@gangsta
Last active August 19, 2024 06:45
How to Setting Up a Comodo SSL Cert

  • I advise you to buy SSL certificates only from Comodo directly, or from an SSL reseller you trust.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate:

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

example_com.key — your private key. You'll need this later to configure nginx.
example_com.csr — your CSR file.

Now purchase the certificate, follow the steps on their site, and you should soon get an email with your PositiveSSL certificate. It contains a zip file with the following:

Root CA Certificate – AddTrustExternalCARoot.crt
Intermediate CA Certificate – COMODORSAAddTrustCA.crt
Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate – www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx:

Concatenate the above .crt files into a single bundle: your own certificate first, then the intermediates, then the root (the order matters here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/

Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/

Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        # "listen 443 ssl;" is the current form; the older "ssl on;" directive
        # was removed in nginx 1.25.1, so don't rely on it on a current build
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        # (TLSv1 and TLSv1.1 have since been deprecated as well; prefer TLSv1.2 and newer)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # ...

    }

Restart nginx.

To build the CA bundle on its own (without your server certificate), follow the steps below.

For Comodo PositiveSSL CA certificates these are AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt.

To combine them, run the following command in a terminal (note that >> appends, so start from a bundle.crt that does not already exist):

$ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt

If you have a newer version of the certificate, use the documentation below.

2019 Comodo Certificates

For Comodo certificates you should receive a zip archive with *.crt and .ca-bundle files. GeoTrust/Thawte/Symantec send certificates in plain text; simply save them as text files (Notepad is enough). For Comodo PositiveSSL the files look like the ones below:

  • yourdomainname.crt
  • yourdomainname.ca-bundle

or you may receive the CA bundle in separate files, as provided below:

  • SectigoRSADomainValidationSecureServerCA.crt
  • USERTrustRSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt

Combine the CA certificates into a single file.

If you received several CA certificates in separate files, combine them into a single file to make the CA bundle. You can also download a completed bundle file here.

For Comodo PositiveSSL CA certificates in 2019 these are AddTrustExternalCARoot.crt, USERTrustRSAAddTrustCA.crt and SectigoRSADomainValidationSecureServerCA.crt.

To combine them, run the following command in terminal:

$ cat SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt >> CA_bundle.crt

For Nginx

$ cat www_example_com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl_bundle.crt

How do I verify that a private key matches a certificate? (OpenSSL)

To verify that a private key matches its certificate, compare the modulus of the certificate against the modulus of the private key. Both are hashed with md5 below only so that the two values are short enough to compare by eye.

Run the following command to view the modulus of the certificate:

openssl x509 -noout -modulus -in server.crt | openssl md5

You will get a hash of the modulus, something like a77c7953ea5283056a0c9ad75b274b96

Run the following command to view the modulus of the private key:

openssl rsa -noout -modulus -in myserver.key | openssl md5

The output should be the same value as for the certificate above, i.e. a77c7953ea5283056a0c9ad75b274b96. If the two values differ, the key does not belong to this certificate.

To check that your certificate chains to the CA bundle, run the command below:

openssl verify -CAfile CA_bundle.crt www_example_com.crt
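An added example (my own script, not the gist's or Comodo's) that turns the checks above into something you can run before touching nginx: the key must belong to the leaf certificate, the bundle must be in the order the gist requires (leaf first, each certificate signed by the next), and the leaf must verify against the CA bundle. It assumes only the openssl CLI (1.1.1 or newer); the root, intermediate and leaf it uses are constructed throwaway certificates standing in for the AddTrust/USERTrust/Sectigo files, and the order check is general (any chain length), not just the one chain the gist shows.

```shell
#!/bin/sh
# Added example, not from the gist: scripts the three checks the gist does by eye:
# the key belongs to the leaf cert, the nginx bundle is in the required order
# (leaf first, each cert's issuer = subject of the next), and the leaf verifies
# against the CA bundle. Assumes only the openssl CLI (1.1.1+), POSIX sh and awk.
set -eu
# Same check as the gist's modulus/md5 comparison, but it compares the whole
# public key, so it needs no hash and also works for non-RSA (e.g. ECDSA) keys.
key_matches_cert() {  # key_matches_cert KEY CERT
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# "The order matters": split a PEM bundle and check issuer(n) == subject(n+1).
bundle_order_ok() {  # bundle_order_ok BUNDLE
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERT/{n++} {print > (d "/c" n ".pem")}' "$1"
  i=1; ok=0
  while [ -f "$d/c$((i + 1)).pem" ]; do
    iss=$(openssl x509 -in "$d/c$i.pem" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/c$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=1
    i=$((i + 1))
  done
  rm -rf "$d"; return $ok
}

# Constructed test material standing in for www_example_com.crt and the CA
# files: a throwaway root -> intermediate -> leaf chain written into DIR.
make_test_chain() (  # make_test_chain DIR  (subshell body, so the cd stays local)
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
    -out root.crt 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out intermediate.crt 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 2 -out leaf.crt 2>/dev/null
  cat intermediate.crt root.crt > CA_bundle.crt             # the gist's CA_bundle.crt
  cat leaf.crt intermediate.crt root.crt > ssl-bundle.crt   # nginx order from the gist
  cat root.crt intermediate.crt leaf.crt > wrong-order.crt  # same files, reversed
)

dir=$(mktemp -d); make_test_chain "$dir"
key_matches_cert "$dir/leaf.key" "$dir/leaf.crt" && echo "leaf.key matches leaf.crt"
bundle_order_ok "$dir/ssl-bundle.crt" && echo "ssl-bundle.crt: order OK"
bundle_order_ok "$dir/wrong-order.crt" || echo "wrong-order.crt: chain is out of order"
openssl verify -CAfile "$dir/CA_bundle.crt" "$dir/leaf.crt"
```

Point the three functions at your real example_com.key, ssl-bundle.crt and CA_bundle.crt instead of the generated ones; a bundle that fails bundle_order_ok is exactly the "Chain issues" case SSL Labs reports.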

How to Convert .pem to .crt (DER format) with OpenSSL

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

How to Create .pem file including Certificate and Private Key

  • How to create a self-signed PEM file:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

  • How to create a PEM file from existing certificate files that form a chain:

(optional) Remove the passphrase from the private key by following the steps listed below:

openssl rsa -in server.key -out nopassword.key

Note: enter the passphrase of the private key when prompted.

  • Combine the private key, public certificate and any 3rd party intermediate certificate files:
cat nopassword.key > server.pem
cat server.crt >> server.pem

Note: repeat this step as needed for third-party certificate chain files, bundles, etc.:

cat intermediate.crt >> server.pem
  • Always remember the order: first the key, then the certificate, then the intermediate(s).

How to create a PFX file from existing certificate files and key.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

openssl – the command for executing OpenSSL
pkcs12 – the file utility for PKCS#12 files in OpenSSL
  -export -out certificate.pfx – export and save the PFX file as certificate.pfx
  -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
  -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
  -certfile more.crt – optional; use it if you have any additional certificates (such as the intermediates) you would like to include in the PFX file.

Note: After entering the command, you will be prompted to enter and verify an export password to protect the PFX file. Remember this password! You will need it when you wish to export the certificates and key.

@berstend

berstend commented Feb 13, 2019

Lifesaver! Thanks @gangsta 👍 Couldn't figure out the correct order of the new Comodo certs 😄

@berstend

berstend commented Feb 13, 2019

Tip: To make SSL Labs happy (Chain issues: Contains anchor) remove the root cert from the chain (it's shipped with the browsers):

cat domain_com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt > tls.crt


@gangsta
Author

gangsta commented Mar 11, 2019

@berstend Thanks for comment and useful Tip 😉 👍

@kaoz70

kaoz70 commented Oct 21, 2019

When receiving certificates from COMODO, they will give you a My_CA_Bundle.cs-bundle file, this file WILL NOT WORK on Nginx, you will have to do the certificate bundling via the console command as mentioned here for Nginx

@gangsta
Author

gangsta commented Oct 21, 2019

Thanks for sharing @kaoz70 👍

@insinfo

insinfo commented Oct 9, 2021

update 2021

cat domain_com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt >> domain_com_chained.crt

@gangsta
Author

gangsta commented Oct 11, 2021

update 2021

cat domain_com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt >> domain_com_chained.crt

thanks for update, I'll add to document

@afanjul

afanjul commented Jan 3, 2022

Could you please update your GIST with the last SECTIGO certificates they provide?
AAACertificateServices.crt
SectigoRSADomainValidationSecureServerCA.crt
domain_com.crt
USERTrustRSAAAACA.crt

Probably you could add the OCSP stapling options for Nginx too (using the ssl_trusted_certificate param)

and maybe with the @berstend suggestion? Although according to Sectigo instructions, to be able to use "ssl_stapling_verify" you must use the intermediate and root certificates in your merged bundle file.

thanks

@khasan4bd

Hi, you also might need to add a little step on how to copy the certificates (the zip folder received via email from the CA) from the local machine to the nginx server using the scp command (scp filename.zip user@server: ), because this also needs to be done as part of the process to combine the certificates and store them on the server. Users like me (as a newbie) find it difficult to figure out how to copy the certificates from the local machine to the server.

@smotrikov

smotrikov commented Aug 10, 2022

Could you please update your GIST with the last SECTIGO certificates they provide? AAACertificateServices.crt SectigoRSADomainValidationSecureServerCA.crt domain_com.crt USERTrustRSAAAACA.crt

Probably you could add the OCSP stapling options for Nginx too (using the ssl_trusted_certificate param)

and maybe with the @berstend suggestion? Although according to Sectigo instructions, to be able to use "ssl_stapling_verify" you must use the intermediate and root certificates in your merged bundle file.

thanks

Try this
cat domain_com.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt AAACertificateServices.crt >> bundle.crt

@sapiensliberty

Excellent, it worked wonderfully for me with Sectigo SSL. Thank you very much.
