Feature #70

Add SSL Certificate to ISPConfig Host on Ubuntu Server

Added by Daniel Curtis about 11 years ago. Updated about 9 years ago.

Web Server
Target version:
Start date:
Due date:
% Done:


Estimated time:
2.00 h
Spent time:


Before Beginning

ISPConfig has the ability to create "self-signed" certificates from the administration panel. This can be found at Sites-><_site-name_>->SSL. Creating a "self-signed" certificate from the administration panel is as easy as filling out the State, Locality, Organization, Organization Unit, Country, and Domain; then setting the "*Create Certificate*" from the SSL Action field. This action can also be done from the command-line as such:

cd /var/www/
openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout -out

This will generate a Private Key (KEY) and a Certificate Signing Request (CSR)

If there is need for a legitimate SSL Certificate, the generated Certificate Signing Request (CSR) will be required to be sent to the Certificate Authority (CA) for signing. An SSL Certificate (CRT) will be sent back.

Setting Up The Certificate

If the CSR was generated using the administration panel, there is already a "self-signed" certificate in place, it isn't too important, but for safe measure backup the previous SSL Certificate. This will require sudo or root access:

mv /var/www/ /var/www/

Create the new SSL Certificate:

vi /var/www/

Copy the contents of the SSL Certificate that was sent back from the Certificate Authority and paste it into the file.

Setting Up StartSSL Root and Intermediate CA (Optional)

Next download StartSSL's Root CA and the Class1 Intermediate Server CA:

cd /var/www/

(If you use a Class2 certificate, please download instead of

Rename both files:

mv ca.pem

(Adjust the second command if you use a Class2 certificate.)

Some services require a .pem file:

cat > startssl.chain.class1.server.crt
cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
chmod 600 ispserver.pem

(again, make sure you adjust the commands if you use a Class2 certificate)

Configure Apache to Use SSL Certificate

Open /etc/apache2/sites-available/

vi /etc/apache2/sites-available/

Add the line SSLCertificateChainFile /var/www/ to the # SSL Configuration section (please be aware that you have to re-add that line whenever you update ISPConfig!):

  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /var/www/
  SSLCertificateKeyFile /var/www/
  ## must be re-added after an ISPConfig update!!!
  SSLCertificateChainFile /var/www/

(Adjust this if you use a Class2 certificate.)

Restart Apache afterwards:

/etc/init.d/apache2 restart


Updated by Daniel Curtis about 11 years ago

  • Estimated time set to 2.00 h

Instead of using the same StartSSL Intermediate CA file for each host use a symbolic link, as you only need one real copy between all hosts.

cd /var/www/
ln -s /usr/local/ispconfig/interface/ssl/


Updated by Daniel Curtis about 10 years ago

  • Project changed from Website Hosting to 57

Updated by Daniel Curtis about 9 years ago

  • Project changed from 57 to GNU/Linux Administration
  • Category set to Web Server

Also available in: Atom PDF