The problem with basic domain-validation certificates is that they come with multiple “Intermediate CA” certificates that have to be bundled together and included in the setup, and the CA’s instructions on how to use those 3 additional certificate files are often missing, outdated, or just wrong. I think this is done by design, to get you to spend more on the more expensive extended validation certs (that don’t need multiple intermediary certs).
Aside from that, the basic low-end “domain validation” certs win on 3 fronts:
- They cost $10 instead of $300.
- They are very easy to get, since the “validation” step (proving you control the domain, not who you are) is basically opening an email sent to one of the administrative addresses at the domain and clicking the provided link.
- They tend to give faster, more responsive page loads, because some browsers (Chrome among them) skip for DV certificates the live revocation check they still perform for EV certificates. Downloading the Certificate Revocation List (CRL) or querying the certificate’s status via OCSP can add an extra 0.5 to 2 seconds before the page is displayed, which is presumably why Amazon does not use an EV “green bar” cert.
Here is how to install the most common certificate on the market, the Comodo PositiveSSL certificate, together with its root and intermediate CA certificates, on Apache.
These instructions apply to WampDeveloper Pro, to any other WAMP (XAMPP, WampServer, etc.) or Apache setup, and to Linux, with just some path changes. The fictitious domain used in this example is www.example.com.
Open the command line with elevated privileges (e.g., right-click cmd.exe and select ‘Run as administrator’) and change to the website’s \certs folder:
C:
cd \WampDeveloper\Websites\www.example.com\certs\
1. Generate a 2048-bit private key named www_example_com.key:
openssl genrsa -out www_example_com.key 2048
2. Generate a Certificate Signing Request (CSR) file named www_example_com.csr:
openssl req -new -sha256 -key www_example_com.key -out www_example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf
* Update the above line with the correct openssl “-config ...” path. On a WampDeveloper installation, update the drive letter; on other WAMPs, update the full path; on Linux, leave that part out, since openssl finds its default openssl.cnf on its own.
For “Common Name” enter: www.example.com
For all other fields enter: .
The “.” means empty / no value. Because you are purchasing a simple “domain validation” certificate, the CA will discard all other fields anyway.
* If you specify the “www” host in the Common Name (as above), Comodo will issue the certificate for both www.example.com and example.com.
This is an example of what I entered for www.devside.net (where I filled out all the unneeded extra info, except for the city):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :NC
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:DeveloperSide.NET
Organizational Unit Name (eg, section) :DeveloperSide.NET
Common Name (eg, your name or your server's hostname) :www.devside.net
Email Address :email@example.com
Make sure to also input the dot “.” for these two ‘extra’ attributes (neither is used by the CA), to generate a valid CSR:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :.
An optional company name :.
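The same key and CSR as steps 1 and 2, generated without the interactive prompts and then inspected before its contents go into the order form. This is an added example, not part of the original tutorial: it assumes the openssl command-line tool is on PATH, writes into a temporary directory (or $WORK if that variable is set), and writes a minimal config file of its own, which is what the tutorial’s “-config” path supplies on Windows, where openssl does not find one automatically.

```shell
#!/bin/sh
# Added example, not from the tutorial. Non-interactive version of steps 1-2
# plus the checks worth running on the CSR before pasting it into the CA's form.
# Assumes: openssl on PATH; output directory $WORK (a temp dir by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/www_example_com.key"
CSR="$WORK/www_example_com.csr"
CNF="$WORK/req.cnf"

# Minimal openssl config: `req` insists on a distinguished_name section even
# when -subj supplies the DN. Stands in for the tutorial's -config path.
write_cnf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$CNF"
}

# Step 1: 2048-bit RSA key, unencrypted (Apache must read it unattended),
# so restrict it to the owner.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: -subj replaces the prompts. Giving only CN is the same as answering
# "." to every other field; -sha256 selects the request signature hash.
gen_csr() {
    openssl req -new -sha256 -key "$KEY" -out "$CSR" \
        -config "$CNF" -subj "/CN=www.example.com"
}

# The name(s) the CA will read from the request. RFC2253 formatting keeps the
# output identical across openssl versions; sed drops the "subject=" prefix.
csr_subject() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Key length as seen in the request.
csr_key_bits() {
    openssl req -in "$CSR" -noout -text | grep -o '[0-9]* bit' | head -n1 | cut -d' ' -f1
}

# Hash used to self-sign the request (should not be sha1 on anything new).
csr_sigalg() {
    openssl req -in "$CSR" -noout -text | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# The CSR is self-signed with the new key; a failure here means the file is
# corrupt or was copied incompletely.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    write_cnf; gen_key; gen_csr
    echo "subject:   $(csr_subject)"
    echo "key bits:  $(csr_key_bits)"
    echo "signature: $(csr_sigalg)"
    csr_signature_ok && echo "CSR self-signature OK: $CSR"
fi
```

Run it as `sh make_csr.sh demo` (file name assumed); the printed subject is exactly the value the order form should show back to you, and the CSR to paste is the whole of $WORK/www_example_com.csr, BEGIN and END lines included.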
3. Open the “Certificate Signing Request” file www_example_com.csr and copy/paste its entire contents (including the BEGIN and END lines) into the CSR box when activating the SSL certificate you have purchased.
4. After the validation process, you’ll receive an email with an attached zip file named “www_example_com.zip”.
A. Save this file somewhere.
B. Right-click the file, select Properties, and click the Unblock button (Windows flags files downloaded from the Internet and may otherwise refuse to extract the certificates).
C. Extract the contents of the zip into the website’s \certs folder.
5. If the zip file does not contain the CA (Certificate Authority) Intermediate Certificates Bundle file (“www_example_com.ca-bundle”), create it yourself from the individual CA certs, starting with the one that issued your certificate:
copy /B COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + AddTrustExternalCARoot.crt PositiveSSL.ca-bundle
For Linux, this command would instead be:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle
This creates a file named PositiveSSL.ca-bundle containing the CA certificates in the order Apache (mod_ssl / openssl) expects: the two COMODO intermediates first, then the AddTrust root. The root is already in every browser’s trust store, so including it is not required (it only adds bytes to each handshake), but it does no harm.
Each certificate in the bundle is signed by the one after it: the first intermediate signed your website certificate, the second intermediate signed the first, and the root signed the second.
The trust chain starts with the root CA certificate that your browser has on file, runs through the intermediate CA certs, and ends at the website’s own public certificate.
The browser checks it in the opposite direction, starting with the public cert and working up until it reaches a root it trusts; that is why the bundle is stored “in reverse”, with the certificate that issued yours first and the root last.
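To see the ordering rule and the checks in action without a purchased certificate, this added example (not from the tutorial) builds a throwaway root, one stand-in intermediate and a www.example.com certificate with openssl, concatenates the CA certificates the way step 5 does (intermediate first, root last), and then verifies what Apache will hand out: that the first certificate in the bundle is the leaf’s issuer, that the private key belongs to the certificate, that the full chain validates for both names, and that the leaf fails on its own when no intermediates are sent. The CA names, the two-day lifetimes and the self-made config file are assumptions for the demonstration; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the tutorial: toy root -> intermediate -> leaf chain,
# bundled like step 5, then checked the way a browser (or openssl) checks it.
# Assumes openssl on PATH; everything is written under $WORK (temp dir by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/toy.cnf"

# Minimal config: a dn section so `req` is satisfied, plus the extension sets
# that make openssl accept the CAs as CAs and the leaf as a server cert.
write_cnf() {
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
}

make_root() {        # self-signed; stands in for AddTrustExternalCARoot
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 2 -key "$WORK/root.key" -subj "/CN=Toy Root CA" \
        -config "$CNF" -extensions ca_ext -out "$WORK/root.crt"
}
make_intermediate() { # signed by the root; stands in for the COMODO intermediates
    openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/int.key" -subj "/CN=Toy Intermediate CA" \
        -config "$CNF" -out "$WORK/int.csr"
    openssl x509 -req -sha256 -days 2 -set_serial 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -extfile "$CNF" -extensions ca_ext -out "$WORK/int.crt" 2>/dev/null
}
make_leaf() {        # the certificate the CA would mail back for www.example.com
    openssl genrsa -out "$WORK/www_example_com.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/www_example_com.key" -subj "/CN=www.example.com" \
        -config "$CNF" -out "$WORK/www_example_com.csr"
    openssl x509 -req -sha256 -days 2 -set_serial 3 -in "$WORK/www_example_com.csr" -CA "$WORK/int.crt" \
        -CAkey "$WORK/int.key" -extfile "$CNF" -extensions leaf_ext -out "$WORK/www_example_com.crt" 2>/dev/null
}
make_bundle() {      # step 5: leaf's issuer first, root last
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/PositiveSSL.ca-bundle"
}
build_chain() { write_cnf; make_root; make_intermediate; make_leaf; make_bundle; }

# Drop the "subject=" / "issuer=" prefix, whose spacing differs between openssl versions.
dn_only() { sed 's/^[a-z]*= *//'; }

# `x509` reads only the FIRST PEM block of a file: Apache sends the chain file in
# file order, so this must be the certificate that issued the leaf.
first_bundle_subject() {
    openssl x509 -in "$WORK/PositiveSSL.ca-bundle" -noout -subject -nameopt RFC2253 | dn_only
}
leaf_issuer() {
    openssl x509 -in "$WORK/www_example_com.crt" -noout -issuer -nameopt RFC2253 | dn_only
}

# SSLCertificateKeyFile must hold the key the CSR was made from: compare public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/www_example_com.key" -pubout | openssl sha256)
    c=$(openssl x509 -in "$WORK/www_example_com.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Browser's view: leaf, then the bundle as untrusted helpers, up to a trusted root,
# and the requested host name must be covered by the certificate.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/PositiveSSL.ca-bundle" \
        -verify_hostname "$1" "$WORK/www_example_com.crt" >/dev/null 2>&1
}
# The failure step 5 prevents: the leaf served with no intermediates at all.
leaf_verifies_alone() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/www_example_com.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    build_chain
    echo "first cert in bundle: $(first_bundle_subject)"
    echo "issuer of leaf:       $(leaf_issuer)"
    key_matches_cert && echo "key matches certificate"
    chain_verifies www.example.com && echo "chain OK for www.example.com"
    leaf_verifies_alone || echo "leaf alone fails: intermediate missing"
fi
```

Run it as `sh chain_check.sh demo` (file name assumed). Against the live server the equivalent check is `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null`: the output should list the full certificate chain and end with `Verify return code: 0 (ok)`, while `unable to get local issuer certificate` means the intermediates were not sent, which is exactly the case step 5 fixes.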
6. Configure the website’s SSL VirtualHost to use the private key, the public certificate, and the bundled intermediate certificate chain file.
Edit the website’s SSL VirtualHost file: update the SSLCertificateFile and SSLCertificateKeyFile paths with the proper file names, and add the SSLCertificateChainFile directive with the path to the bundle (PositiveSSL.ca-bundle, or www_example_com.ca-bundle if the zip already contained one).
SSLCertificateFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.crt"
SSLCertificateKeyFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.key"
SSLCertificateChainFile "C:/WampDeveloper/Websites/www.example.com/certs/PositiveSSL.ca-bundle"
Note that SSLCertificateChainFile is deprecated as of Apache 2.4.8; on those versions you can instead append the bundle to the file named by SSLCertificateFile (your certificate first, then the intermediates).
Save VirtualHost file.
7. Restart Apache.
Check your website –