
Installing Comodo Positive SSL Certs on Apache and OpenSSL

by 누피짱 2014. 9. 30.

Updated on 4/10/2014

The SSL industry is a big scam. A certificate from any CA gives you the same TLS security for the same key type and size; what you're really paying for is the name backing it and how much identity checking the CA did. That's why I always buy the cheapest certs I can get through Namecheap whenever I buy a domain (I keep forgetting that StartSSL offers them for free). So I end up with a Comodo Positive SSL certificate. Okay cool. They send you a bunch of files and I always forget how to install them on Apache. So for my and everyone's future reference, here's how.

Update: Today, as I was fixing the Heartbleed vulnerability on a site at work, I was issued a new Comodo PositiveSSL certificate that was different from the ones I had received in the past. The process is the same for the most part, but there's an extra file and they have different names. I will indicate the alternative versions of these in this write-up for those who receive the new crt files.

The Setup

Before you go ahead and install the certificates you need to set up your virtual hosts and Apache configuration.

Make sure mod_ssl is enabled (sudo a2enmod ssl on Debian/Ubuntu) and that /etc/apache2/ports.conf contains a Listen 443 line. Then, in /etc/apache2/ports.conf, add:

# Replace IP with your own and make sure you keep it at port 443
# (Apache 2.2 only: Apache 2.4 ignores NameVirtualHost with a warning, so omit it there)
NameVirtualHost 12.34.56.78:443

Then in your vhost file, which is usually located at /etc/apache2/sites-available/yourdomain.com (yourdomain.com.conf on Apache 2.4 layouts, enabled with a2ensite), add the following block:

<VirtualHost 12.34.56.78:443>
     SSLEngine On
     # The server certificate Comodo issued for your domain
     SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
     # The private key that went with your CSR; keep it mode 0600 and owned by root
     SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
     # The intermediate bundle, leaf-side certificate first. This is the directive
     # for the chain. SSLCACertificateFile also works for this with older mod_ssl,
     # but it really defines the CAs accepted for client-certificate authentication.
     # On Apache 2.4.8+ you may instead append the bundle to SSLCertificateFile.
     SSLCertificateChainFile /etc/apache2/ssl/yourdomain.com.cer

     ServerAdmin info@yourdomain.com
     ServerName www.yourdomain.com
     DocumentRoot /var/www/yourdomain.com/public_html/
     ErrorLog /var/www/yourdomain.com/logs/error.log
     CustomLog /var/www/yourdomain.com/logs/access.log combined
</VirtualHost>

This is where it gets tricky. The three SSL*File directives name the certificate files you'll need. When you get the files back from the SSL issuer you'll need to point each of them at the correct file.

SSLCertificateFile

This is the actual SSL certificate. Comodo will name it after your domain. So just put it in /etc/apache2/ssl/ and make sure the SSLCertificateFile directive in your vhost points to it. On Apache 2.2 only this one certificate goes in the file; on Apache 2.4.8 and later you may also append the intermediate certificates after it and drop the separate chain directive.

SSLCertificateKeyFile

When you first generated your CSR to send to the commercial SSL issuer you should have gotten a key file. You just need to move it into the same folder as your SSL cert if it's not there already and point SSLCertificateKeyFile in your vhost config at it. Keep the key readable by root only (chmod 600): anyone who can read it can impersonate your site. If you are reissuing because the old key may have leaked, as after Heartbleed, generate a new key and a new CSR rather than reusing the old key with the new certificate.

SSLCertificateChainFile

This is the bad one! It always trips me up. So here's what the deal is. When Comodo sends you that zip file with 3 individual CRT files in it you need to combine a couple of them into one file. You can ignore the file named after your domain and just focus on the other two. You need to combine them into one file in a very specific order: each certificate must be followed by the certificate that issued it, so the intermediate that signed your certificate comes first. That means the one named something like "PositiveSSLCA-whatever.crt" goes before the "AddTrustExternalCARoot.crt" file. This is the order the server sends to the client during the TLS handshake, and while most browsers will reorder a shuffled chain, not every client does.

Many guides point SSLCACertificateFile at this bundle. That works with older mod_ssl because OpenSSL will pull the intermediates out of that trust store to complete the chain, but the directive really defines the CAs accepted for client-certificate authentication. Use SSLCertificateChainFile for the chain (or, on Apache 2.4.8 and later, append the bundle to the SSLCertificateFile itself).

Run this command to generate a file that matches your vhost config, remembering to change the file names to whatever the SSL issuer has given you:

cat PositiveSSLCA.crt AddTrustExternalCARoot.crt > yourdomain.com.cer

Update: The new intermediate certificates have new names. The AddTrustExternalCARoot.crt file remains the same, but there is now an additional intermediate file, and the original intermediate has been renamed. You may now have the following files:

  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt

To concatenate these files in the correct order (your certificate's issuer first, then the certificate that issued that one, then the root) you'll run:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > yourdomain.com.cer

The AddTrustExternalCARoot.crt file is not needed in the bundle: browsers already hold that root in their trust stores and would not trust a root just because the server sent it, so including it only adds bytes to every handshake. It only appears to be required when the bundle is loaded through SSLCACertificateFile, because OpenSSL then builds the chain to send by verifying the server certificate against that file and needs the root to complete the path; with SSLCertificateChainFile the intermediates alone are enough. If your server complains without it, add it back and move on.

Then just scp it to your server and you'll be good to go. Check the configuration with sudo apache2ctl configtest, then restart Apache (sudo service apache2 restart) before testing it out. To confirm the full chain is actually being served, run openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com -showcerts from another machine: the intermediate certificates should be listed after your server certificate, and the output should end with "Verify return code: 0 (ok)" as long as that machine has the AddTrust External CA Root in its trust store.
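The bundling step above is easy to get wrong silently, so here is an added example (not code from the original post) that builds the bundle and checks it offline before the vhost is pointed at it: that each certificate in the bundle is followed by its issuer (the order the server should send), that the chain verifies up to the root, and that the private key actually belongs to the server certificate. It goes a little beyond the post by showing that openssl verify alone does not catch a mis-ordered bundle. It needs only the openssl CLI. Real Comodo files cannot ship with the page, so the script generates a throwaway hierarchy of the same shape (root, cross-signing CA, issuing CA, leaf) into $WORK; the file names are assumed stand-ins for the ones Comodo sends, and every certificate here is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: bundle the intermediates in
# leaf-to-root order and check the result before touching the vhost. The
# hierarchy below is generated on the fly as a stand-in for Comodo's zip.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# dn issuer|subject <cert.pem>: print the bare RFC 2253 DN
dn() { openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed "s/^$1= *//"; }

# new_cert <name> <CN> <issuer name, empty for self-signed> <extension file>
new_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Constructed stand-in for the files Comodo sends: root, two intermediates, leaf
make_demo_hierarchy() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:yourdomain.com\n' > "$WORK/leaf.ext"
  new_cert AddTrustExternalCARoot "Demo AddTrust External CA Root" "" "$WORK/ca.ext"
  new_cert COMODORSAAddTrustCA "Demo COMODO RSA CA cross-signed" AddTrustExternalCARoot "$WORK/ca.ext"
  new_cert COMODORSADomainValidationSecureServerCA "Demo COMODO RSA DV CA" COMODORSAAddTrustCA "$WORK/ca.ext"
  new_cert yourdomain.com yourdomain.com COMODORSADomainValidationSecureServerCA "$WORK/leaf.ext"
}

# build_bundle <out> <intermediate>...: concatenate in the order given
build_bundle() { out=$1; shift; cat "$@" > "$out"; }

# split_bundle <bundle> <dir>: write one cert per file, print how many there were
split_bundle() {
  awk -v d="$2" '/BEGIN CERT/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
                 n { print > f } /END CERT/ { close(f) } END { print n + 0 }' "$1"
}

# bundle_is_ordered <leaf> <bundle>: 0 if the leaf is issued by the first bundle
# cert, that one by the second, and so on (the order TLS expects the server to send)
bundle_is_ordered() {
  dir=$(mktemp -d); n=$(split_bundle "$2" "$dir"); prev=$1; i=1
  [ "$n" -gt 0 ] || return 1
  while [ "$i" -le "$n" ]; do
    cur=$(printf '%s/cert-%02d.pem' "$dir" "$i")
    [ "$(dn issuer "$prev")" = "$(dn subject "$cur")" ] || return 1
    prev=$cur; i=$((i + 1))
  done
}

# chain_verifies <leaf> <bundle> <root>: 0 if a path to the root exists. openssl
# verify builds the path itself, so this passes even when the bundle is mis-ordered.
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# key_matches_cert <cert> <key>: 0 if the RSA moduli agree
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

make_demo_hierarchy
cd "$WORK"
build_bundle yourdomain.com.cer COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
build_bundle wrong-order.cer COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt
for b in yourdomain.com.cer wrong-order.cer; do
  if bundle_is_ordered yourdomain.com.crt "$b"; then o=ordered; else o=MIS-ORDERED; fi
  if chain_verifies yourdomain.com.crt "$b" AddTrustExternalCARoot.crt; then v=verifies; else v=FAILS; fi
  echo "$b: $o, chain $v"
done
if key_matches_cert yourdomain.com.crt yourdomain.com.key; then echo "key matches cert"; fi
```

With the real Comodo files, skip make_demo_hierarchy and call bundle_is_ordered, chain_verifies and key_matches_cert on yourdomain.com.crt, the .cer you built, AddTrustExternalCARoot.crt and your key; a mis-ordered bundle still verifies, which is exactly why the order check is separate. Once Apache is restarted, openssl s_client with -showcerts against the live host is the equivalent check on what the server actually sends.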
