Installing Comodo Positive SSL Certs on Apache and OpenSSL

Updated 4/10/2014: Include new Comodo certificate names

Updated 2/9/2015: Include best practice for root certificate usage

The SSL industry is a big scam. All certificates are equally secure and what you’re really paying for is the name backing them. That’s why I always buy the cheapest certs I can get through Namecheap whenever I buy a domain (I keep forgetting that StartSSL offers them for free). So I end up with a Comodo Positive SSL certificate. Okay cool. They send you a bunch of files and I always forget how to install them on Apache. So for my and everyone’s future reference, here’s how.

Update: Today, as I was fixing the Heartbleed vulnerability on a site at work, I was issued a new Comodo PositiveSSL certificate that was different from the ones I had received in the past. The process is the same for the most part, but there's an extra file and the files have different names. I will indicate the alternative versions of these in this write-up for those who receive the new crt files.

Update 2: After having gone through this a number of times now, I’m updating this article to be generally better all around and include more up to date information about the new Comodo PositiveSSL certificates and Apache configuration.

The Setup

Before you go ahead and install the certificates you need to set up your virtual hosts and Apache configuration.

If you are running Apache 2.2 (if you’re using Ubuntu 12.10 or earlier then you are):

In /etc/apache2/ports.conf add:

# Replace IP with your own and make sure you keep it at port 443

If you're running Apache 2.4 (Ubuntu 14.04 uses this version): Do not add the line above to your ports.conf file. Starting in Apache 2.4 this line is deprecated and is implied simply by having a VirtualHost config like the one below. In future versions of Apache, adding the above line to your ports file will cause Apache to fail to start.

Then in your vhost file which is usually located at /etc/apache2/sites-available/ add the following block:

     <VirtualHost YOUR.SERVER.IP:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/
     SSLCertificateKeyFile /etc/apache2/ssl/
     SSLCACertificateFile /etc/apache2/ssl/

     DocumentRoot /var/www/
     ErrorLog /var/www/
     CustomLog /var/www/ combined
     </VirtualHost>

This is where it gets tricky. Look at lines 3 – 5. Those are the certificate files you’ll need. When you get the files back from the SSL issuer you’ll need to point these lines at the correct files.

SSLCertificateFile

This is the actual SSL certificate. Comodo will name it after your domain. So just plop it in the correct directory, /etc/apache2/ssl/, and make sure line 3 of your vhost file points to it.

SSLCertificateKeyFile

When you first generated your CSR to send to the commercial SSL issuer you should have gotten a key file. You just need to move it into the same folder as your SSL cert if it's not there already and point line 4 of your vhost config to it.

SSLCACertificateFile

This is the bad one! It always trips me up. So here's the deal. When Comodo sends you that zip file with 3 (or 4) individual CRT files in it, you need to combine a couple of them into one file. You can ignore the file named after your domain and just focus on the other two. You need to combine them into one file in a very specific order: the intermediate certificate that signed yours comes first, so paste the one named something like "PositiveSSLCA-whatever.crt" before the "AddTrustExternalCARoot.crt" file.

Run this command to generate a file that matches your vhost config, remembering to change the file names to whatever the SSL issuer has given you:

cat PositiveSSLCA.crt AddTrustExternalCARoot.crt >

Update: The new intermediate certificates have new names. The AddTrustExternalCARoot.crt file remains the same, but there is both a new intermediate file and the original one has been renamed. You may now have the following files:

  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt

To concatenate these files in the correct order you’ll run:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt >

Technically the AddTrustExternalCARoot.crt file is not needed, but some people have noted that older versions of Apache require you to use it. You can always try a version that leaves it out and then add it in if your server complains. To add the root to your chain, just add AddTrustExternalCARoot.crt as the final argument before the >. Again, it is highly recommended that you do not include the CA root file in your chained certificate.

Then just scp your domain's SSL certificate and the chain file you just created to your server and you'll be good to go. Make sure to restart Apache (sudo service apache2 restart) before testing it out.
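As an added example (not part of the original post), the shell functions below check the three files the vhost points at before you restart Apache: that the private key really is the one the certificate was issued for, that the concatenated chain file is in the order Apache expects (each certificate issued by the one after it), and whether the root CA was concatenated in, which the post recommends leaving out. They assume openssl is installed; the paths in the usage block are placeholders for whatever Comodo named your files.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for the key,
# certificate and chain files before restarting Apache. Assumes openssl on PATH.

# key_matches_cert KEY CERT -> 0 if the key's public half equals the
# certificate's public key, i.e. this is the key the CSR was generated from
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$2") || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# nth_cert FILE N -> print the Nth PEM certificate block (1-based) of FILE
# (no trailing-$ anchor so files with CRLF line endings, as some zips have, still work)
nth_cert() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# dn FILE N FIELD -> subject or issuer (FIELD = subject|issuer) of certificate N,
# with the "subject=" / "issuer=" prefix stripped so the two can be compared
dn() {
    nth_cert "$1" "$2" | openssl x509 -noout "-$3" | sed "s/^$3= *//"
}

# chain_in_order FILE -> 0 if every certificate in FILE is issued by the one
# that follows it: intermediate first, then its issuer, root (if any) last
chain_in_order() {
    n=$(count_certs "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(dn "$1" "$i" issuer)" != "$(dn "$1" "$j" subject)" ]; then
            echo "certificate $i in $1 is not issued by certificate $j" >&2
            return 1
        fi
        i=$j
    done
}

# chain_ends_with_root FILE -> 0 if the last certificate is self-signed,
# i.e. the CA root was concatenated in (works, but not needed)
chain_ends_with_root() {
    n=$(count_certs "$1")
    [ "$(dn "$1" "$n" subject)" = "$(dn "$1" "$n" issuer)" ]
}

# Usage: ./check-ssl-files.sh KEY CERT CHAIN (placeholder paths below)
#   ./check-ssl-files.sh /etc/apache2/ssl/yourdomain.key \
#       /etc/apache2/ssl/yourdomain.crt /etc/apache2/ssl/yourdomain-chain.crt
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate"
    chain_in_order "$3" && echo "chain order OK"
    chain_ends_with_root "$3" && echo "note: chain includes the CA root, which is not needed"
fi
```

Run it against the files before the scp; a key/certificate mismatch or a chain pasted in the wrong order is exactly what Apache will otherwise refuse to start on (or browsers will reject) after the restart.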
