Securing your website is extremely important, and one of the first things you have to do to make your site safer is to install an SSL/TLS certificate. SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), protect the data sent between your website and its visitors.
By using our guide you will learn how to install an SSL/TLS certificate on two popular web servers: Apache and Nginx. We will cover the benefits of SSL/TLS certificates, how to generate and install them, testing for vulnerabilities, automating renewals, and troubleshooting.
SSL/TLS Benefits
Before we dive into the technical steps, let’s understand why it’s so important to install an SSL/TLS certificate on your website.
- Encryption: once an SSL/TLS certificate is installed, the data exchanged between your website and its users is encrypted, so anyone who intercepts the traffic cannot read it.
- Authentication: it ensures that users are connected to the legitimate website and not an impostor. Keep in mind that impostors can install an SSL/TLS certificate too, so users should always double-check that they are visiting the correct domain.
- Data integrity: SSL/TLS detects any modification of data in transit, so even if someone intercepts the traffic they cannot alter it without the change being noticed.
- SEO boost: search engines like Google favor secure sites, so if you install an SSL/TLS certificate you will potentially improve your search rankings.
- User trust: a secure connection builds trust, indicated by the padlock icon in browsers, which encourages users to interact with your site. Nowadays installing an SSL/TLS certificate is effectively mandatory if you want users to trust your site; otherwise browsers mark it as not secure.
How to get an SSL/TLS certificate
To install an SSL/TLS certificate, you’ll need to get one first, so start by following these steps.
Choose your certificate type
Certificates can be free or paid. For basic websites, a free certificate from Let’s Encrypt is often sufficient. For e-commerce or enterprise sites, consider paid certificates offering higher levels of validation and security features. You can get a paid certificate from certificate authorities (CAs) like Digicert, Globalsign, Sectigo, etc.
Here we cover the steps for installing a paid certificate. If you want to install a free one, see the Let’s Encrypt section below.
Generate a CSR (Certificate Signing Request)
The next step to install an SSL/TLS certificate is to create a Certificate Signing Request (CSR), which contains your site’s information and is needed to obtain an SSL certificate. Here’s how to create a CSR:
Open your terminal or connect to your server using SSH.
Create a few directories to store your certificate files:
mkdir -p /etc/ssl/{crt,key,csr}
Run the following command, replacing “domain.com” with your real domain name:
openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/key/domain.com.key -out /etc/ssl/csr/domain.com.csr
Answer the prompts with your site’s details (country, state, domain name, etc.).
Two files will be created: the CSR file at /etc/ssl/csr/domain.com.csr, and the key file at /etc/ssl/key/domain.com.key.
Keep the .key file secure: it is your private key, it was written without a passphrase (that is what -nodes does), and it must never be shared or sent to the CA; only the CSR is submitted.
Submit the CSR to the certificate authority (CA)
Submit the CSR file to a CA, also called certificate issuer. There are many of them, for example Digicert, Globalsign, Sectigo, etc. They will verify your information and issue the SSL certificate. They will request a verification of your domain, so make sure to follow their instructions.
Receive and download the certificate
Once approved, the CA will provide your certificate files, which will be used to install an SSL/TLS certificate on your site. These files typically include:
- Your site’s certificate (usually named domain.com.crt).
- Intermediate certificates (these are bundles that establish trust, they may be named ca-bundle.crt or something similar).
- A single file that contains both the certificate and the intermediate certificate, usually called fullchain.crt
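Before these files go into the web server configuration, a few checks catch the mistakes that otherwise surface later as a "Not secure" warning or a failed handshake (a certificate issued for a different key, a missing intermediate). The script below is an added example and not part of the original guide; it covers both the CSR step above and the received files, and the subject fields, domain name and file paths it uses are assumptions:

```shell
#!/bin/sh
# Added example, not from the original guide: create the key and CSR
# without interactive prompts, then check an issued certificate against
# the private key and the CA bundle before it goes into the server config.
# Subject fields and file paths below are assumptions; adjust them.
set -eu

# gen_csr DOMAIN KEYFILE CSRFILE: writes a fresh 2048-bit RSA key and a CSR.
gen_csr() {
    domain=$1; key=$2; csr=$3
    mkdir -p "$(dirname "$key")" "$(dirname "$csr")"
    # umask 077 makes the private key readable by its owner only.
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" >/dev/null 2>&1)
    # The CSR must carry a valid self-signature and the CN we asked for.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$domain"
}

# key_matches_cert CERT KEY: succeeds when CERT was issued for this private
# key. A mix-up here (old key, wrong CSR) gives a server that fails every
# TLS handshake. Hashing the DER public keys works for RSA and ECDSA alike.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# chain_verifies CERT BUNDLE: succeeds when CERT chains through the
# intermediates in BUNDLE to a trusted root (the system root store is
# consulted as well); a missing intermediate is a classic "Not secure" cause.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Typical use with the guide's layout (domain.com is a placeholder):
#   gen_csr domain.com /etc/ssl/key/domain.com.key /etc/ssl/csr/domain.com.csr
#   key_matches_cert /etc/ssl/crt/domain.com.crt /etc/ssl/key/domain.com.key
#   chain_verifies /etc/ssl/crt/domain.com.crt /etc/ssl/crt/ca-bundle.crt
```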
How to install an SSL/TLS certificate on Apache
With your SSL certificate files ready, it’s time to install an SSL/TLS certificate on your Apache webserver.
Before doing anything, make sure to enable the Apache SSL module.
If you’re running Ubuntu, the SSL module is usually enabled by default, but check it anyway. You can enable it with this command:
a2enmod ssl
Then simply restart Apache:
systemctl restart apache2
If you’re running Almalinux or a RHEL-based distro, install it this way:
dnf install mod_ssl
Now it’s time to upload the certificate files to the server. You can do this using an FTP account or tools like rsync. Place your certificate files (domain.com.crt and ca-bundle.crt) in the following directory: /etc/ssl/crt
Edit your site’s Apache configuration file. On modern distros, this is usually located under /etc/apache2/sites-available/
Open it using a text editor like nano:
nano /etc/apache2/sites-available/yourdomain.com.conf
Add or update the following lines:
<VirtualHost *:443>
    ServerAdmin admin@yourdomain.com
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/domain.com.crt
    SSLCertificateKeyFile /etc/ssl/key/domain.com.key
    SSLCertificateChainFile /etc/ssl/crt/ca-bundle.crt
    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Make sure to replace “yourdomain.com” (and the ServerAdmin address) with your real values, and set the correct path for your DocumentRoot (where your website content is located). On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; instead you can point SSLCertificateFile at fullchain.crt, which already contains the intermediates.
Save and close the file, and test your Apache config:
apachectl configtest
If your config is ok then restart Apache:
systemctl restart apache2
To check your certificate, visit your site using “https://yourdomain.com” to make sure it loads securely. The browser should show a padlock or similar icon, which indicates a secure connection.
Install an SSL/TLS certificate on Nginx
Next, let’s set up SSL/TLS on an Nginx server. First off, ensure that Nginx is compiled with SSL support. Most modern installations include it by default. To verify this, run:
nginx -V
Look for “--with-http_ssl_module” in the output.
Now upload the certificate files to your server. This step is similar to the one for Apache, so you can use an FTP account or tools like rsync. Nginx has no separate directive for the intermediate certificates, so it needs the full chain in one file: place your fullchain.crt file in /etc/ssl/crt and rename it to “domain.com.crt”.
Edit the Nginx configuration file for your site, usually found in “/etc/nginx/conf.d”
Open it with a text editor like nano, vim or your favorite one:
nano /etc/nginx/conf.d/yourdomain.com.conf
Add or update the following lines in the file’s “server” block:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com;
    ssl_certificate /etc/ssl/crt/domain.com.crt;
    ssl_certificate_key /etc/ssl/key/domain.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}
Save and close the file.
Check the Nginx configuration for errors:
nginx -t
If there are no errors, restart Nginx:
systemctl restart nginx
Now that you know how to install an SSL/TLS certificate on Nginx, it’s time to test your SSL. Visit your site using “https://yourdomain.com” to ensure it loads securely.
Installing an SSL/TLS certificate on IIS
On a server running Windows, the steps are a bit different in comparison to those running Linux. First, we will generate a CSR.
- Open the IIS Manager and select your server node.
- Double-click on Server Certificates and select Create Certificate Request.
- Fill in the details for your certificate (Common Name, Organization, etc.).
- Save the CSR to a file, and submit it to the Certificate Authority.
After receiving the SSL certificate from the CA, upload it to the server and follow these steps:
- Access the IIS Manager and select your server.
- Double-click on Server Certificates and then click on Complete Certificate Request.
- Load the SSL certificate file that you received from your CA.
- Enter a friendly name for the certificate (this is used to identify it within IIS).
- Complete the installation to load the certificate on the webserver.
Now, you need to bind the new SSL certificate to your site:
- Once again, open the IIS Manager and select the site where you want to configure the SSL.
- Click Bindings and then click Add.
- Set the Type to https.
- Choose the correct IP address (or set it to All Unassigned).
- Set the Port to 443 (which is the default port for the HTTPS protocol).
- Now from the SSL certificate dropdown, select the SSL certificate you installed earlier.
- Save the new settings and restart IIS.
Testing an SSL/TLS certificate for vulnerabilities
You’re not done yet: once you install an SSL/TLS certificate you have to test it for vulnerabilities. The fastest and simplest way to do this is by following these steps:
- Access our webserver security test.
- Input your domain in the box.
- Tick the two checks named “Clear cache” and “Follow redirects”.
- Click the scan button.
- Now simply wait 20-30 seconds for the scan to finish and scroll down to SSL/TLS Analysis. There you can check the date of the SSL/TLS certificate expiration, the issuer, the supported versions of the SSL/TLS protocol, and the cipher suite used. If you get a “Failed” in red in any of them then you may need to update your current certificate or the webserver settings. The ones with a “Passed” in green are good to go.
Automating certificate renewal with Let’s Encrypt
Let’s Encrypt offers free SSL certificates with a validity of 90 days. Let’s see how to install an SSL/TLS certificate completely free, and how to automate the renewal.
Install Certbot
Certbot is a tool used to obtain and renew Let’s Encrypt certificates automatically. Before being able to install an SSL/TLS certificate for free, we need to install Certbot. Let’s see how to do this in common distros like Almalinux and Ubuntu.
To install Certbot on Almalinux, start by installing the EPEL repository:
dnf install epel-release
If you’re running Apache, then install Certbot this way:
dnf install certbot python3-certbot-apache
However, if you’re running Nginx, run this:
dnf install certbot python3-certbot-nginx
If you’re running Ubuntu, update your package lists before installing Certbot:
apt-get update
Proceed to install the Certbot tool for Apache:
apt-get install certbot python3-certbot-apache
Or for Nginx:
apt-get install certbot python3-certbot-nginx
Install an SSL/TLS certificate for free using Certbot
This is where Certbot does the heavy lifting: it obtains the certificate and installs it into your web server configuration for you.
To get a certificate for Apache, run:
certbot --apache
For Nginx, use:
certbot --nginx
Certbot will guide you through a series of prompts to configure and obtain the certificate.
Automate the renewal
Certbot packages normally schedule renewal automatically, either as a cron job or as a systemd timer. To check for a cron job, list your cron jobs:
crontab -l
Look for a line similar to this one:
0 12 * * * /usr/bin/certbot renew --quiet
This runs the renewal process once per day, which is more than enough (Certbot only replaces certificates that are close to expiry). If nothing is listed, check /etc/cron.d and the output of “systemctl list-timers”, since distro packages often schedule the renewal there instead.
If you want to test the renewal process, then you can simulate a renewal to ensure it works, simply run this command:
certbot renew --dry-run
Troubleshooting common SSL/TLS issues
Despite our careful setup, you might encounter issues. Here are some common SSL/TLS problems and their solutions:
- Browser shows a “Not secure” warning: to solve this, make sure that your SSL certificate is correctly installed and not expired. Check if the certificate matches your domain and includes all necessary intermediate certificates.
- Mixed content warning: mixed content occurs when secure (https) and non-secure (http) resources are loaded together. Update all links in your website to use https.
- Certificate mismatch: in this case, you have to verify that the domain name in your SSL certificate matches the domain in your web server configuration. Reissue the certificate if needed.
- Outdated protocols or ciphers: make sure to disable any old versions of the SSL/TLS protocol, and also remove weak cipher suites in your server configuration. On its wiki, Mozilla provides a list of modern and intermediate ciphers.
- General configuration errors: in this case, we suggest checking your web server’s error logs to diagnose issues. Use configuration testing commands (“apachectl configtest” for Apache or “nginx -t” for Nginx) to catch errors in your settings.
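For the outdated-protocol item, here is an added example (not from the original guide) that lists the legacy versions a configuration still offers, so they can be removed before you run the config test and restart. It reads the Nginx “ssl_protocols” directive and Apache’s “SSLProtocol all -SSLv3 ...” syntax; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: list outdated TLS versions
# that a config still offers, so they can be removed before the restart.
# Understands the Nginx "ssl_protocols A B C;" directive and the Apache
# "SSLProtocol all -SSLv3 -TLSv1" syntax (where "-X" disables X).
set -eu

# weak_protocols CONF: prints one outdated version per line (lower-case),
# or nothing when only TLSv1.2 and TLSv1.3 are enabled.
weak_protocols() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "ssl_protocols" || tolower($1) == "sslprotocol" {
            for (i = 2; i <= NF; i++) {
                v = tolower($i); sub(/;$/, "", v)  # strip the Nginx terminator
                if (v ~ /^-/) { sub(/^-/, "", v); disabled[v] = 1; continue }
                sub(/^\+/, "", v)
                enabled[v] = 1
            }
        }
        END {
            # Apache "all" switches on every version the build supports.
            if ("all" in enabled) { enabled["sslv3"] = 1; enabled["tlsv1"] = 1; enabled["tlsv1.1"] = 1 }
            n = split("sslv2 sslv3 tlsv1 tlsv1.1", bad, " ")
            for (i = 1; i <= n; i++)
                if ((bad[i] in enabled) && !(bad[i] in disabled)) print bad[i]
        }' "$1"
}

# Typical use before "nginx -t" or "apachectl configtest" (paths are placeholders):
#   weak_protocols /etc/nginx/conf.d/yourdomain.com.conf
#   weak_protocols /etc/apache2/sites-available/yourdomain.com.conf
```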
Conclusion
Installing an SSL/TLS certificate is not a trivial task, but this guide has covered everything you need: generating the CSR, picking a CA, and installing the certificate on your web server.
If you install an SSL/TLS certificate then you will have secured your website and your users’ data. It doesn’t matter if you install a free certificate or a paid one, just make sure that a valid one is running on your site, and use our scanner to check for any vulnerabilities.