How to install your SSL Cert

  1. SSH or telnet to your server

  2. Make a directory for the SSL keys:
    mkdir ~/ssl 
    
    and go to that directory (where the CSR, Cert and PrivateKey are to be stored):
    cd ~/ssl 
    

  3. Issue command:
    openssl req -new > ssl.csr 
    

  4. Make entries as requested. Remember your pass phrase (write it down if need be); it must be 4 letters or longer. Spell out the State/Province name. Organization Name is your Company name.
    Unit name (like IT, or Web) is the division of the company doing the Web/SSL work. Remember that "COMMON NAME" refers to the domain name that you want to show on the Cert and to use when accessing your site using SSL (i.e. domain.com OR www.domain.com OR cname.domain.com OR *.domain.com). E-mail address is the address you want the signing company to send renewal and update notices to. Just leave the challenge password and optional company name blank unless the signing company needs something specific filled in for them.

  5. The CSR is now in a file called ssl.csr in this directory (~/ssl/ssl.csr). Because you can use this CSR to make renewals to your Cert in years to come, you might want to make a backup to your PC. You will need to cut and paste the CSR into a webpage when ordering your Cert from your signing company, so just run the following command to display your CSR:
    more ssl.csr 
    
    Cut and paste everything shown, including the "BEGIN" and "END" lines and all the dashes.

  6. The server put the Private Key that goes with the CSR into a file called privkey.pem (which will be overwritten if you re-run the openssl command above).

  7. The CSR you generated can now be used to obtain an SSL Cert from a signing company. Follow the directions on the signing company's site (see verisign.com and thawte.com for the major signing companies).

  8. Once you have the Cert, copy it to your server as ~/ssl/ssl.cert (if using ftp, make sure to NOT upload in Binary; that will cause problems).

  9. Now you will need to encrypt the Private Key to the new Cert. Simply run this command:
    openssl rsa -in privkey.pem -out ssl.pk 
    
    The pass phrase is the one you input in step 4.

  10. You are now set to load the SSL keys into the Apache Web Server's memory. Run the following commands:
    sslctrl installpkey < ssl.pk 
    sslctrl installcert < ssl.cert
    sslctrl installcsr < ssl.csr
    sslctrl enable 
    

  11. Check/test your website to see if the correct information is given for your SSL Cert. Go to https://yourdomain.com and check the SSL Cert information (click the lock symbol on your browser and select view details). It should no longer list *.securesites.com as the owner of the Cert; it should show your domain instead.
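
A check worth running in ~/ssl before the sslctrl commands in step 10, as an added example that is not part of the original instructions: it confirms that ssl.pk, ssl.cert and ssl.csr all carry the same public key and that the key file is private to your account. The openssl rsa command in step 9 writes ssl.pk without a pass phrase, which is why the permission check matters. The function names pubkey_fp and check_ssl_files are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original page); function names are hypothetical.

# Print a SHA-256 digest of the public key held in a private key, CSR or cert.
# "-passin pass:" makes a pass-phrase-protected key fail instead of prompting.
pubkey_fp() {  # usage: pubkey_fp key|csr|cert FILE
    pem=$(case "$1" in
        (key)  openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null ;;
        (csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        (cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac) || return 1
    [ -n "$pem" ] || return 1   # never hash the empty output of a failed parse
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 = ready to install, 1 = files do not belong together,
# 2 = a file could not be parsed, 3 = key file permissions too open.
check_ssl_files() {  # usage: check_ssl_files KEY CERT [CSR]
    key_fp=$(pubkey_fp key "$1") ||
        { echo "cannot parse key $1 (missing, damaged or pass-phrase protected)"; return 2; }
    cert_fp=$(pubkey_fp cert "$2") ||
        { echo "cannot parse cert $2 (damaged in transfer?)"; return 2; }
    [ "$key_fp" = "$cert_fp" ] ||
        { echo "MISMATCH: $2 was not issued for the key in $1"; return 1; }
    if [ -n "${3:-}" ]; then
        csr_fp=$(pubkey_fp csr "$3") || { echo "cannot parse CSR $3"; return 2; }
        [ "$csr_fp" = "$key_fp" ] ||
            { echo "MISMATCH: $3 was not generated from the key in $1"; return 1; }
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ] ||
        { echo "key $1 is accessible to group/other; restrict it to your account"; return 3; }
    echo "OK: files share public key $key_fp"
}

# Run as: sh check.sh ssl.pk ssl.cert ssl.csr
if [ "$#" -ge 2 ]; then check_ssl_files "$@"; fi
```

A mismatch usually means the openssl req command in step 3 was re-run after the CSR was submitted, which overwrites privkey.pem as noted in step 6.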