Setting up an SSL Certificate from Comodo


I bought SSL certs from DomainEsia.com, which resells SSL certs from Comodo (http://www.comodo.com/).

These are the steps I went through to set up an SSL cert.

Purchase the certificate

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. You'll need this later to configure nginx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL certificate

Combine everything for nginx:

  1. Combine the above crt files into a bundle (the order matters here).

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

  2. Combine the CA crt files into a bundle for the OCSP stapling feature (the order matters here).

    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > full_chain.pem

  3. Store the bundles wherever nginx expects to find them.

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    mv full_chain.pem /etc/nginx/ssl/example_com/

  4. Ensure your private key is somewhere nginx can read it, as well.

    mv example_com.key /etc/nginx/ssl/example_com/

  5. Make sure your nginx config points to the right cert file and to the private key you generated earlier.

    server {
        # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listener instead
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities;
        # TLS 1.0 and 1.1 are deprecated as well (RFC 8996)
        ssl_protocols TLSv1.2 TLSv1.3;

        # if you want stapling enabled
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/example_com/full_chain.pem;
    }

  6. Restart nginx (e.g. service nginx restart or systemctl restart nginx).
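
The key pairing and bundle order from the steps above can be checked before nginx is restarted. This is an added example, not part of the original gist; the function names, the script name in the usage comment, and the throwaway chain built by make_demo_chain are assumptions for illustration.

```bash
#!/bin/sh
# Pre-flight checks to run before restarting nginx. Added example: the
# function names and the throwaway demo chain are assumptions, not the page's.

# True when KEY and CERT carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when each certificate in BUNDLE was issued by the one that follows it
# (leaf first, root last): issuer of cert N must equal subject of cert N+1.
bundle_order_ok() {  # usage: bundle_order_ok BUNDLE
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9); if (n++ && s != issuer) bad = 1 }
             /^issuer=/  { issuer = substr($0, 8) }
             END         { exit (bad || n == 0) }'
}

# Writes a constructed root -> intermediate -> leaf chain into directory $1 so
# the checks can be tried offline. These are not real Comodo certificates.
make_demo_chain() (
    cd "$1" || exit 1
    new_csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
                    -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
    sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
                 -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null; }
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 1 \
        -keyout root.key -out root.crt 2>/dev/null &&
    new_csr int "Demo Intermediate" && sign int root &&
    new_csr leaf "www.example.com" && sign leaf int
)

# Real use: sh check_bundle.sh example_com.key www_example_com.crt ssl-bundle.crt
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; exit 1; }
    bundle_order_ok "$3" || { echo "bundle is out of order"; exit 1; }
    echo "key and bundle look consistent"
fi
```

bundle_order_ok compares issuer and subject names only; it does not validate signatures or expiry dates.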