Another Way to Install PositiveSSL Certs on Nginx

Comodo seems to change the way it issues SSL certificates every other day. I’ve written in the past on how to install SSL certificates on both Apache and Nginx but last night I bought yet another Comodo PositiveSSL certificate and once again I had to figure out how to properly install it along with the chain certificates. Here’s the most recent version of how to install a Comodo Positive SSL certificate on a server running Nginx.

In the past Comodo would send you a root certificate, some chain certs, and your website’s certificate. With Nginx, you can get away with simply referencing your key file and your domain’s certificate without referencing the chain and browsers would accept it just fine. The problem is that the SSL Labs test will cap your grade at B if you don’t include the chain certificates.

So now we need to update, yet again, how to install Comodo’s SSL certificate on Nginx.

The files

You’ll be sent two files when you buy a Positive SSL certificate now: a .ca-bundle file, which includes the certificate chain, and a yourdomain.crt certificate, which is your site’s SSL certificate. Up until recently you could have ignored the .ca-bundle file and just focused on the .crt file, but now SSL Labs says that including the chain is important, so here are the new steps:

You have to concatenate the ca-bundle file with your crt file before installation.

When you first created your CSR you should have been left with a .key file and a .csr file on your server. Make sure to run sudo chmod 400 mysite.com.key to set proper permissions on your key file.

Next, you need to concatenate your certificate file with the chain file. The command for this is:

cat my_domain_com.crt my_domain_com.ca-bundle > my.domain.com.crt

This will leave you with a new, third file called my.domain.com.crt. Upload this file to your server (I put mine in /etc/ssl/localcerts/) and then, with ssl enabled in your server configuration file, add the following lines to that configuration file:

ssl_certificate /etc/ssl/localcerts/my.domain.com.crt;
ssl_certificate_key /etc/ssl/localcerts/my.domain.com.key;

You should also set the proper permissions on your certificate file by running sudo chmod 400 /etc/ssl/localcerts/my.domain.com.crt.

Test your configuration by running sudo nginx -t. If Nginx says all is well then restart your server with sudo service nginx restart and you’ll be good to go.
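A pre-upload check for the concatenation step above, as an added example that is not part of the original post: it builds the combined file with a newline guard between the two inputs, confirms every PEM marker sits on its own line, and confirms the key matches the first certificate in the file. The function names are hypothetical, the file names in the usage comment follow the article, and the key check assumes openssl is installed.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# file names in the usage comment follow the article.

# build_fullchain LEAF BUNDLE OUT: site certificate first, then the chain.
# A bare `cat` fuses "-----END CERTIFICATE-----" with the next
# "-----BEGIN CERTIFICATE-----" when LEAF lacks a trailing newline, and the
# resulting PEM does not load, so a newline is added where one is missing.
build_fullchain() {
    [ -s "$1" ] && [ -s "$2" ] || return 2
    {
        cat "$1"; [ -z "$(tail -c 1 "$1")" ] || echo
        cat "$2"; [ -z "$(tail -c 1 "$2")" ] || echo
    } > "$3"
}

# count_certs FILE: print the number of certificate blocks, or fail if a
# marker shares its line with other text or BEGIN/END are unbalanced.
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inside) bad = 1; inside = 0; n++; next }
        /-----(BEGIN|END) /             { bad = 1 }
        END { if (bad || inside || n == 0) exit 1; print n }
    ' "$1"
}

# key_matches_cert KEY FULLCHAIN: compare public keys. openssl x509 reads only
# the first certificate in the file, which is the one Nginx pairs with
# ssl_certificate_key, so this also catches a bundle-first concatenation.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Usage, run in the directory holding the files from the CA:
#   build_fullchain my_domain_com.crt my_domain_com.ca-bundle my.domain.com.crt \
#     && count_certs my.domain.com.crt \
#     && key_matches_cert my.domain.com.key my.domain.com.crt \
#     && echo "chain file OK"
```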

I don’t know why Comodo seems to be so inconsistent with the number and names of certificate files that they send out, but for $9 I’m not going to complain. So that’s the latest way to install Comodo’s PositiveSSL certificate on Nginx if they send you a zip file filled with a .crt and .ca-bundle.

Not what you were looking for?

I’ve written about how to install other variations of Comodo’s PositiveSSL certificate for both Apache and Nginx. Here are those articles if this one doesn’t apply to you:
