Apache httpd Linux/Unix

• Create a CSR
• Installation

---

Copy the Digital Server Certificate to a file

You will receive an e-mail from Trustwave^® with the certificate attached to the e-mail. The filename will be similar to www_yourdomain_com.cer. Copy this file to your server and place it in the directory where you will keep your certificates.

We recommend copying the certificate text to the clipboard and pasting the certificate text into a text editor (like vi, nano, or pico) or using FTP to upload it to your server.

Place the Digital Server Certificate and key into folders

You will need to move the private key (which you created in the CSR step previously) and the new certificate into a secure folder. We recommend making the private key readable only by root.

In this example, we will use /etc/ssl/crt/ as our folder for private keys and certificates. The private key will be called private.key and the certificate will be called www_yourdomain_com.cer.

Edit the Apache configuration

To finish the installation, you will need to edit the global Apache configuration file (usually called "httpd.conf") or a virtual host file, depending on your server's configuration. If you are not sure where to look, try using the locate command to find httpd.conf.

Once you locate the file, add the following two lines:

SSLCertificateFile /etc/ssl/crt/www_yourdomain_com.cer
SSLCertificateKeyFile /etc/ssl/crt/private.key

Save your configuration file.

Restart Apache

For Apache to use your newly installed certificate, you will need to restart Apache. Normally this can be done with apachectl restart, /etc/init.d/httpd restart, or /etc/init.d/apache restart.

Note: If you can reach your site via "https://", but are getting an "Untrusted Issuer" message, view the details of the certificate. If the certificate shows "Issued By: Trustwave Organization Validation CA, Level 2" or "Issued By: Trustwave Domain Validation CA, Level 1", then it is likely that you need to install a Trustwave^® Intermediate certificate.

Installing your Trustwave^® Intermediate certificate through Apache

VERY IMPORTANT: In the e-mail you received from Trustwave^® when your certificate was issued, there is a ZIP file. Within that ZIP file is a file named "chain.cer". Extract this file from the .zip file and place it in the same location as your signed Digital Server certificate. If you do not see the "chain.cer" file, but are certain that your certificate requires an Intermediate, then you may download the necessary certificate from the following URL and save it in the same location as your signed certificate:

DOWNLOAD INTERMEDIATE/CHAIN FILE - This link will bring you to the "Download Root Certificates" page on ssl.trustwave.com.

Select the type of certificate you obtained (Extended Validation, Organization Validation, or Domain Validation) and select the PEM format, and then click the "Download Intermediate Certificate" button.

The Intermediate comes as either a ".cer" or ".crt" extension. Technically speaking; the ".cer" and ".crt" extensions are one in the same. If your instance of Apache requires that you use ".crt" files, then you can simply rename a ".cer" file to ".crt"

Note: At this point, you should have a file named "chain.cer", "evca2.crt", "ovca2.crt", or "dvca2.crt". Moving forward, this FAQ will refer to this file as the intermediate file.

Editing the httpd.conf or ssl.conf file

Open your httpd.conf file (some installations keep the SSL section separately in the ssl.conf file) using a text editor and locate the host section for the site that will be secured by the Certificate.

Your host section will need to contain the following directives:

"SSLCertificateChainFile" - Set this attribute to point to the intermediate file.

"SSLCertificateFile" - Set this attribute to point to the end entity certificate (the "[yourdomain].cer" file you received from Trustwave^®)

"SSLCertificateKeyFile" - Set this attribute to point to the private key that was generated with your CSR.

Save the changes to the file and quit the text editor

Restart Apache using apachectl restart, /etc/init.d/httpd restart, or /etc/init.d/apache restart.