Certificate Issuance and Implementation

Technical Tutorial

How to Install a PEM-Format SSL Certificate
on Ubuntu 24 + Apache + WordPress

A general tutorial for installing a PEM-format SSL certificate issued by a Certificate Authority (CA) management console
into an Ubuntu 24 + Apache + WordPress environment.

Ubuntu 24
Apache
WordPress
PEM SSL

Disclaimer #

This article is a technical tutorial explaining the general procedure for installing an SSL certificate (PEM format) in an Ubuntu 24 + Apache + WordPress environment.

The content provided is based on information available at the time of writing, but behavior and configuration methods may vary depending on specific environments, configurations, certificate types, CA specifications, middleware versions, etc.

Overview #

This article is a general tutorial for installing a PEM-format SSL certificate issued by a Certificate Authority (CA) management console (the type displayed in a text box on the screen) into an Ubuntu 24 + Apache + WordPress site.

Whether the certificate is EV, OV, or DV, the server installation procedure is essentially the same.

Prerequisites #

  • OS: Ubuntu 24 (with root or sudo privileges)
  • Web server: Apache (apache2) is running
  • CMS: WordPress is running under Apache
  • Certificate: The Server Certificate has been issued by the CA
  • Intermediate certificate: The Intermediate Certificate (Intermediate / CA Bundle) is available from the CA
  • Important: You have retained the Private Key used when creating the CSR (if lost, reissuance is required)

Certificate Format Issued in CA Console (Display Like Attachment) #

In the CA management console, the following block (PEM) may be displayed in a text box. Copy this block from beginning to end and save it to the server.

-----BEGIN CERTIFICATE-----
(long alphanumeric string)
-----END CERTIFICATE-----

Note

  • Copy including the BEGIN/END lines.
  • It may work even if line breaks are corrupted, but it is safest to paste as displayed whenever possible.
  • Be careful not to paste the Private Key (BEGIN PRIVATE KEY).

Installation Overview #

  1. Save certificate files to the designated location
  2. Prepare the intermediate certificate (chain)
  3. Create fullchain (server certificate + intermediate)
  4. Verify that the private key and certificate match
  5. Configure Apache HTTPS VirtualHost (including 80 → 443 redirect)
  6. Reload Apache and organize WordPress URL / mixed content
  7. Functional verification (chain, redirect, certificate information)

Step 1: Place Certificate Files (Server Certificate) #

A typical placement example for Ubuntu (can be modified according to operational policy).

Storage Location (Example) #

  • Private key (existing): /etc/ssl/private/example.com.key
  • Server certificate: /etc/ssl/certs/example.com.crt
  • Intermediate certificate: /etc/ssl/certs/intermediate-ca.pem
  • Fullchain: /etc/ssl/certs/example.com.fullchain.pem

Create Directory and Permissions #

sudo mkdir -p /etc/ssl/private /etc/ssl/certs
sudo chmod 700 /etc/ssl/private

Save CA Console Certificate (PEM) to File #

Paste and save the certificate block from the text box in the CA console to /etc/ssl/certs/example.com.crt.

sudo nano /etc/ssl/certs/example.com.crt
sudo chmod 644 /etc/ssl/certs/example.com.crt

Example of saving the file non-interactively with a heredoc:

sudo tee /etc/ssl/certs/example.com.crt >/dev/null <<'EOF'
-----BEGIN CERTIFICATE-----
(paste certificate content here)
-----END CERTIFICATE-----
EOF
sudo chmod 644 /etc/ssl/certs/example.com.crt

Step 2: Prepare Intermediate Certificate (CA Bundle / Intermediate) #

Most CAs provide an Intermediate Certificate (or CA Bundle) separately from the server certificate. Without this, some devices may display “untrusted” warnings.

Save Intermediate Certificate (Example) #

Save the intermediate certificate(s) obtained from the CA in PEM format to the following location.

sudo nano /etc/ssl/certs/intermediate-ca.pem
sudo chmod 644 /etc/ssl/certs/intermediate-ca.pem

When there are multiple intermediates #

If the CA Bundle contains multiple intermediate certificates, combine them into one file in the order specified by the CA (typically in ascending order toward the root).

Step 3: Create the fullchain (server certificate + intermediate) #

For Apache, it is common practice to specify a fullchain (server certificate + intermediate) as the certificate file.

sudo cat /etc/ssl/certs/example.com.crt \
  /etc/ssl/certs/intermediate-ca.pem \
  | sudo tee /etc/ssl/certs/example.com.fullchain.pem >/dev/null

sudo chmod 644 /etc/ssl/certs/example.com.fullchain.pem

Step 4: Verify that the private key and certificate match (important) #

If the certificate and private key do not match, HTTPS will not work properly even if you configure Apache. Be sure to verify this.

Verification method A: For RSA keys (modulus comparison) #

openssl x509 -noout -modulus -in /etc/ssl/certs/example.com.crt | openssl md5
openssl rsa  -noout -modulus -in /etc/ssl/private/example.com.key | openssl md5

If the two MD5 hashes are identical, they match.

Verification method B: Key type agnostic (public key SHA256 comparison) #

# Certificate → Public key → SHA256
openssl x509 -in /etc/ssl/certs/example.com.crt -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl sha256

# Private key → Public key → SHA256
openssl pkey -in /etc/ssl/private/example.com.key -pubout -outform DER \
  | openssl sha256

If the two SHA256 hashes are identical, they match.

If they do not match #

  • It is highly likely that the CSR was created with a different private key.
  • If you cannot find the correct private key, you will need to request a reissue from the CA and recreate the CSR with the correct key.
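
The checks from Steps 3 and 4 can be combined into one pre-flight script, shown here as an added example that is not part of the original tutorial. The function names and return codes are this example's own, and the chain-order check compares issuer and subject names only.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the
# fullchain file built in Step 3, run before reloading Apache.
# Return codes are this script's own convention:
#   0 ok, 1 no certificate found, 2 PEM markers glued together,
#   3 private key does not match the first certificate, 4 wrong order.

# Print a certificate's subject or issuer DN without the leading label.
dn() {  # usage: dn subject|issuer FILE
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

check_fullchain() {  # usage: check_fullchain FULLCHAIN KEY
  chain=$1; key=$2; rc=0
  # If the server certificate was saved without a final newline, `cat`
  # joins its END marker to the next BEGIN marker and PEM parsing fails.
  if grep -q -e '-----END CERTIFICATE-----.*-----BEGIN' "$chain"; then return 2; fi
  n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$chain")
  [ "$n" -ge 1 ] || return 1

  tmp=$(mktemp -d) || return 1
  # Split the bundle into cert-1.pem (server certificate), cert-2.pem, ...
  awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/ {i++}
                   i {print > (d "/cert-" i ".pem")}' "$chain"

  # Same idea as verification method B, but comparing the PEM public keys
  # directly: if either command fails, the check fails instead of two
  # empty inputs hashing to the same value.
  leaf_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey 2>/dev/null) &&
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) &&
    [ "$leaf_pub" = "$key_pub" ] || rc=3

  # Each certificate must be issued by the one that follows it. This
  # compares names only; it does not verify signatures or expiry.
  i=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    [ "$(dn issuer "$tmp/cert-$i.pem")" = "$(dn subject "$tmp/cert-$((i + 1)).pem")" ] || rc=4
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Run as: sudo sh check.sh FULLCHAIN KEY (root is needed to read the key).
if [ "$#" -eq 2 ]; then check_fullchain "$1" "$2"; echo "result: $?"; fi
```

A result of 0 means the file is safe to reference from SSLCertificateFile as far as these checks go; trust in the chain itself is still confirmed by the s_client and browser checks in the verification step.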

Step 5: Enable HTTPS in Apache #

Enable required modules #

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod rewrite
sudo systemctl reload apache2

Verify that port 443 is being listened on #

Typically, Listen 443 is included in /etc/apache2/ports.conf. Check as needed.

Step 6: Apache VirtualHost configuration (443 + 80→443 redirect) #

As an example, we will create and deploy a site configuration file for example.com.

Create a site configuration file (example) #

sudo nano /etc/apache2/sites-available/example.com.conf

Configuration example (WordPress assumed) #

Note: Replace example.com and DocumentRoot in the configuration with the values for your actual environment.

<VirtualHost *:80>
    ServerName example.com

    # Permanent redirect from HTTP to HTTPS
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com

    DocumentRoot /var/www/example.com/public

    # For WordPress (when using .htaccess)
    <Directory /var/www/example.com/public>
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on

    # Specify fullchain (server certificate + intermediate)
    SSLCertificateFile      /etc/ssl/certs/example.com.fullchain.pem
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key

    # Recommended: enable as needed (prioritize confirming operation first)
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    ErrorLog ${APACHE_LOG_DIR}/example.com-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-ssl-access.log combined
</VirtualHost>
</IfModule>

Enable the site #

sudo a2ensite example.com.conf

Test configuration → Reload #

sudo apache2ctl configtest
sudo systemctl reload apache2

To check which VirtualHosts are enabled:

sudo apache2ctl -S

Step 7: Enable HTTPS in WordPress #

Unify Site URL to https #

  • WordPress Dashboard → Settings → General
  • Set both “WordPress Address (URL)” and “Site Address (URL)” to https://example.com

Mixed Content Mitigation #

  • If images, CSS, or JS remain as http://, the lock icon may not appear.
  • Use DB replacement, theme settings, or plugins to unify to https:// (backup before operation recommended).

Step 8: Verification #

HTTPS Connectivity (curl) #

curl -I https://example.com/
curl -I http://example.com/

Expected:

  • https://example.com/ returns 200 / 301 or other normal response
  • http://example.com/ returns 301 and redirects to https

Certificate Chain Verification (openssl) #

echo | openssl s_client -connect example.com:443 -servername example.com -showcerts

Browser Verification #

  • No certificate errors displayed
  • Certificate details show expected values for issued to / expiration / SAN, etc.

Common Issues and Solutions #

Certificate is correct but shows “Not Trusted” #

  • The intermediate certificate (CA Bundle) may not be provided or included in the fullchain.
  • Verify that SSLCertificateFile points to the fullchain.

Apache Fails on Start / Reload with SSL Error #

  • Private key path may be incorrect, permissions inappropriate, or key and certificate may be mismatched.
  • Re-run the match verification from “Step 4”.

Redirect Loop Occurs #

  • The WordPress side (siteurl / home) and the Apache side (80 → 443) may both be redirecting and conflicting with each other.
  • If using a CDN / reverse proxy like Cloudflare, SSL mode settings may also affect behavior.

Rollback (Revert) #

  • Before implementation, backing up Apache site configuration files and certificate-related files is recommended.
  • If issues arise, disable the relevant site and reload.

sudo a2dissite example.com.conf
sudo apache2ctl configtest
sudo systemctl reload apache2

Operations Notes (Renewal/Reissue) #

  • Basic renewal/reissue process: New CSR → Renew/reissue at CA → Replace fullchain → Apache reload
  • Suspected private key compromise: Revoke → Create CSR with new key → Reissue
  • Do not modify certificate files; save issued materials (PEM) accurately

Updated on June 9, 2026