Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up an SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key and a CSR (Certificate Signing Request). Generate both on the server that will terminate TLS, so the private key never has to be copied anywhere; the CSR is the only part that leaves the machine. You'll be asked to paste the content of the CSR file when ordering the certificate, and the Common Name you enter while generating it must be the hostname you want the certificate for (www.example.com in this walkthrough).

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. Keep it private; you'll need it later to configure nginx.
  • example_com.csr -- your CSR file, which you submit to the CA.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

The file names above are the ones in the zip at the time of writing. The AddTrust External CA Root expired on 30 May 2020 and Comodo CA has since become Sectigo, so a newer zip will carry differently named root and intermediate files; substitute whatever you received in the commands below, keeping the roles (your certificate, then the intermediates, then the root) the same.

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle, leaving out the root certificate as clients will already have it installed. The order matters: nginx sends the certificates in file order and treats the first one as the server certificate, so the file must start with your own certificate, followed by the intermediates from the one that signed it up towards the root:

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt > ssl-bundle.crt
    

    Only if the root is a self-signed root that clients do not already trust (a private CA, say) do you need to ship it too; in that case append it at the end of the bundle. For a public CA like Comodo, browsers and operating systems already carry the root, so leave it out.

  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    

    Note that Apache (before 2.4.8) doesn't use a single combined file: SSLCertificateFile takes your own certificate, and SSLCertificateChainFile takes a file containing only the intermediate certificates. Since 2.4.8, SSLCertificateFile accepts the same leaf-plus-intermediates bundle used here and SSLCertificateChainFile is deprecated. Either way the root is again unnecessary for a public website.

  3. Ensure your private key is somewhere nginx can read it, and that nobody else can read it. When nginx is started as root (which the usual service setup does), the master process loads the key before dropping privileges, so the file can be owned by root with mode 0600; the worker user never needs access to it:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;"
        listen 443 ssl;
    
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    
        # side note: never offer SSLv2 or SSLv3 (both are broken; SSLv3 to POODLE).
        # TLS 1.0 and 1.1 are deprecated as well (RFC 8996), so offer only 1.2 and 1.3;
        # the TLSv1.3 token needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
    
        # ...
    
    }
    

    Configuration code can be autogenerated from: https://mozilla.github.io/server-side-tls/ssl-config-generator/ (the generator now lives at https://ssl-config.mozilla.org/).

  5. Check the configuration with nginx -t, then reload nginx (nginx -s reload, or your service manager's reload) so the new certificate and key are picked up.
  6. Verify your site's SSL configuration using: openssl s_client -connect site.com:443 -servername site.com -showcerts. The -servername option sends the SNI name, which matters as soon as the server hosts more than one certificate. In the output, the "Certificate chain" section should list your certificate at depth 0 followed by the intermediates, and the last lines should read "Verify return code: 0 (ok)". "unable to get local issuer certificate" means an intermediate is missing from the bundle; desktop browsers may hide that by fetching the intermediate themselves, but clients such as curl, Java or Android will not.
[1] I purchased mine through Namecheap.com.
[2] Based on these instructions: http://goo.gl/4zJc8
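The checks worth running on a bundle before pointing ssl_certificate at it (step 1's ordering rule, step 3's key, step 6's chain verification), as an added example that is not part of the original gist or of nginx/openssl. It builds a constructed root/intermediate/leaf hierarchy with the openssl CLI in place of the Comodo files (every key, certificate, hostname and file name is a stand-in), assembles the bundle both correctly and in reversed order, and runs three checks on each: the first certificate belongs to the private key, each certificate is issued by the next, and the chain verifies for the hostname against the root. The functions bundle_matches_key, bundle_in_issuer_order and bundle_chain_ok are written here for the example; they are not openssl or nginx features.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: a throw-away CA hierarchy
# mirroring the Comodo zip (root -> intermediate -> leaf), an nginx bundle in
# the correct and in the wrong order, and the checks to run on each.
# Needs only the openssl CLI (1.1.1 or later). Everything below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as a CA, and as a leaf for one host.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Stand-in for the root CA certificate in the zip (self-signed).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Root CA' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext \
  -out root.crt 2>/dev/null
# Stand-in for the intermediate CA certificate (signed by the root).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Intermediate CA' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
  -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
# Stand-in for your own key, CSR and issued certificate (the gist's first step).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.com' \
  -keyout www_example_com.key -out www_example_com.csr 2>/dev/null
openssl x509 -req -in www_example_com.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out www_example_com.crt 2>/dev/null

# The bundle nginx wants: your certificate first, then the intermediates towards
# the root, root itself left out. The second file is the classic mistake.
cat www_example_com.crt inter.crt > ssl-bundle.crt
cat inter.crt www_example_com.crt > wrong-order.crt

cert_count() {  # number of PEM certificates in $1
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

bundle_matches_key() {  # $1 = bundle, $2 = private key
  # 'openssl x509' reads only the first certificate in the file, which is the
  # one nginx presents as the server certificate; its public key must be the
  # public half of the key named in ssl_certificate_key.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

bundle_in_issuer_order() {  # $1 = bundle: every cert must be issued by the next one
  local dir n i iss sub
  dir="$(mktemp -d)"
  awk -v p="$dir/c" '/-----BEGIN CERTIFICATE-----/{n++} {print > (p "." (n-1) ".pem")}' "$1"
  n="$(cert_count "$1")"
  i=0
  while [ "$i" -lt $((n - 1)) ]; do
    iss="$(openssl x509 -in "$dir/c.$i.pem" -noout -issuer)"
    sub="$(openssl x509 -in "$dir/c.$((i + 1)).pem" -noout -subject)"
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then rm -rf "$dir"; return 1; fi
    i=$((i + 1))
  done
  rm -rf "$dir"
}

bundle_chain_ok() {  # $1 = bundle, $2 = trusted root, $3 = hostname nginx serves
  # Verify the first certificate of the bundle, with the rest as untrusted
  # intermediates and the root as the only trust anchor. The hostname check is
  # what catches a reversed bundle: the intermediate chains to the root just as
  # well, so plain chain verification on its own would pass it.
  openssl verify -CAfile "$2" -untrusted "$1" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

yn() { if "$@"; then echo yes; else echo no; fi; }

report() {  # $1 = bundle, $2 = key, $3 = root, $4 = hostname
  printf '%s: %s cert(s), first is "%s"\n' "$1" "$(cert_count "$1")" \
    "$(openssl x509 -in "$1" -noout -subject)"
  printf '  first cert matches key: %s\n' "$(yn bundle_matches_key "$1" "$2")"
  printf '  leaf-to-root order:     %s\n' "$(yn bundle_in_issuer_order "$1")"
  printf '  verifies for %s: %s\n' "$4" "$(yn bundle_chain_ok "$1" "$3" "$4")"
}

report ssl-bundle.crt  www_example_com.key root.crt www.example.com
report wrong-order.crt www_example_com.key root.crt www.example.com
```

The three checks carry over unchanged to the real files: run them against the ssl-bundle.crt and example_com.key from the steps above, with your hostname in place of www.example.com. For a public CA you do not have (or want) a root file to pass as -CAfile; leaving -CAfile off makes openssl verify fall back to the system trust store, which is exactly the trust a client would bring.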