openssl req -nodes -newkey rsa:4096 -keyout example_com.key -out example_com.csrUnzip the file Comodo sends back and create a single certificate bundle file.
This is the tricky part: if the sequence of .crt files is wrong, browsers will give not trusted and no issuer chain was provided errors.
unzip example_com.zip
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.ca-bundlemv example_com.ca-bundle /etc/ssl/certs
mv example_com.crt /etc/ssl/certs
mv example_com.csr /etc/ssl/private
mv example_com.key /etc/ssl/private
rm *.crtUncomment these lines in httpd.conf:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-default.confThen, uncomment and change these lines in extra/httpd-default.conf:
SSLCertificateFile "/etc/ssl/certs/example_com.crt"
SSLCertificateKeyFile "/etc/ssl/private/example_com.key"
SSLCertificateChainFile "/etc/ssl/certs/example_com.ca-bundle"
# disable SSLv3 support (POODLE exploit)
SSLProtocol All -SSLv2 -SSLv3Confirm the configuration before restarting:
apachectl configtestIt should say:
Syntax OKWhich means it's safe to restart:
apachectl restartAdd these lines to /etc/nginx/conf.d/default.conf:
listen 443 ssl;
ssl_certificate /etc/ssl/certs/example_com.ca-bundle;
ssl_certificate_key /etc/ssl/private/example_com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disable SSLv3 support (POODLE exploit)Confirm the configuration before restarting:
/etc/init.d/nginx configtestIt should say:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successfulWhich means it's safe to restart:
/etc/init.d/nginx restart