Installing Comodo Positive SSL Certs on Apache and OpenSSL
Updated on 4/10/2014
The SSL industry is a big scam. All certificates are equally secure and what you’re really paying for is the name backing them. That’s why I always buy the cheapest certs I can get through Namecheap whenever I buy a domain (I keep forgetting that StartSSL offers them for free). So I end up with a Comodo Positive SSL certificate. Okay cool. They send you a bunch of files and I always forget how to install them on Apache. So for my and everyone’s future reference, here’s how.
Update: Today, as I was fixing the Heartbleed vulnerability on a site at work, I was issued a new Comodo PositiveSSL certificate that was different than ones I had received in the past. The process is the same for the most part but there’s an extra file and they have different names. I will indicate the alternative versions of these in this write up for those who receive the new crt files.
The Setup
Before you go ahead and install the certificates you need to set up your virtual hosts and Apache configuration.
In /etc/apache2/ports.conf add:
Then in your vhost file, which is usually located at /etc/apache2/sites-available/yourdomain.com, add the following block:
This is where it gets tricky. Look at lines 3 – 5. Those are the certificate files you’ll need. When you get the files back from the SSL issuer you’ll need to point these lines at the correct files.
SSLCertificateFile
This is the actual SSL certificate. Comodo will name it after your domain. So just plop it in the correct directory /etc/apache2/ssl/ and make sure line 3 of your vhost file points to it.
SSLCertificateKeyFile
When you first generated your CSR to send to the commercial SSL issuer you should have gotten a key file. You just need to move it into the same folder as your SSL cert if it’s not there already and point line 4 of your vhost config to it.
SSLCACertificateFile
This is the bad one! It always trips me up. So here’s what the deal is. When Comodo sends you that zip file with 3 individual CRT files in it you need to combine a couple of them into one file. You can ignore the file named after your domain and just focus on the other two. You need to combine them into one file in a very specific order. You’ll want to do the one named something like “PositiveSSLCA-whatever.crt” before pasting the “AddTrustExternalCARoot.crt” file.
Run this command to generate a file that matches your vhost config, remembering to change the file names to whatever the SSL issuer has given you:
Update: The new intermediate certificates have new names. The AddTrustExternalCARoot.crt file remains the same, but there is both a new intermediate file and an original one that is renamed. You may now have the following files:
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
To concatenate these files in the correct order you’ll run:
Technically the AddTrustExternalCARoot.crt file is not needed but I have seen Apache complain when it isn’t present. You can always try to use a version that leaves that out and then add it in if your server complains.
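One way to do the concatenation step safely, as an added example that is not from the original post: `build_bundle` joins the CRT files in the order given and guards against files that lack a trailing newline or carry Windows line endings, and `show_chain` (needs openssl) prints each subject and issuer so the order can be confirmed. The function names and the file names `bundle.crt` and `intermediate.crt` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the file
# names bundle.crt / intermediate.crt are hypothetical.

# build_bundle OUT CERT...  - concatenate PEM certificates in argument order.
# A plain `cat a.crt b.crt` fuses "-----END CERTIFICATE-----" with the next
# BEGIN line when a.crt has no trailing newline, and OpenSSL cannot parse
# the result. CRs and blank lines are stripped for the same reason.
build_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "not a PEM certificate: $f" >&2
            rm -f "$tmp"
            return 1
        fi
        tr -d '\r' < "$f" | sed '/^[[:space:]]*$/d' >> "$tmp"
        # Terminate the last line if the source file did not.
        [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"
    done
    mv "$tmp" "$out"
}

# count_certs FILE - print the number of certificates; fail if BEGIN and END
# markers are unbalanced (a sign of a fused or truncated file).
count_certs() {
    [ -r "$1" ] || return 1
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -eq "$e" ] || return 1
    echo "$b"
}

# show_chain FILE - print subject/issuer of every certificate in the bundle.
# In a correctly ordered bundle each issuer equals the next subject.
show_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage (intermediate first, root last, as described above):
#   build_bundle bundle.crt intermediate.crt AddTrustExternalCARoot.crt
#   count_certs bundle.crt && show_chain bundle.crt
```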
Then just scp it to your server and you’ll be good to go. Make sure to restart Apache (sudo service apache2 restart) before testing it out.