Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache

Posted: 2014-09-06 22:10:05

The problem with basic domain-validation certificates is they tend to have multiple “Intermediate CA” certificates that have to be bundled together and included into the setup, and the provided instructions on how to use those 3 additional certificate files is often missing, outdated, or just wrong. I think this is done by design, to get you to spend more on the more expensive extended validation certs (that don’t need multiple intermediary certs).

Aside from that, the basic low-end “domain validation” certs win on 3 fronts:

Here is how to install the most common certificate on the market, the Comodo PositiveSSL Certificate bundled with Root and Intermediate CA Certificates on Apache.

These instructions can be used on WampDeveloper Pro, on any other WAMP (Xampp, WampServer, etc) or Apache setup, and on Linux – with just some path changes. The fictitious domain used in this example is www.example.com.

Open the command line with elevated privileges (e.g., right-click cmd.exe and select ‘Run as admin’). And change to the website’s \certs folder:

C:
cd \WampDeveloper\Websites\www.example.com\certs\

1. Generate a 2048 bit private key named www_example_com.key.

openssl genrsa -out www_example_com.key 2048

2. Generate a Certificate Signing Request (csr) file named www_example_com.csr.

openssl req -new -sha256 -key www_example_com.key -out www_example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf

* Update the above line with the correct openssl “-config ...” path… On your WampDeveloper installation, update path for your drive letter. On other WAMPs, update the full path. And on Linux, leave that part out.

For “Common Name” enter:
www.example.com

For all other fields enter:
.

The “.” means empty / no value. Because you are purchasing a simple “domain validation” certificate, all other fields will get erased.

* If you specify the “www” host on the domain.name (as above), Comodo will issue the certificate for both: www.example.com and example.com

This is an example that I’ve entered for www.devside.net (where I filled out all the un-needed extra info / except for the city):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NC
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:DeveloperSide.NET
Organizational Unit Name (eg, section) []:DeveloperSide.NET
Common Name (eg, your name or your server's hostname) []:www.devside.net
Email Address []:admin@devside.net

Make sure to also input the dot “.” for these two fields, to generate a valid CSR:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

3. Open the “Certificate Signing Request” file www_example_com.csr and copy/paste its entire (full) contents into the proper box when activating the SSL Certificate you have purchased.

4. After the confirmation process, you’ll receive an email with an attached zip file named “www_example_com.zip”.
A. Save this file to some location.
B. Right click this file, select Properties. Click button: Unblock (or Windows won’t allow you to extract the certs due to security issues).
C. Extract the contents of the zip into the website’s \certs folder.

5. If the zip file does not contain the needed CA (Certificate Authority) Intermediate Certificates Bundle file (“www_example_com.ca-bundle”), create it yourself from the chain of intermediate certs:

copy /B COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + AddTrustExternalCARoot.crt PositiveSSL.ca-bundle

For Linux, this command would instead be:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle

This will create a file named PositiveSSL.ca-bundle containing the 3 CA (Certificate Authority) intermediate certificates, all in the proper order (that Apache + mod_ssl / openssl expect).

Each of the above intermediate certificates basically validates the one next to it (though in reverse order as stored in the file).

The authority chain starts with the root CA certificate that your Browser has on file, goes through all the provided CA intermediate certs, and finally ends with the public certificate file.

The actual validation check happens in the reverse order, starting with the public cert and going up, but that is not important except to note it is the reason for the “reverse” order of how the intermediate certs are stored in the bundle file.

6. Configure the website’s SSL VirtualHost file to use the private key, public certificate, and the bundled intermediate certificates chain file.

Edit the website’s SSL VirtualHost file:
C:\WampDeveloper\Vhosts\www.example.com.ssl.vh.conf

Update existing SSLCertificateFile and SSLCertificateKeyFile paths with the proper file names. And add in the SSLCertificateChainFile directive + path.

SSLCertificateFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.crt"
SSLCertificateKeyFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.key"
SSLCertificateChainFile "C:/WampDeveloper/Websites/www.example.com/certs/PositiveSSL.ca-bundle"

Save VirtualHost file.

7. Restart Apache.

Check your website –

PositiveSSL-Bundled-Chain