Let’s face it, with all of the security breaches these days, encryption is becoming a standard on the internet. With modern servers having multiple 8 and 12 core CPUs, the overhead generated by implementing SSL is negligible. I always buy my SSL certificates from Comodo PositiveSSL through Namecheap. The reason for this is you can get a signed SSL certificate with 99.9% compatibility for only $9.00 per year.
There is one annoyance though. Comodo doesn’t have good documentation on installing these certificates. Their documentation mentions creating a “bundle” out of two CA certificates; however, four are provided in the zip they send you. In addition, on of the ones they mention isn’t even included! To make this process easier, we documented the steps all the way from the initial certificate request through installing it in your Apache instance.
Begin by generating your certificate request. If you do not have openssl installed, it will be in most package managers. For example “yum install openssl”. You will be asked to fill out some information about your organization. It’s very important to answer these questions correctly or it could delay having your certificate signed. We recommend leaving the challenge password blank, or you will need to enter it every time you start Apache.
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
Open the certificate request csr file and paste it in the CSR area of Namecheap (or where you decided to purchase your certificate from). Make sure to select “Apache + OpenSSL” as the server type. This option will affect the types of certificates you get back.
Once you click “Next”, you’ll be asked to select an email address. It’s very important you select one that works, don’t just click anything. They will send you an email with a confirmation code you need to enter before the certificate request is processed. Once everything is valid and good on their end, they will email you a zip file containing your certificate. Once you extract the file, you should see several files like this:
This is where it gets tricky. In order to use these certificates in Apache, you need to create a “bundle”, meaning combining them all into one. But guess what – they don’t tell you how or in what order. All you need to do is open notepad and copy/paste the file contents one by one. Paste them in the following order exactly: Your Domain Certificate, COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, and AddTrustExternalCARoot.crt. Double check the order. If you get the order wrong, some browsers, especially mobile, will flag it as invalid. Nothing will chase people away from your site faster than that big red “INVALID/UNTRUSTED CERTIFICATE” message.
Save this new file as certbundle.txt.
Open your Apache configuration file, /etc/httpd.conf. Create a virtual host block for the new SSL version of your site and add the paths to your certificates. We recommend uploading the certificates to a directory that is not accessible by anyone other than root and apache. You will need to upload your domain crt, the myserver.key file we created earlier, and the new bundle file, certbundle.txt, that you just created.
Restart Apache and you should be good to go!