Install Your PositiveSSL Certificate on Apache Mod_SSL / OpenSSL

To illustrate the installation process, we’ll use the directory /etc/ssl/crt/ and refer to the private key as “private.key” and the public key as “yourdomainname.crt.”

Phase One: Copy Your SSL Certificate to File

  • You will receive an email from PositiveSSL with the SSL certificate attached (yourdomainname.crt). When viewed in a text editor, your SSL certificate will look something like this:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
  • Copy your SSL certificate into the directory where you’ll be holding your SSL certificates. Both the public and private key files will already be in this directory. We recommend that you make the directory that contains the private key file readable only by root.

Phase Two: Install the Intermediate SSL Certificate

  • Install the chain certificate (intermediates) in order for browsers to trust your SSL certificate. In addition to the SSL certificate (yourdomainname.crt), three other certificates (UTN-USERFirst-Hardware.crt, AddTrustUTNServerCA.crt and PositiveSSLCA.crt) are also attached to the email from PositiveSSL. Apache users need only the intermediate certificates AddTrustUTNServerCA.crt and PositiveSSLCA.crt.
  • Create a bundle file by adding both certificates’ text to a text editor file — PositiveSSLCA.crt first, then AddTrustUTNServerCA.crt. Save the file as “ca.txt.”
  • In the httpd.conf file, in the Virtual Host settings for your site, complete the following:
      1. Copy the ca.txt file to the same directory as httpd.conf (this contains all of the CA certificates in the chain).
      2. Add the following line to the SSL section of httpd.conf (assuming /etc/httpd/conf is the directory where you have copied the ca.txt file). If the line already exists, edit it to this:
SSLCACertificateFile /etc/httpd/conf/ca.txt

If you’re using a different location and SSL certificate file names, you’ll need to change the path and file name to reflect your server.

  • The SSL section of the updated httpd.conf file should now look something like this, depending on the naming and directories used:
SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCACertificateFile /etc/httpd/conf/ca.txt
  • Save your httpd.conf file and restart Apache.
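
The shell functions below are an added example, not part of the original guide or of PositiveSSL's tooling. They build ca.txt in the order given above and check, before the restart, that the key directory is private, that private.key belongs to yourdomainname.crt, and that the certificate chains through the bundle. The function names are hypothetical, and treating UTN-USERFirst-Hardware.crt as the root (and the path shown for it) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): checks to run before restarting
# Apache. Function names are hypothetical; file names follow the guide.

# Build the bundle in the order the guide gives: PositiveSSLCA.crt first,
# then AddTrustUTNServerCA.crt. Refuses inputs that are not PEM certificates.
build_bundle() {    # build_bundle <dir-with-intermediates> <output-file>
    for f in "$1/PositiveSSLCA.crt" "$1/AddTrustUTNServerCA.crt"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || {
            echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cat "$1/PositiveSSLCA.crt" "$1/AddTrustUTNServerCA.crt" > "$2"
}

# Succeed only if the directory grants no permissions to group or other.
dir_is_private() {  # dir_is_private <dir>
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Succeed only if the certificate and the private key share one public key.
key_matches_cert() {  # key_matches_cert <cert> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate chains through the bundle to the given root.
# Assumption: the root is UTN-USERFirst-Hardware.crt from the same email.
chain_verifies() {  # chain_verifies <cert> <bundle> <root>
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Run every check, print one line per failure, return non-zero on any failure.
preflight() {       # preflight <cert> <key> <bundle> <root>
    rc=0
    dir_is_private "$(dirname "$2")" || { echo "key directory open to group/other"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate"; rc=1; }
    chain_verifies "$1" "$3" "$4" || { echo "certificate does not chain to root"; rc=1; }
    return "$rc"
}
# Example (the root certificate's location is an assumed path):
# preflight /etc/ssl/crt/yourdomainname.crt /etc/ssl/crt/private.key \
#           /etc/httpd/conf/ca.txt /etc/ssl/crt/UTN-USERFirst-Hardware.crt
```

After editing httpd.conf, apachectl configtest reports syntax errors in the configuration before the restart takes the site down.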