Skip to content

Instantly share code, notes, and snippets.

@sonyarianto
Last active August 9, 2017 02:46
Show Gist options
  • Save sonyarianto/c8a08b64f7052e292f439fea56a715da to your computer and use it in GitHub Desktop.
Save sonyarianto/c8a08b64f7052e292f439fea56a715da to your computer and use it in GitHub Desktop.
Setting up a SSL Certificate from Comodo

Setting up a SSL Certificate from Comodo

I bought SSL Certs from DomainEsia.com and they resale SSL Certs from Comodo http://www.comodo.com/

These are the steps I went through to set up an SSL cert.

Purchase the certificate

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your Private key. You'll need this later to configure ngxinx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Commodo SSL certificate

Combine everything for nginx:

  1. Combine the above crt files into a bundle (the order matters, here).
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
  1. Combine the above crt files into a bundle for OCSP stapling feature (the order matters, here).
cat COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > full_chain.pem
  1. Store the bundle wherever nginx expects to find it.
mkdir -p /etc/nginx/ssl/example_com/
mv ssl-bundle.crt /etc/nginx/ssl/example_com/
mv full_chain.pem /etc/nginx/ssl/example_com/
  1. Ensure your private key is somewhere nginx can read it, as well.
mv example_com.key /etc/nginx/ssl/example_com/
  1. Make sure your nginx config points to the right cert file and to the private key you generated earlier.
    server {
        listen 443;

        ssl on;
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # if you want stapling enabled
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/example_com/full_chain.pem;
    }
  1. Restart nginx (e.g. service nginx restart or systemctl restart nginx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment