Comodo seems to change the way it issues SSL certificates every other day. I’ve written in the past on how to install SSL certificates on both Apache and Nginx but last night I bought yet another Comodo PositiveSSL certificate and once again I had to figure out how to properly install it along with the chain certificates. Here’s the most recent version of how to install a Comodo Positive SSL certificate on a server running Nginx.
In the past Comodo would send you a root certificate, some chain certs, and your website’s certificate. With Nginx, you can get away with simply referencing your key file and your domain’s certificate without referencing the chain and browsers would accept it just fine. The problem is that the SSL Labs test will cap your grade at B if you don’t include the chain certificates.
So now we need to update, yet again, how to install Comodo’s SSL certificate on Nginx.
The files
You’ll be sent two files when you buy a Positive SSL certificate now: a .ca-bundle file which includes the certificate chain, and a yourdomain.crt certificate which is your site’s SSL certificate. Up until recently you could have ignored the .ca-bundle file and just focused on the .crt file but now SSL Labs says that including the chain is important so here are the new steps:
You have to concatenate the ca-bundle file with your crt file before installation.
When you first created your CSR you should have been left with a .key file and a .csr file on your server. Make sure to run sudo chmod 400 mysite.com.key to set proper permissions on your key file.
Next, you need to concatenate your certificate file with the chain file. The command for this is:
This will leave you with a new, third file called my.domain.com.crt. Upload this file to your server (I put mine in /etc/ssl/localcerts/) and then, with ssl enabled in your server configuration file, add the following lines to this file:
You should also set the proper permissions on your certificate file by running sudo chmod 400 /etc/ssl/localcerts/my.domain.com.crt.
Test your configuration by running sudo nginx -t. If Nginx says all is well then restart your server with sudo service nginx restart and you’ll be good to go.
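The concatenation step above, as an added example and not the author's original command: it writes the site certificate first and the .ca-bundle second, which is the order Nginx requires, and rejects the malformed file a plain cat produces when the .crt lacks a final newline. The function names, file names and the key path in the comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example; file names are placeholders, not the names Comodo sends.
# nginx then points at the combined file (key path is an assumption):
#   ssl_certificate     /etc/ssl/localcerts/my.domain.com.crt;
#   ssl_certificate_key /etc/ssl/localcerts/mysite.com.key;

# check_fullchain FILE: two or more certificates, each marker alone on its line.
check_fullchain() {
    local file=$1 begins ends
    [ -r "$file" ] || return 1
    begins=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -x -e '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "$file: $begins BEGIN / $ends END markers, expected leaf + chain" >&2; return 1
    fi
    # Base64 never contains '-', so dashes on any other line mean glued blocks.
    if grep -v -x -e '-----BEGIN CERTIFICATE-----' -e '-----END CERTIFICATE-----' \
        "$file" | grep -q -e '-----'; then
        echo "$file: PEM marker shares a line with other data" >&2; return 1
    fi
}

# build_fullchain SITE_CRT CA_BUNDLE OUT: site certificate first, then the chain.
build_fullchain() {
    local leaf=$1 bundle=$2 out=$3 f tmp
    for f in "$leaf" "$bundle"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    tmp=$(mktemp "$out.XXXXXX") || return 1    # mktemp creates it mode 0600
    # Per file: drop CRs and end every line with a newline, so a site
    # certificate without a final newline cannot fuse with the bundle.
    for f in "$leaf" "$bundle"; do awk '{ sub(/\r$/, ""); print }' "$f"; done > "$tmp"
    check_fullchain "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 400 "$tmp" && mv -f "$tmp" "$out"
}

# Demo on constructed placeholder PEM text (not real certificates).
demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' > "$d/site.crt"
    printf '%s' '-----END CERTIFICATE-----' >> "$d/site.crt"   # no final newline
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0hBSU4=' \
        '-----END CERTIFICATE-----' > "$d/site.ca-bundle"
    build_fullchain "$d/site.crt" "$d/site.ca-bundle" "$d/full.crt" && cat "$d/full.crt"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The check only validates the PEM structure; sudo nginx -t is still what confirms that the certificate and key load together.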
I don’t know why Comodo seems to be so inconsistent with the number and names of certificate files that they send out but for $9 I’m not going to complain. So that’s the latest way to install Comodo’s PositiveSSL certificate on Nginx if they send you a zip file filled with a .crt and .ca-bundle
Not what you were looking for?
I’ve written about how to install other variations of Comodo’s PositiveSSL certificate for both Apache and Nginx. Here are those articles if this one doesn’t apply to you: