Install SSL Certificate on Apache

Overview

To secure connections on your server, it is essential to install an SSL certificate on your Apache server. Doing this ensures that all communication between VergeCloud and your backend infrastructure is encrypted, protected from interception, and safe from tampering. When SSL is configured correctly, both the integrity and confidentiality of the data flowing through your environment are maintained, which is especially important for applications handling user information, authentication, API communication, or internal services that must remain private. Setting up SSL is not only a good practice; in many environments it has become a requirement to meet compliance standards and security guidelines.

Prepare the Certificate and Private Key

The first step is preparing the SSL certificate and private key. You can either use your own SSL certificate issued by a Certificate Authority or generate a free Origin certificate directly from the VergeCloud dashboard. VergeCloud provides a simple and reliable way to generate Origin SSL certificates designed specifically for securing connections between VergeCloud and your origin server. You can find this option under SSL/TLS → Origin Server inside the dashboard. Generating a certificate here ensures compatibility with VergeCloud’s system and avoids many common configuration problems.

Once the certificate and private key are generated, download them securely to your local environment. The private key must always stay confidential because it is the most sensitive component of the SSL setup. Anyone with access to your private key could potentially impersonate your server, so treat it with great care. 

Upload to Server

After obtaining your certificate and private key, upload both files to a secure directory on your server. A commonly used directory structure would look like this:

/etc/ssl/vergecloud/certificate.crt
/etc/ssl/vergecloud/private.key

Make sure the directory you choose is protected and not accessible by unauthorized users. Using a consistent and clear folder structure helps avoid confusion during configuration changes or certificate renewals. When transferring the files from your local machine to the server, use secure methods such as SCP or SFTP. Avoid uploading sensitive certificate files through unsecured web interfaces, public file-sharing tools, or any environment that might expose them to unauthorized access.

Redirect HTTP to HTTPS

To ensure all incoming traffic uses HTTPS, configure an HTTP virtual host that forces a redirect. This prevents users from accidentally accessing the unencrypted version of your site. Add the following virtual host to your Apache configuration:

<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>

This redirect ensures that even if a visitor enters the HTTP version of your domain or if an old link pointing to HTTP still exists somewhere, all traffic will automatically be routed to the secure HTTPS site.

Update Apache Configuration

Next, update your existing SSL virtual host file or create a new one, typically stored at:

/etc/apache2/sites-available/yourdomain-ssl.conf

Inside this file, add the following configuration:

<VirtualHost *:443>
ServerName yourdomain.com
ServerAlias www.yourdomain.com

SSLEngine on
SSLCertificateFile /etc/ssl/vergecloud/certificate.crt
SSLCertificateKeyFile /etc/ssl/vergecloud/private.key

# Allow only TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

# Forward requests to the backend application (requires mod_proxy and mod_proxy_http)
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
</VirtualHost>

This configuration enables SSL, points Apache to your certificate files, and defines secure protocols and ciphers for better protection. TLSv1.2 and TLSv1.3 are modern and secure, and the chosen cipher suite avoids weaker algorithms. The ProxyPass and ProxyPassReverse directives are commonly used when your backend application runs on another port, such as Node.js or another service listening on port 3000.

Reload Apache

After completing your configuration changes, enable the SSL module and the proxy modules that the ProxyPass directives depend on, enable the site configuration, and reload Apache:

sudo a2enmod ssl proxy proxy_http
sudo a2ensite yourdomain-ssl.conf
sudo systemctl reload apache2

If any syntax errors exist in your configuration, Apache will warn you so you can correct them before applying changes.

Testing/Validation

To test your SSL setup and confirm that the certificate is being served correctly, run:

openssl s_client -connect yourdomain.com:443

This command displays certificate details, helps you confirm that the correct certificate is loaded, and checks that the SSL handshake completes without issues.

Considerations

Private key security is extremely important. Set the permissions on your private key file to 600 so that only the Apache user (typically www-data) can access it. Never commit SSL certificates or private keys to any version control system such as Git. VergeCloud’s Origin certificates are valid for 90 days, so you must renew them before expiration. After downloading the renewed certificate and key, replace the existing files on your server and reload Apache to apply the new certificate.
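
The checks below are an added example, not part of the original article or of VergeCloud's tooling. Before Apache is reloaded with a renewed pair, they confirm that the key matches the certificate, that the certificate is not about to expire, and that the key file is closed to group and others. The function names, the 14-day default threshold and the demo pair are assumptions; the OpenSSL CLI and GNU stat are required.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate/key pair before reloading Apache.
# Assumes the OpenSSL CLI and GNU stat (Linux); all function names are illustrative.

# Succeeds when the private key belongs to the certificate (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when the key file grants nothing to group or others (600 or 400).
key_mode_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all three checks, reports each failure, returns non-zero if any failed.
preflight() {
    cert=$1 key=$2 min_days=${3:-14} rc=0
    key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" || { echo "FAIL: certificate expires within $min_days days"; rc=1; }
    key_mode_private "$key" || { echo "FAIL: key file is accessible to group or others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate and key are ready for reload"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    # Real use: sh preflight.sh /etc/ssl/vergecloud/certificate.crt /etc/ssl/vergecloud/private.key 14
    preflight "$@"
else
    # Constructed demo input: a throwaway self-signed pair valid for 90 days.
    demo=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" -days 90 \
        -keyout "$demo/private.key" -out "$demo/certificate.crt" 2>/dev/null
    chmod 600 "$demo/private.key"
    preflight "$demo/certificate.crt" "$demo/private.key" 30
    rm -rf "$demo"
fi
```

Run it against the new files before `systemctl reload apache2`; a non-zero exit status means the pair should not be put into service yet.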