Apache SSL Configuration

Secure your Apache server with SSL/TLS.

Apache remains one of the most used web servers. Its SSL configuration is flexible but can be complex with many options.

An optimal configuration combines security and compatibility. Too strict, you block old clients. Too permissive, you're vulnerable.

This guide gives you a modern, balanced configuration to achieve an A+ on SSL Labs.

Apache SSL Modules

Necessary components:

  • mod_ssl: the main module for SSL/TLS in Apache.
  • VirtualHost :443: HTTPS site configuration.
  • SSLCertificateFile: directive for the certificate.
  • SSLCertificateKeyFile: directive for the private key.

Modern Configuration Benefits

Why optimize your configuration:

  • Maximum security: protection against known attacks.
  • Performance: modern ciphers = faster.
  • Compatibility: balanced configuration for all clients.
  • A+ score: excellent result on SSL Labs.

Configuration Steps

SSL setup on Apache:

  1. Enable mod_ssl: a2enmod ssl && systemctl restart apache2.
  2. Configure VirtualHost: create or edit the configuration file.
  3. Place certificates: copy cert.pem, privkey.pem and chain.pem.
  4. Test and reload: apachectl configtest && systemctl reload apache2.

Optimized Configuration

Modern HTTPS VirtualHost:

# OCSP stapling cache: server-level directive, must sit outside <VirtualHost>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Modern protocols (TLS 1.2 and later)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off

    # HSTS (the Header directive requires mod_headers: a2enmod headers)
    Header always set Strict-Transport-Security "max-age=63072000"

    # OCSP Stapling
    SSLUseStapling on
</VirtualHost>

# HTTP to HTTPS redirect
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

This configuration disables old protocols and enables HSTS + OCSP stapling.

Best Practices

Optimize your Apache configuration:

  • Disable SSLv3/TLS1.0/1.1: these protocols have known vulnerabilities.
  • Enable HSTS: forces browsers to use HTTPS.
  • OCSP Stapling: improves performance and privacy.
  • Test regularly: use SSL Labs to verify your score.

Apache SSL Checklist

  • mod_ssl enabled
  • Certificates in place
  • Modern protocols only
  • HSTS enabled
  • OCSP Stapling configured
  • A+ score on SSL Labs
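
The protocol, HSTS and OCSP stapling items of this checklist can be checked against a configuration file before it is deployed. The Python audit below is an added example, not part of the original guide; its function names and the sample config are constructed for illustration, and it covers only those three items.

```python
import re

# Constructed sample: a legacy vhost that fails three checklist items.
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLUseStapling on
    SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
</VirtualHost>
"""
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
ALL = LEGACY | {"tlsv1.2", "tlsv1.3"}

def parse(conf):
    """Yield (directive, args, inside_vhost) for each non-comment directive."""
    in_vhost = False
    for line in map(str.strip, conf.splitlines()):
        if re.match(r"</?virtualhost\b", line, re.I):
            in_vhost = not line.startswith("</")
        elif line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            yield name.lower(), args.strip(), in_vhost

def enabled_protocols(args):
    """Apply SSLProtocol tokens in order: 'all', 'X' and '+X' add, '-X' removes."""
    on = set()
    for tok in args.lower().split():
        if tok.startswith("-"):
            on.discard(tok[1:])
        else:
            on |= ALL if tok == "all" else {tok.lstrip("+")}
    return on

def audit(conf):
    """Return checklist findings for a config; an empty list means it passes."""
    def vals(name):
        return [(a, v) for k, a, v in parse(conf) if k == name]
    out = []
    proto = vals("sslprotocol")
    if not proto:
        out.append("SSLProtocol is not set explicitly")
    elif weak := enabled_protocols(proto[-1][0]) & LEGACY:
        out.append("legacy protocols enabled: " + ", ".join(sorted(weak)))
    if not any("strict-transport-security" in a.lower() for a, _ in vals("header")):
        out.append("HSTS header is not set")
    if not any(a.lower() == "on" for a, _ in vals("sslusestapling")):
        out.append("OCSP stapling is off")
    elif not (cache := vals("sslstaplingcache")) or any(v for _, v in cache):
        out.append("SSLStaplingCache must be at server level, outside <VirtualHost>")
    return out
```

Calling audit(WEAK_CONF) returns three findings: TLS 1.0/1.1 still enabled, no HSTS header, and the stapling cache declared inside the VirtualHost.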

Frequently Asked Questions

How to check if mod_ssl is active?

apachectl -M | grep ssl or a2query -m ssl.

Error "SSLCertificateFile not found"?

Check the certificate path and permissions.

Should I include intermediate certificate?

Use fullchain.pem which includes your cert + intermediates.

How to force HTTPS?

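Use Redirect permanent in the :80 VirtualHost, or HSTS. HSTS only takes effect after a browser has received the header over HTTPS, so the redirect is what covers a first visit.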

Apache won't start after change?

Use apachectl configtest to see the error.

How to renew without downtime?

Replace the files and run systemctl reload apache2 (not restart).

Secure Apache

A modern Apache SSL configuration protects your users and improves your SEO ranking.

Monitor your certificate expiration with MoniTao to avoid interruptions.
