How to Convert an HTTP Website to HTTPS Using a Third-Party SSL Certificate (Apache 2 Guide)
Securing your website with HTTPS is essential for trust, SEO, and protecting user data. Many hosting providers sell SSL certificates, but you may prefer purchasing SSL from a third-party Certificate Authority (CA). This guide walks through the full process of converting an HTTP website to HTTPS on Apache 2 when using a certificate purchased outside your hosting provider.
The steps apply whether you want full HTTPS redirection or prefer keeping both HTTP and HTTPS accessible.
1. Choose and Purchase Your SSL Certificate
You can purchase an SSL certificate from any trusted CA, including:
- Sectigo (Comodo)
- DigiCert
- GlobalSign
- RapidSSL
- GoDaddy
- Namecheap SSL Store
- SSLs.com
During purchase, you’ll be asked for your domain name and often a CSR (Certificate Signing Request), which you will generate on your own server.
2. Generate the Private Key and CSR (On Your Server)
Always generate your private key on your own server so it never leaves your environment.
openssl genrsa -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr
The CSR creation process will ask for:
- Country
- State/Province
- Organization
- Common Name (CN) → must match yourdomain.com
- Email address
The Common Name must match the exact domain for which the certificate is being issued.
3. Send CSR to the Certificate Authority
Upload or paste your CSR into the CA’s order panel.
The CA will verify you control the domain by using one of these methods:
- Email validation (admin@domain.com, webmaster@domain.com, etc.)
- DNS TXT record
- HTTP file upload (placing a verification file on your site)
Once validated, the CA provides:
yourdomain.crt(your SSL certificate)- One or more intermediate certificates (CA bundle)
4. Upload the Certificates to Your Apache Server
Move the certificate files into secure locations:
/etc/ssl/certs/yourdomain.crt
/etc/ssl/certs/intermediate.crt
/etc/ssl/private/yourdomain.key
Set proper permissions:
chmod 600 /etc/ssl/private/yourdomain.key
5. Configure Apache for HTTPS
Create or edit an SSL VirtualHost:
/etc/apache2/sites-available/yourdomain-ssl.conf
<VirtualHost *:443>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /var/www/yourdomain
SSLEngine on
SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
<Directory /var/www/yourdomain>
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/yourdomain-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/yourdomain-ssl-access.log combined
</VirtualHost>
Enable necessary modules and site config:
a2enmod ssl
a2ensite yourdomain-ssl.conf
systemctl reload apache2
Your site is now accessible over HTTPS.
6. Redirect HTTP to HTTPS (Recommended)
To automatically redirect all visitors to HTTPS, update your port 80 VirtualHost:
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect "/" "https://yourdomain.com/"
</VirtualHost>
Or use .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Want to Keep HTTP Accessible?
If your environment requires both HTTP and HTTPS (e.g., IoT devices or legacy APIs), simply skip the redirect step. Apache can serve both:
http://yourdomain.com(insecure)https://yourdomain.com(secure)
7. Restart Apache
systemctl restart apache2
8. Test the SSL Setup
Use free tools to verify the installation:
- SSL Labs Server Test
- Qualys SSL Checker
- WhyNoPadlock.com
Check for:
- Certificate validity
- Chain correctness
- Supported TLS versions
- Cipher strength
- Mixed-content warnings
Quick Summary (Cheat Sheet)
- Buy SSL from a third-party CA
- Generate private key + CSR
- Verify domain ownership
- Install certificate + chain + key
- Configure Apache HTTPS VirtualHost
- Redirect HTTP → HTTPS (optional)
- Restart server
- Test your setup
From ChatGPT as is. Looks to be correct.
