Sunday, February 1, 2015

Combining SSL certificates from Comodo Positive SSL for NGINX

Here is a quick and easy way to combine Comodo's Positive SSL Certificate.

I bought my certificate from NameCheap for about $9.95 / year.

This post will only describe the process of combining the certificate. I assume you already:

1. Generate CSR and .key file
2. Submit CSR to Comodo / Namecheap
3. Got an email from Comodo containing .crt file

If you have not done any of the task above, please do them first before following this guide.


[STEP 1]  Confirm and Extract all files received from Comodo:

Attached to this email you should find a .zip file containing:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - <YOUR_DOMAIN_NAME>_com.crt 

[STEP 2]  Make sure all files are inside one directory.

Copy / move all files into one directory.

[STEP 3]  Combine them!

From your linux server command line, execute:

cat <YOUR_DOMAIN_NAME>_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > <YOUR_DOMAIN_NAME>_combined.crt

[STEP 4]  Edit your nginx /etc/sites-available/<your_file>


The following configuration is what I use to enable SSL on my NGINX configuration. I have tweaked this configuration overtime and this is my latest one. It enables TLS and prevent SSLv2 and SSLv3 from being used because they are weak and vulnerable. I also included configuration to disable weak ciphers.

ssl on;
ssl_certificate /etc/ssl/<YOUR_DOMAIN_NAME>/<YOUR_DOMAIN_NAME>_combined.crt;
ssl_certificate_key /etc/ssl/private/<YOUR_DOMAIN_NAME>.key;

ssl_session_timeout 5m;

#enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;



[STEP 5]  Restart NGINX



service nginx restart
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)