Once you have obtained a signed digital certificate, you need to install it and set up SSL to use your certificate and private key instead of the default.

When you got your certificate, you most likely saved it to a file on your local computer. You will need to copy the file onto your Virtual Private Server via FTP. Be sure to copy the file using ASCII format to avoid corrupting the file. Copy the file to the /usr/local/certs/ directory with the name example.com.cert (using your domain name).

If your signing authority provided you with a Certificate Authority file, you should also copy it to the /usr/local/certs/ directory.

Once the certificate is on your server, make sure your Private Key, which you generated at the same time as you generated the CSR, is still in the /usr/local/certs/ directory with the name example.com.key. Make sure to keep a copy of the Private Key in a different location as well so if you make a mistake you don't lose your Private Key. You may want to create a directory on your Virtual Private Server and store a copy of both your Private Key and the Certificate until you are certain that the new certificate is working properly.

With both files in place, connect to your Virtual Private Server via SSH or Telnet, su to root, and run the following commands:

# cd /usr/local/certs
# openssl rsa -in example.com.key -out example.com.key

This command removes the default encryption on your key, and makes it usable by the Apache Web Server. You can tell if your Private Key has been decrypted or not by looking at the file. When your key was generated, the first few lines should have looked similar to the following.

Proc-Type: 4,ENCRYPTED


After decrypting your key, the key should have changed to look similar to the following.


Edit your /www/conf/httpd.conf file to use your certificate file by adding the following to the main section (or appropriate virtual host, if it has a unique IP address) of your httpd.conf file:

SSLCertificateFile /usr/local/certs/example.com.cert
SSLCertificateKeyFile /usr/local/certs/example.com.key

If your Signing Authority tells you an intermediate certificate is required, you must add a directive for that as well, next to the above two lines:

SSLCACertificateFile /usr/local/certs/intermediate.cert

Once you have added the certificate directives to your httpd.conf file, you need to run restart_apache to make Apache restart so it can use the new certificate.
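A check worth running before restart_apache, given here as an added example that is not part of the original page: it confirms that the key is decrypted, that only its owner can access the file (a decrypted key has no other protection), and that the certificate and key belong together. The function names are hypothetical, and the modulus comparison assumes an RSA key, as in the openssl rsa command above.

```shell
#!/bin/sh
# Added example: pre-restart checks for the certificate and key installed above.
# Function names are hypothetical; the paths in the usage line follow the page.
# Usage: sh check_cert.sh /usr/local/certs/example.com.cert /usr/local/certs/example.com.key

# key_state FILE -> prints "encrypted", "plain" or "unknown"
key_state() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted   # passphrase is still set on the key
    elif grep -q 'BEGIN .*PRIVATE KEY' "$1"; then
        echo plain       # decrypted: file permissions are now its only protection
    else
        echo unknown     # not a PEM private key (or the file is unreadable)
    fi
}

# key_perms_ok FILE -> succeeds only if group and others have no access at all
key_perms_ok() {
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_matches_key CERT KEY -> succeeds if both carry the same RSA modulus
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}

# check_install CERT KEY -> prints "ok" if all checks pass, else returns 1
check_install() {
    [ "$(key_state "$2")" = plain ] || { echo "key is not decrypted: $2" >&2; return 1; }
    key_perms_ok "$2" || { echo "key is accessible to group/other: chmod 600 $2" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match or cannot be read" >&2; return 1; }
    echo ok
}

# Run the checks when called with a certificate path and a key path.
if [ "$#" -eq 2 ]; then
    check_install "$1" "$2"
fi
```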

Check to make sure the new certificate is working by connecting to the domain your certificate is set up to use via HTTPS. For example, if your domain name was www.example.com, you would type the following into your browser's address or location bar:

https://www.example.com/


If the page loads without any errors, find the lock icon on your browser and click on it (depending on your browser, you may need to double-click). This will bring up the certificate information, or a window that lets you view certificate information. Check to see that the certificate is using the correct domain name and has the correct information.

If you intend to use your SSL certificate with e-mail as well, you will need to make links so that the POP and IMAP servers will be able to find the file as well:

# ln /usr/local/certs/example.com.pem /usr/local/certs/imapd.pem

# ln /usr/local/certs/example.com.pem /usr/local/certs/ipop3d.pem

You can now configure your e-mail client to use SSL.

If you get an error trying to view the page, see the Troubleshooting Certificate Installation Problems page to help you get the certificate working.

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments.
