Last updated: Oct 31, 2025
Securing your Ubuntu server with SSL/TLS certificates is one of the most important steps you can take to protect data transmission, maintain user trust, and comply with security standards. Whether you’re running a public-facing website, hosting a private internal service, or managing APIs in production environments, SSL is no longer optional. Browsers such as Google Chrome, Firefox, and Safari require a valid SSL certificate before rendering sites securely. Search ranking engines even penalize unsecured websites.
In this guide, you’ll learn how to install SSL certificates in Ubuntu servers using both Apache and Nginx as web servers. This full walkthrough covers everything—from generating the CSR (Certificate Signing Request) to installing intermediate certificates, securing private keys, and verifying the installation using OpenSSL and browser-based tools.
By the end of this article, you’ll be able to install any valid SSL certificate issued by a trusted Certificate Authority (CA), including wildcard certificates and multi-domain certificates, on modern Ubuntu servers running Apache or Nginx.
Understanding SSL Certificates on Ubuntu Servers
SSL certificates are digital certificates that authenticate a server’s identity and enable encrypted connections using the HTTPS protocol. On Ubuntu servers, SSL certificates are installed at the web server level (e.g., Apache or Nginx) and may also be registered in the system’s trusted store for internal applications and services to trust them.
Each SSL certificate typically consists of the following:
- Private key: The secret key that must always stay secure on the server.
- CSR (Certificate Signing Request): A file generated from the private key, containing your organization’s info, submitted to the Certificate Authority (CA).
- Server certificate: The actual certificate signed by the CA (e.g., certificate.crt or certificate.pem).
- Intermediate certificate (CA bundle): Helps establish the certificate chain of trust back to the root CA.
- Root certificate: Stored in trusted certificate stores on client systems or browsers.
On Ubuntu, OpenSSL is commonly used to generate keys and CSRs, while the certificate files are stored under directories like /etc/ssl/certs/ and /etc/ssl/private/.
Understanding the certificate chain (server cert → intermediate → root) is crucial because if the full chain is not installed correctly, browsers will show errors like “certificate not trusted” or “incomplete certificate chain.”
By default, Ubuntu trusts only the CA certificates that ship with the OS; certificates from any other issuer, such as an internal CA, are trusted only after they are added manually to the trusted CA store.
Prerequisites and Environment Setup
Before installing an SSL certificate on Ubuntu, it’s important to have the following prerequisites in place:
- A server running Ubuntu 18.04, Ubuntu 20.04, or Ubuntu 22.04
- Shell access (SSH) to the server with sudo privileges
- A registered domain name (or wildcard domain)
- A web server installed — either Apache2 or Nginx
- OpenSSL installed (default on Ubuntu)
- Your certificate files downloaded from a trusted CA or provider (e.g., DigiCert, Sectigo, GoDaddy, Namecheap)
You can check your Ubuntu version with:
lsb_release -a
To confirm if Apache or Nginx is installed and running:
sudo systemctl status apache2
sudo systemctl status nginx
To check if OpenSSL is installed:
openssl version
If not installed, you can install it using:
sudo apt update && sudo apt install openssl -y
Generating a CSR and Private Key in Ubuntu
If you purchased an SSL certificate from a Certificate Authority (CA), the first step is generally to generate a CSR (Certificate Signing Request) and submit it to the CA. Along with the CSR, a private key file is also generated, which should be stored securely and never shared.
Run the following command to create a private key and CSR for your domain:
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
You will be prompted to fill in certificate details such as:
- Country Name
- State
- Organization Name
- Domain Name (Common Name)
- Email Address
For wildcard domains, enter:
*.yourdomain.com
Once done, two files are created in your present directory:
- your_domain.key – private key
- your_domain.csr – CSR to upload to CA
Submit the CSR to your certificate issuer. They will process it and provide certificate files such as:
- certificate.crt or your_domain.crt
- ca_bundle.crt or intermediate.pem
Store these files and the private key in a secure location.
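The CSR step above as a non-interactive script, added here as an example (not part of the original guide). It goes beyond the command shown by also requesting subjectAltName entries and forcing owner-only permissions on the key; the function names and the yourdomain.com values are placeholders, and -addext assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original guide); domain names are placeholders.

# Creates <base_path>.key and <base_path>.csr without prompts. Every name,
# including the Common Name, is also placed in subjectAltName.
make_csr() {   # usage: make_csr <base_path> <common_name> [more_dns_names...]
    csr_base=$1; csr_cn=$2; shift 2
    csr_san="DNS:$csr_cn"
    for csr_name in "$@"; do csr_san="$csr_san,DNS:$csr_name"; done
    (
        umask 077   # the key file is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$csr_base.key" -out "$csr_base.csr" \
            -subj "/CN=$csr_cn" -addext "subjectAltName=$csr_san" 2>/dev/null
    )
}

# Prints the DNS names requested in a CSR, one per line, so they can be
# reviewed before the CSR is submitted to the CA.
csr_dns_names() {   # usage: csr_dns_names <csr>
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Typical call (paths are placeholders):
#   make_csr ./your_domain yourdomain.com www.yourdomain.com
#   csr_dns_names ./your_domain.csr
```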
Installing SSL Certificates on Apache in Ubuntu
Apache is one of the most widely used web servers on Ubuntu, and it is relatively simple to add SSL certificates manually using its site configuration files.
Step 1: Copy Certificate Files to the Server
Copy your certificate and CA bundle files to:
/etc/ssl/certs/
And your private key to:
/etc/ssl/private/
Example:
sudo cp your_domain.crt /etc/ssl/certs/
sudo cp ca_bundle.crt /etc/ssl/certs/
sudo cp your_domain.key /etc/ssl/private/
Set proper file permissions:
sudo chmod 600 /etc/ssl/private/your_domain.key
Step 2: Enable SSL and Apache Modules
sudo a2enmod ssl
sudo a2enmod headers
Step 3: Edit Virtual Host Configuration
Open your Apache configuration file:
sudo nano /etc/apache2/sites-available/your_domain.conf
Update your VirtualHost block like:
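<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    # Server certificate issued by the CA
    SSLCertificateFile /etc/ssl/certs/your_domain.crt
    # Private key that matches the certificate
    SSLCertificateKeyFile /etc/ssl/private/your_domain.key
    # Intermediate certificates. Obsolete since Apache 2.4.8 (still honoured):
    # the intermediates may instead be appended to the SSLCertificateFile file.
    SSLCertificateChainFile /etc/ssl/certs/ca_bundle.crt
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
</VirtualHost>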
Step 4: Restart Apache
sudo systemctl restart apache2
You can verify the configuration (ideally before restarting) using:
sudo apache2ctl configtest
Installing SSL Certificates on Nginx in Ubuntu
Nginx uses SSL directives in its server blocks instead of VirtualHost files like Apache.
Step 1: Copy Certificate Files
Copy your certificate files into /etc/ssl/certs/ and your private key into /etc/ssl/private/, as with Apache.
Step 2: Modify Nginx Configuration
Edit your server block:
sudo nano /etc/nginx/sites-available/your_domain
Update with:
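server {
    listen 443 ssl;
    server_name yourdomain.com;
    # Must hold the server certificate followed by the intermediate
    # certificates; this is the only certificate file Nginx sends to clients.
    ssl_certificate /etc/ssl/certs/your_domain.crt;
    ssl_certificate_key /etc/ssl/private/your_domain.key;
    # Used to verify OCSP responses and client certificates; not sent to clients.
    ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
    root /var/www/html;
    index index.html index.htm;
}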
Step 3: Test and Restart Nginx
Validate configuration:
sudo nginx -t
Restart:
sudo systemctl restart nginx
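Nginx does not use SSLCertificateChainFile like Apache. Instead, the full certificate chain is included in the ssl_certificate file itself, with the server certificate first and the intermediates after it. The separate ssl_trusted_certificate option is used to verify OCSP responses and client certificates; the certificates listed there are not sent to clients.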
Install Intermediate and CA Certificates in Ubuntu System
Sometimes you may need to install CA or intermediate certificates globally on Ubuntu, especially if you’re building server-to-server trusted communication or handling internal root CAs.
Add CA using update-ca-certificates
- Copy the root or CA certificate to:
sudo cp rootCA.crt /usr/local/share/ca-certificates/
- Update CA store:
sudo update-ca-certificates
- Confirm install:
ls -l /etc/ssl/certs/ | grep rootCA
This updates both OpenSSL and system trust stores used by curl, wget, Python, and other utilities.
Testing Your SSL Certificate Installation
Once you’ve installed your SSL certificate, it’s important to verify it properly before going live.
Using OpenSSL:
openssl s_client -connect yourdomain.com:443
This will show the certificate chain and whether it is trusted.
Using Curl:
curl -Iv https://yourdomain.com
This helps confirm Nginx or Apache are serving SSL properly.
Using Browser:
Open https://yourdomain.com in Chrome or Firefox and inspect the certificate under the lock icon.
Use Qualys SSL Labs:
Test here:
https://www.ssllabs.com/ssltest/
This helps grade your SSL setup and exposes any chain issues or weak configurations.
Troubleshooting Common SSL Errors in Ubuntu
“SSL certificate not trusted”
Cause: Missing or incorrect intermediate certificate
Fix: Install CA bundle properly in your web server
“Incomplete certificate chain”
Cause: Server cert issued without intermediate cert
Fix: Concatenate server + intermediate PEM files into fullchain.pem
“Invalid private key or PEM mismatch”
Cause: Private key does not match certificate
Fix: Regenerate CSR with new key and request new cert
“Failed to restart Apache/Nginx after SSL configuration”
Run:
sudo apache2ctl configtest
sudo nginx -t
Look for typos in cert/key paths and resolve ownership/permissions
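A pre-deployment check for the “PEM mismatch” and “incomplete certificate chain” errors above, which also writes the combined chain file Nginx expects in ssl_certificate. It is added as an example and is not part of the original guide; the function names are illustrative and every file path is an argument you supply.

```shell
#!/bin/sh
# Added example (not from the original guide). All paths are arguments.

# Succeeds only when the private key belongs to the certificate: both
# commands print the same PEM public key when they match.
key_matches_cert() {   # usage: key_matches_cert <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate verifies up to the given root CA file with
# the CA bundle supplied as the (untrusted) intermediates.
chain_is_complete() {  # usage: chain_is_complete <root_ca> <ca_bundle> <cert>
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Writes the server certificate followed by the intermediates. Re-encoding
# the leaf guarantees a trailing newline, so PEM blocks cannot run together.
build_fullchain() {    # usage: build_fullchain <cert> <ca_bundle> <out>
    { openssl x509 -in "$1" && cat "$2"; } > "$3"
}

# Runs the checks in order and writes the chain file only if both pass.
preflight() {  # usage: preflight <cert> <key> <ca_bundle> <root_ca> <out>
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: private key does not match certificate" >&2; return 1; }
    chain_is_complete "$4" "$3" "$1" ||
        { echo "FAIL: CA bundle does not complete the chain" >&2; return 1; }
    build_fullchain "$1" "$3" "$5" && echo "OK: wrote $5"
}

# Run the checks when the script is called with the five file arguments.
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

For a publicly issued certificate, /etc/ssl/certs/ca-certificates.crt (the Ubuntu system bundle) can serve as the root CA argument.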
Optional: Install Free SSL Certificate with Let’s Encrypt in Ubuntu
Let’s Encrypt provides free, browser-trusted SSL certificates and can be installed automatically using Certbot.
Install Certbot
sudo apt install certbot python3-certbot-nginx
Install SSL for Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Auto-Renew
Certbot sets up a renewal timer automatically; you can verify it with:
systemctl list-timers | grep certbot
SSL Security Best Practices for Ubuntu Servers
- Enforce HTTPS using redirect rules
- Disable SSLv3 and TLS 1.0/1.1
- Enable HSTS (Strict Transport Security)
- Configure secure cipher suites (AES-GCM, TLS_ECDHE)
- Enable OCSP Stapling in Nginx
- Audit certificate expiry dates regularly
- Avoid shared private key reuse across multiple machines
Conclusion
Installing an SSL certificate on an Ubuntu server is more than just copying files and updating configuration. It requires understanding how SSL works, placing files in the right location, ensuring the certificate chain is valid, and confirming correct configuration through thorough testing.
Whether you’re using Apache, Nginx, or plan to automate with tools like Certbot, the goal is always the same: ensuring a trusted, encrypted connection between your server and all its users.
Secure your environment now, test it thoroughly — and your server will not only pass browser validation but also give users (and Google) confidence in your platform.
FAQs
1. What is the difference between a private key and a CSR?
A private key is a confidential file used to encrypt data and generate digital signatures for authentication. A CSR (Certificate Signing Request) is a public file generated from the private key and contains details about the domain or organization. The CSR is submitted to a Certificate Authority (CA) to request an SSL certificate, while the private key must remain secure on the server.
2. Where do SSL certificates go in Ubuntu?
SSL certificates are usually stored in /etc/ssl/certs/, while private keys are stored in /etc/ssl/private/. These paths are referenced in your Apache or Nginx configuration to activate the SSL certificate.
3. Why is my SSL certificate still showing “Not Secure” after installation?
This often happens due to an incomplete certificate chain, missing intermediate certificate, mismatched private key, or outdated browser cache. Make sure the CA bundle (ca_bundle.crt) is properly installed, and verify the certificate chain with a tool like SSL Labs.
4. How do I test if the SSL certificate is installed correctly on Ubuntu?
Use OpenSSL on the command line:
openssl s_client -connect yourdomain.com:443
This shows the full certificate chain and whether it’s trusted. You can also run curl -Iv https://yourdomain.com or use a browser or external tool like SSL Labs.
5. What’s the difference between PEM, CRT, and CER files?
They are often the same format (Base64-encoded certificates) but with different file extensions depending on usage. PEM is common in Linux environments, while CRT or CER may be issued by your CA. They are interchangeable in most cases as long as properly formatted.
6. Can I install a wildcard SSL certificate in Ubuntu?
Yes. Wildcard certificates (*.yourdomain.com) are supported and are installed the same way as single-domain certificates. The only difference is during CSR generation, where you specify *.domain.com as the Common Name (CN).
7. How do I renew an SSL certificate in Ubuntu?
For manually installed certificates, you need to generate a new CSR, reissue the certificate from your CA, and replace the certificate files in your server config. For Let’s Encrypt users, renewal is automatic through Certbot.
8. How do I install multiple SSL certificates for different domains in Ubuntu?
You need to configure each domain in its own VirtualHost (Apache) or server block (Nginx), and specify different certificate and key paths. Modern servers support SNI (Server Name Indication), which allows multiple certificates on one IP address.
9. Why does Apache or Nginx fail to restart after adding SSL lines?
This usually indicates incorrect paths, missing certificate files, or a misconfiguration in the SSL block. Always run sudo apache2ctl configtest or sudo nginx -t to validate before restarting.
10. Do I need to install a root certificate in Ubuntu?
In most cases, no. Ubuntu already comes with a system-wide trusted CA store. You only need to install a root certificate if you’re using a custom/internal CA or self-signed certificate.
