON in order to turn the address bar green.
You can use apachectl commands to stop and start Apache with SSL support:
Note: If SSL doesn't work when you restart, try using "apachectl startssl" instead of "apachectl start". If support for SSL only loads with "apachectl startssl", you should change the Apache startup configuration to include SSL support using the regular "apachectl start" command, so that you don't have to run "apachectl startssl" in the case of a server reboot. You can usually do this by removing the <IfDefine SSL> and </IfDefine> tags that enclose your SSL configuration.
Test your SSL site with a browser.
For best results, close your web browser first and re-launch it. Go to your site using its https secure URL. Be sure to test with more than just Internet Explorer, because IE can automatically download intermediate certificates but other browsers will give an error if all the certificates aren't installed properly.
If your site is public, you can also use our Server Certificate Tester which can detect common problems.
If you receive a "not trusted" warning, view the certificate to see if it is the certificate you expect. Check the Subject, Issuer, and Valid To fields. If the SSL Certificate is issued by DigiCert, then your SSLCertificateChainFile is not correctly configured.
If you do not see the certificate you expect, then you may have another SSL <VirtualHost> block before the one you recently configured. Name-based virtual hosts are not possible with https unless you use the same certificate for all virtual hosts (e.g. a wildcard certificate, or a unified communications certificate). It is not a limitation of Apache, but of the SSL protocol. Because Apache must send a certificate during the SSL handshake, before it receives the HTTP request which contains the Host header, Apache always sends the SSLCertificateFile from the first <VirtualHost> block that matches the IP and port of the request.