@hero9
Forked from gangsta/SSL.md
Created January 9, 2019 05:09
How to Set Up a Comodo SSL Cert

I advise you to buy SSL certs only from Comodo directly, or from an SSL reseller you trust.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You’ll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

example_com.key — your private key. You’ll need this later to configure nginx.
example_com.csr — your CSR file.

Now purchase the certificate, following the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

Root CA Certificate – AddTrustExternalCARoot.crt
Intermediate CA Certificate – COMODORSAAddTrustCA.crt
Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate – www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx:

Combine the above crt files into a bundle (the order matters here: your certificate first, then the intermediates, then the root):

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Store the bundle wherever nginx expects to find it:

mkdir -p /etc/nginx/ssl/example_com/
mv ssl-bundle.crt /etc/nginx/ssl/example_com/

Ensure your private key is somewhere nginx can read it as well:

mv example_com.key /etc/nginx/ssl/example_com/

Make sure your nginx config points to the right cert file and to the private key you generated earlier:

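server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;

    # side note: only use TLS 1.2 and later; SSLv2 and SSLv3 have had
    # vulnerabilities, and TLSv1 and TLSv1.1 are deprecated
    # (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+)
    ssl_protocols TLSv1.2 TLSv1.3;

    # ...

}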

Restart nginx.

You can find the original documentation here.

openssl verify -CAfile bundle.crt www_example_com.crt

Upload the certificate files on the server where your web-site is hosted.

With Comodo certificates, you should receive a zip archive with *.crt and .ca-bundle files. Geotrust/Thawte/Symantec send certificates in plain text; simply save them as txt files (Notepad is enough for this). For Comodo PositiveSSL the files look like the ones below:

yourdomainname.crt yourdomainname.ca-bundle

or you may receive the CA bundle in separate files as provided below:

COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt

AddTrustExternalCARoot.crt

Combine CA certificates into a single file

If you received several CA certificates in separate files, combine them into a single file to make the CA bundle. You can also download a completed bundle file here.

For Comodo PositiveSSL, the CA certificates are AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt.

To combine them, run the following command in terminal:

$ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt

How do I verify that a private key matches a certificate? (OpenSSL)

To verify that a private key matches its certificate, compare the modulus of the certificate against the modulus of the private key (this check applies to RSA keys).

Run the following command to print an MD5 hash of the certificate's modulus:

openssl x509 -noout -modulus -in server.crt | openssl md5

The output will contain a hash, something like a77c7953ea5283056a0c9ad75b274b96

Run the following command to print an MD5 hash of the private key's modulus:

openssl rsa -noout -modulus -in myserver.key | openssl md5

If the key matches the certificate, you should get the same hash as above, i.e. a77c7953ea5283056a0c9ad75b274b96
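An added example (not part of the original gist): a pre-flight script for the two checks described above, namely that the bundle lists the leaf certificate first and that the private key matches it. It goes beyond the modulus comparison by fingerprinting the whole public key with SHA-256, so it also works for non-RSA keys; the function names and script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the gist): checks to run before restarting nginx.

# SHA-256 hex digest of whatever PEM text arrives on stdin.
sha256_hex() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Fingerprint of the public key in the FIRST certificate of a PEM file.
# openssl x509 reads only the first PEM block, so for a bundle this is
# whichever file came first in the `cat` command.
cert_fp() (
    pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || exit 1
    printf '%s\n' "$pub" | sha256_hex
)

# Fingerprint of the public key derived from an unencrypted private key.
# Unlike the RSA modulus comparison, this also works for EC keys.
key_fp() (
    pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || exit 1
    printf '%s\n' "$pub" | sha256_hex
)

# Succeeds only if the first certificate in the bundle belongs to the key.
bundle_matches_key() (
    c=$(cert_fp "$1") && k=$(key_fp "$2") && [ "$c" = "$k" ]
)

# Succeeds only if each certificate is followed by its issuer (leaf first).
# Compares issuer/subject name hashes only; signatures are not verified.
bundle_order_ok() (
    tmp=$(mktemp -d) || exit 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$tmp/1.pem" ] || rc=2
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        child=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem")
        parent=$(openssl x509 -noout -subject_hash -in "$tmp/$((i + 1)).pem")
        [ -n "$child" ] && [ "$child" = "$parent" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Usage: sh check_bundle.sh ssl-bundle.crt example_com.key
if [ "$#" -eq 2 ]; then
    bundle_matches_key "$1" "$2" || { echo "key does not match first cert" >&2; exit 1; }
    bundle_order_ok "$1" || { echo "bundle is not in leaf-to-root order" >&2; exit 1; }
    echo "bundle and key are consistent"
fi
```

A bundle built in the wrong order fails the first check as well, because the first certificate in the file is then a CA certificate whose public key does not belong to your private key.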
