Apache Server EV SSL Certificate Installation

As soon as your EV certificate is approved, it will be sent to the email address you entered during the order process. The certificate files will all be included in a .zip attachment. 

  1. Copy the Certificate files to your server.

    e-mail sent by E-Tuğra will contain one root certificate (TrustRoot.crt), Intermediate (E-Tuğra_root.crt), and a Primary EV Certificate (your_domain_name.crt). Copy them to your server in the same directory that you have your key file in. As a security precaution, you can make them readable only by root.

  2. Find the Apache config file to edit.

    The location and name of this file varies from server to server, especially if you use a special interface to manage your server configuration.

    Apache configuration files are usually found in /etc/httpd. The main configuration file is often named httpd.conf. In some cases the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find the <VirtualHost> blocks in their own files under a directory like /etc/httpd/vhosts.d/ or /etc/httpd/sites/ or in a file called ssl.conf.

    Once you open the file in a text editor, find the <VirtualHost> blocks that contain the settings for your website.

  3. Identify the SSL <VirtualHost> block to configure

    If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and configure it for SSL as described in step 5.

    To set up your site to only be accessible securely, configure the existing virtual host for SSL as described in step 5.

  4. Configure the <VirtualHost> block for the SSL-enabled site.

    Below is a simple example of a virtual host configured for SSL. The bold parts must be added for SSL configuration:

    DocumentRoot /var/www/html2
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/E-Tuğra_root.crt

    Adjust the file names to match your certificate files:

    • SSLCertificateFile should be your E-Tugra_root certificate file (eg. your_domain_name.crt).
    • SSLCertificateKeyFile should be the key file generated when you created the CSR.
    • SSLCertificateChainFile should be E-Tugra_root.crt
  5. Test your Apache config before restarting.

    It is always best to check your Apache config files for any errors before restarting, because Apache will not start again if your config files have syntax errors. Run the following command: (it is apache2ctl on some systems)

    apachectl configtest

    ***Troubleshooting Tip: Internet Explorer 7 also requires that the phishing filter be turned ON in order to turn the address bar green.

  6. Restart Apache.

    You can use apachectl commands to stop and start Apache with SSL support:

    apachectl stop 
    apachectl start

    Note: If SSL doesn't work when you restart, try using "apachectl startssl" instead of "apachectl start". If support for SSL only loads with "apachectl startssl" you should change the apache startup configuration to include SSL support using the regular "apachectl start" command so that you don't have to run the "apachectl startssl" in the case of a server reboot. You can usually do this by removing the <IfDefine SSL> and </IfDefine> tags that enclose your SSL configuration.

  7. Test your SSL site with a browser.

    For best results close your web browser first and re-launch it. Go to your site using its https secure URL. Be sure to test with more than just Internet Explorer because IE can automatically download intermediate certificates but other browsers will give an error if all the certificates aren't installed properly.

    Troubleshooting tips:

    If you receive a "not trusted" warning, view the certificate to see if it is the certificate you expect. Check the Subject, Issuer, and Valid To fields. If the SSL Certificate is issued by E-Tuğra, then your SSLCertificateChainFile is not correctly configured.

    If you do not see the certificate you expect then you may have another SSL <VirtualHost> block before the one you recently configured. Name based virtual hosts are not possible with https unless you use the same certificate for all virtual hosts (eg. a wildcard certificate, or a unified communications certificate) It is not a limitation of Apache, but of the SSL protocol. Because Apache must send a certificate during the SSL handshake, before it receives the HTTP request which contains the Host header, Apache always sends the SSLCertificateFile from the first <VirtualHost> block that matches the ip and port of the request.