Channel: DeveloperSide.NET » WAMP Developer Server

Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache


The problem with the cheaper certificates is that they always come with “intermediary” certificates that also have to be included (bundled) in the setup, and the provided instructions on how to use those 3 additional certificate files are missing, outdated, or just wrong. I think this is done by design, to get you to spend more on the more expensive extended validation certs (that don’t need intermediary certs).

Aside from that, the basic low-end “domain validation” certs win on 3 fronts:

  • They cost $10 instead of $300.
  • They are very easy to get since the “validation” step (to prove who you are) is basically opening an email sent to the domain name (admin@domain.name) and clicking the provided link.
  • They have faster/more-responsive page load times, since the browser does no external checking of the revocation list, which can add an additional .5-2 seconds before the page is displayed (this is why Amazon and eBay do not use the EV “green bar” certs).

Here is how to install the most common certificate on the market, the Comodo PositiveSSL Certificate bundled with root and intermediate CA Certificates on Apache. These instructions can be used on WampDeveloper Pro, on any other WAMP or Apache setup, and on Linux – with just some path changes. The fictitious domain used in this example is www.example.com.

Open the command line with elevated privileges (e.g., right-click cmd.exe and select ‘Run as admin’), then change to the website’s \certs folder:

C:
cd C:\WampDeveloper\Websites\www.example.com\certs\

1. Generate a 2048 bit private key named www_example_com.key.

openssl genrsa -out www_example_com.key 2048

2. Generate a Certificate Signing Request (csr) file named www_example_com.csr.

openssl req -new -key www_example_com.key -out www_example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf

* Update the above line for openssl’s “-config path” on your WampDeveloper installation (drive letter), or for other WAMPs, or just leave it out on Linux.

For “Common Name” enter:
www.example.com

For all other fields enter:
.

The “.” means empty / no value. Because you are purchasing a simple “domain validation” certificate, all other fields will get erased.

* If you specify the “www” host on the domain.name (as above), Comodo will issue the certificate for both: www.example.com and example.com

3. Open the “Certificate Signing Request” file www_example_com.csr and copy/paste its entire (full) contents into the proper box when activating the SSL Certificate you have purchased.

4. After the confirmation process, you’ll receive an email with an attached zip file named “www_example_com.zip”.

   1. Save this file to some location.
   2. Right-click this file and select Properties. Click the Unblock button (otherwise Windows won’t allow you to extract the certs due to security issues).
   3. Extract the contents of the zip into the website’s \certs folder.

5. Create the CA (Certificate Authority) Intermediary Certificates Bundle file:

copy /B COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + AddTrustExternalCARoot.crt PositiveSSL.ca-bundle

For Linux, this command would instead be:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle

This will create a file named PositiveSSL.ca-bundle containing the 3 CA (Certificate Authority) intermediary certificates, all in the proper order. Each CA certificate basically validates the one next to it, top to bottom, from the root CA certificate that your browser has on file, through the intermediary certs, and down to the public certificate file (provided by Apache).

6. Configure the website’s SSL VirtualHost file to use the private key, public certificate, and bundled intermediary certificate chain file.

Edit the website’s SSL VirtualHost file:
C:\WampDeveloper\Vhosts\www.example.com.ssl.vh.conf

Update the existing SSLCertificateFile and SSLCertificateKeyFile paths with the proper file names, and add the SSLCertificateChainFile directive and its path.

SSLCertificateFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.crt"
SSLCertificateKeyFile "C:/WampDeveloper/Websites/www.example.com/certs/www_example_com.key"
SSLCertificateChainFile "C:/WampDeveloper/Websites/www.example.com/certs/PositiveSSL.ca-bundle"

Save the VirtualHost file.

7. Restart Apache.

Check your website:

[Image: PositiveSSL-Bundled-Chain]

