@dpapathanasiou
Last active March 11, 2023 12:15
Installing Comodo SSL Certificates

Create the Certificate Signing Request (CSR) file

openssl req -nodes -newkey rsa:4096 -keyout example_com.key -out example_com.csr

Prepare the Bundle file

Unzip the file Comodo sends back and create a single certificate bundle file.

This is the tricky part: the .crt files must be concatenated in order (your certificate first, then each intermediate, then the root). If the sequence is wrong, browsers report errors such as "not trusted" or "no issuer chain was provided".

unzip example_com.zip
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.ca-bundle
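Because a mis-ordered bundle only shows up as a browser error after deployment, it is worth checking the file before it is moved into place. The script below is an added example, not part of the gist: it walks a PEM bundle leaf-first, confirms that each certificate's issuer is the subject of the certificate that follows it, and then has openssl verify the signatures along that path. It assumes a POSIX sh with awk, sed and the openssl CLI; the file names and the throwaway chain built by `make_test_chain` for the self-test are constructed here, not Comodo's.

```shell
#!/bin/sh
# check-bundle.sh: sanity-check the order of a PEM certificate bundle before
# it goes into SSLCertificateChainFile / ssl_certificate.
# Added example, not part of the gist. Assumes POSIX sh, awk, sed and the
# openssl CLI; file names and the self-test chain are constructed.
#
# Usage: sh check-bundle.sh example_com.ca-bundle
#        sh check-bundle.sh --selftest   (builds a throwaway chain, checks both orders)
set -u

# check_bundle FILE: require that each certificate's issuer is the subject of
# the certificate after it, then let openssl verify signatures along that path.
# Returns 0 when the bundle is internally consistent, 1 otherwise. The last
# certificate is used as the trust anchor, so this confirms the ordering and
# the signatures, not that browsers trust the chain.
check_bundle() {
    bundle=$1
    tmp=$(mktemp -d)
    # One file per certificate, numbered in the order they appear in the bundle.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > (out) }
    ' "$bundle"
    if [ ! -f "$tmp/cert001.pem" ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi

    count=0
    prev_issuer=""
    last=""
    for f in "$tmp"/cert*.pem; do
        count=$((count + 1))
        last=$f
        # Strip the "subject=" / "issuer=" prefix so the two strings are comparable.
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        echo "  $count: subject=$subject"
        echo "     issuer=$issuer"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "ORDER ERROR: certificate $count should be the issuer of certificate $((count - 1))" >&2
            rm -rf "$tmp"
            return 1
        fi
        prev_issuer=$issuer
    done

    # Signature check from the leaf up; -partial_chain lets the final
    # certificate act as anchor even when the bundle omits the self-signed root.
    if openssl verify -partial_chain -CAfile "$last" -untrusted "$bundle" \
            "$tmp/cert001.pem" >/dev/null 2>&1; then
        echo "bundle OK: $count certificate(s), leaf chains to the last certificate"
        rm -rf "$tmp"
        return 0
    fi
    echo "VERIFY ERROR: openssl could not build a chain from the leaf" >&2
    rm -rf "$tmp"
    return 1
}

# make_test_chain DIR: build a constructed root -> intermediate -> leaf chain
# (root.crt, int.crt, leaf.crt) for the self-test. Not real CA material.
make_test_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

case "${1:-}" in
    --selftest)
        d=$(mktemp -d)
        make_test_chain "$d"
        cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/good.ca-bundle"
        cat "$d/root.crt" "$d/int.crt" "$d/leaf.crt" > "$d/bad.ca-bundle"
        echo "== correct order (leaf, intermediate, root) =="
        check_bundle "$d/good.ca-bundle"
        echo "== reversed order =="
        check_bundle "$d/bad.ca-bundle" || echo "(rejected, as expected)"
        rm -rf "$d"
        ;;
    "") ;;   # no argument: only define the functions (e.g. when sourced)
    *) check_bundle "$1" ;;
esac
```

Run it against example_com.ca-bundle after the cat above; the `--selftest` mode shows the same check passing on a correctly ordered chain and failing on a reversed one. The comparison is on the printed subject and issuer names, which is how a server-side chain is matched before any signature is checked, so a mismatch here is exactly the case that produces the "no issuer chain" browser error.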

Install the certificate and key files, then clean up

mv example_com.ca-bundle /etc/ssl/certs
mv example_com.crt /etc/ssl/certs
mv example_com.csr /etc/ssl/private
mv example_com.key /etc/ssl/private
rm *.crt

Update the http server configuration

For Apache2

Uncomment these lines in httpd.conf:

#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-default.conf

Then, uncomment and change these lines in extra/httpd-default.conf:

SSLCertificateFile "/etc/ssl/certs/example_com.crt"
SSLCertificateKeyFile "/etc/ssl/private/example_com.key"
SSLCertificateChainFile "/etc/ssl/certs/example_com.ca-bundle"
# disable SSLv3 support (POODLE exploit)
SSLProtocol All -SSLv2 -SSLv3

Confirm the configuration before restarting:

apachectl configtest

It should say:

Syntax OK

Which means it's safe to restart:

apachectl restart

For nginx

Add these lines to /etc/nginx/conf.d/default.conf (nginx expects ssl_certificate to hold the server certificate followed by its chain, which is the order of the bundle built above):

   listen   443 ssl;
   ssl_certificate       /etc/ssl/certs/example_com.ca-bundle;
   ssl_certificate_key   /etc/ssl/private/example_com.key;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disable SSLv3 support (POODLE exploit)

Confirm the configuration before restarting:

/etc/init.d/nginx configtest

It should say:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Which means it's safe to restart:

/etc/init.d/nginx restart

Confirm the configuration

Check the deployed site from the outside with the SSL Server Test (Qualys SSL Labs, https://www.ssllabs.com/ssltest/), which reports chain problems and the protocols the server still accepts.
