Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache

The problem with basic domain-validation certificates is they tend to have multiple “Intermediate CA” certificates that have to be bundled together and included into the setup, and the provided instructions on how to use those 3 additional certificate files is often missing, outdated, or just wrong. I think this is done by design, to get you to spend more on the more expensive extended validation certs (that don’t need multiple intermediary certs).

Aside from that, the basic low-end “domain validation” certs win on 3 fronts:

  • They cost $10 instead of $300.
  • They are very easy to get since the “validation” step (to prove who you are) is basically opening an email sent to the domain name (admin@domain.name) and clicking the provided link.
  • They tend to have faster/more-responsive page load times, since the Browser does not download the Certificate Revocation List (CRL) or perform a check of the certificate status (via OCSP), either of which can add an additional 0.5-2 seconds before the page is displayed (this is why Amazon does not use an EV “green bar” cert).

Here is how to install the most common certificate on the market, the Comodo PositiveSSL Certificate bundled with Root and Intermediate CA Certificates on Apache.

These instructions can be used on WampDeveloper Pro, on any other WAMP (Xampp, WampServer, etc) or Apache setup, and on Linux – with just some path changes. The fictitious domain used in this example is www.example.com.

Open the command line with elevated privileges (e.g., right-click cmd.exe and select ‘Run as admin’), and change to the website’s \certs folder:

C:
cd \WampDeveloper\Websites\www.example.com\certs\

1. Generate a 2048 bit private key named www_example_com.key.

openssl genrsa -out www_example_com.key 2048

2. Generate a Certificate Signing Request (csr) file named www_example_com.csr.

openssl req -new -sha256 -key www_example_com.key -out www_example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf

* Update the “-config ...” path in the above line so it points at your openssl.cnf. On a WampDeveloper installation, adjust the drive letter; on other WAMPs, use the full path to your openssl.cnf; on Linux, leave the “-config ...” part out entirely.

For “Common Name” enter:
www.example.com

For all other fields enter:
.

The “.” means empty / no value. Because you are purchasing a simple “domain validation” certificate, all other fields will get erased.

* If you specify the “www” host on the domain.name (as above), Comodo will issue the certificate for both: www.example.com and example.com

This is an example that I’ve entered for www.devside.net (where I filled out all the un-needed extra info / except for the city):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NC
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:DeveloperSide.NET
Organizational Unit Name (eg, section) []:DeveloperSide.NET
Common Name (eg, your name or your server's hostname) []:www.devside.net
Email Address []:admin@devside.net

Make sure to also input the dot “.” for these two fields, to generate a valid CSR:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

3. Open the “Certificate Signing Request” file www_example_com.csr and copy/paste its entire (full) contents into the proper box when activating the SSL Certificate you have purchased.

4. After the confirmation process, you’ll receive an email with an attached zip file named “www_example_com.zip”.
A. Save this file to some location.
B. Right click this file, select Properties. Click button: Unblock (or Windows won’t allow you to extract the certs due to security issues).
C. Extract the contents of the zip into the website’s \certs folder.

5. If the zip file does not contain the needed CA (Certificate Authority) Intermediate Certificates Bundle file (“www_example_com.ca-bundle”), create it yourself from the chain of intermediate certs:

copy /B COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + AddTrustExternalCARoot.crt PositiveSSL.ca-bundle

For Linux, this command would instead be:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle

This will create a file named PositiveSSL.ca-bundle containing the 3 CA (Certificate Authority) intermediate certificates, all in the proper order (that Apache + mod_ssl / openssl expect).

Each intermediate certificate in the bundle is signed by the one that follows it: the first entry is the CA that issued your public certificate, the next is the CA that issued that intermediate, and so on up toward the root.

The trust chain starts with the root CA certificate that your Browser already has on file, goes through each of the provided CA intermediate certs, and finally ends with your public certificate file.

The actual validation check runs in the reverse direction, starting with your public cert and working up toward the root. That is not important in itself, except that it is the reason the intermediate certs are stored in the bundle file in this “reverse” order.
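As an added example (not code from the original post), this POSIX shell script checks a bundle against the ordering just described: the first certificate must be the issuer of the site certificate, each following certificate must be the issuer of the one before it, and a self-signed root at the end is reported as unneeded. It assumes the openssl CLI is installed; the file names are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that a PEM CA bundle
# is in the order Apache's SSLCertificateChainFile expects and warns if the
# self-signed root CA was left in (the "Contains Anchor" case).
# Usage: check_bundle www_example_com.crt PositiveSSL.ca-bundle
# Assumes: openssl CLI on PATH.

# Print the subject or issuer of the PEM cert on stdin, without the "subject=" prefix.
cert_field() {   # $1 = subject | issuer
    openssl x509 -noout -"$1" | sed "s/^$1= *//"
}

# check_bundle SITE.crt BUNDLE.ca-bundle
# Returns 0 when every link in the chain matches, 1 otherwise.
check_bundle() {
    site=$1 bundle=$2
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/cert." n)}' "$bundle"
    expect=$(cert_field issuer < "$site")   # the CA that must have signed the site cert
    n=1; rc=0
    while [ -f "$tmp/cert.$n" ]; do
        subj=$(cert_field subject < "$tmp/cert.$n")
        iss=$(cert_field issuer < "$tmp/cert.$n")
        if [ "$subj" != "$expect" ]; then
            echo "cert $n: subject '$subj' is not the expected issuer '$expect'" >&2
            rc=1
        fi
        if [ "$subj" = "$iss" ]; then
            # A root is self-signed; browsers must already trust it, so it adds nothing
            # to the bundle and SSL Labs reports it as an anchor sent by the server.
            echo "cert $n is self-signed (root CA) and can be dropped from the bundle" >&2
        fi
        expect=$iss          # the next cert in the file must be this cert's issuer
        n=$((n + 1))
    done
    rm -rf "$tmp"
    return $rc
}
```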

6. Configure the website’s SSL VirtualHost file to use the private key, public certificate, and the bundled intermediate certificates chain file.

Edit the website’s SSL VirtualHost file:
C:\WampDeveloper\Vhosts\www.example.com.ssl.vh.conf

Update the existing SSLCertificateFile and SSLCertificateKeyFile paths with the proper file names, and add the SSLCertificateChainFile directive with the path to the bundle file.

SSLCertificateFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.crt"
SSLCertificateKeyFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.key"
SSLCertificateChainFile "C:/WampDeveloper/Websites/www.example.com/certs/PositiveSSL.ca-bundle"

Save VirtualHost file.

7. Restart Apache.

Check your website (screenshot: PositiveSSL-Bundled-Chain).

18 thoughts on “Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache”

  1. You can test your installed certs (on publicly facing websites) from here:
    https://www.ssllabs.com/ssltest/

    Also, you can find the path that the CA intermediate certs take by starting with your public certificate file and following the chain…

    openssl x509 -noout -text -in www_domain_name.crt
        Authority Information Access:
        CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
    openssl x509 -noout -text -in COMODORSADomainValidationSecureServerCA.crt
        Authority Information Access:
        CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
    openssl x509 -noout -text -in COMODORSAAddTrustCA.crt
        Full Name:
            URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl

    This shows that the dependence chain is:

    1. Root: AddTrustExternalCARoot.crt
    2. Intermediate 1: COMODORSAAddTrustCA.crt
    3. Intermediate 2: COMODORSADomainValidationSecureServerCA.crt
    4. End-Entity/Domain Certificate: www_domain_name.crt

    * The root CA certificate your Browser most-likely already has on file, and probably is not really needed in the bundle file. But you might as well include it.

    1. The order of both the Windows and Linux concatenation commands is correct… The first CA cert in the bundle file is the lowest cert, and the file is built down with higher CA certs.

      The problem is with the textual description of the validation order right underneath. It’s not top to bottom, but the other way around.

      I’ve corrected it. Thanks!

  2. When I did it this way, I received a ‘Contains Anchor’ warning from Qualys’ SSL tester. It said that the AddTrustExternalCARoot certificate was both sent by the server, and in local store, so I removed that cert from the bundle, and used the new bundle. Qualys then reported no certificate chaining issues.

    1. You are correct.

      The root CA cert is unwanted / as the OS and Browser must already have it in its store, to be able to validate all the certs in its chain… And including it in the bundle will have no effect – i.e., if the OS or Browser does not have the root CA cert in the store already, it will not trust it or its chain.

  3. The problem with basic domain-validation certificates is they tend to have multiple “Intermediate CA” certificates that have to be bundled together and included into the setup, and the provided instruction on how to use those 3 additional certificate files is often missing, outdated, or just wrong. I think this is done by design, to get you to spend more on the more expensive extended validation certs (that don’t need multiple intermediary certs).

    That’s not quite a fair statement, since Comodo EV certificates also have a CA bundle with 2 intermediate certs. This occurred historically as one CA was acquired by another at some time and a necessity to issue an extra intermediate certificate appeared.

    However, the number of certificates in the chain can be easily messed up if a root cert, which is not an obligatory one, has not been installed in the chain. Thus, one can think that there is 1 intermediate + 1 root cert. In fact, those are 2 intermediates. That works for Comodo certs.

    Which is intermediate and which is root can be easily checked with any online SSL decoder, like this one. The root one will have the same Issuer and Common Name field values, as it is a self-signed cert by nature.

  4. Thanks for this. Saved me hours (probably days)!
    I was adding a cert to an Ubuntu 14.04 Bitnami/Magento Stack on Azure
    Note:

    “Edit the website’s SSL VirtualHost file:
    C:\WampDeveloper\Vhosts\www.example.com.ssl.vh.conf”

    For me this file was:
    /opt/bitnami/apache2/conf/bitnami/bitnami.conf

    I hope this helps someone
    Thanks again
    Colin

  5. Hey thanks for this dude, it’s crazy ssls.com doesn’t give proper instructions on how to install these PositiveSSL certs; ssls.com’s RapidSSL only has one intermediate cert and is a few bucks more (easier to install).

  6. For the Domain Control Validation step –

    A Domain Control Validation (DCV) method is necessary for security purposes. The Certificate Authority uses the DCV to verify that the person placing the request owns the domain and/or is authorized to use it.

    You have 3 options:

    • Email
    • HTTP-based
    • DNS-based

    Use DCV Method “Email” for the simplest validation method of receiving an emailed link to click.

  7. Comodo PositiveSSL is now sending you the already created bundle file named “www_example_com.ca-bundle”. So you can now skip the bundling step unless you want to do it yourself.
