Using digital IDs in the web server Apache

The Web server Apache needs as PEM files:

  1. the unencrypted private key in /path/to/key.pem

  2. the server certificate in /path/to/cert.pem

  3. the intermediate CA certificates in /path/to/chain.pem

You can give three different files or a single file containg keys and certificates in this order. Names and paths can be chosen freely.

With the configuration statements below can be indicated which files are to be used:

SSLCertificateKeyFile   /path/to/key.pem

SSLCertificateFile      /path/to/cert.pem

SSLCertificateChainFile /path/to/chain.pem

We furthermore recommend the following settings:

Deactivate insecure SSL/TLS protocols:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Deactivate insecure encryption methods and prefer the best methods[1][3]:


SSLHonorCipherOrder on

or, even stricter[2][3], according to the recommendation of the DFN-PKI team:


SSLHonorCipherOrder on

The above line SSLCipherSuite "..." only works for connections with TLS 1.2 (and older if not deactivated).
Ciphers for connections with TLS 1.3 could be customized with an additional line SSLCipherSuite TLSv1.3 "..." if necessary.

Activate OCSP stapling (please use the same path as with SSLSessionCache):

SSLUseStapling on

SSLStaplingReturnResponderErrors off

SSLStaplingCache shmcb:/..../..../sslstaplingcache(512000)


[1] As a practical test over several days in the university's web server park has shown, all clients that support TLS 1.2 can handle at least one of these encryption methods, so nobody is locked out.

[2] As a practical test over several days in the university's web server park has shown, this tightening of the rules affects only 0,7 % of all accesses, all from outdated systems with known security problems.

[3] Apache uses the OpenSSL writing of the names. The original names are: