Install SSL Certificate Properly

Many of us use SSL for our sites. However, there is a good chance that the SSL certificate is not installed properly on the web server. This can lead to unwanted warnings in some browsers, such as Mozilla Firefox or mobile phone browsers. In this tutorial, I will explain how to install an SSL certificate properly. The guide is for the Nginx web server with an AlphaSSL certificate.

First, when purchasing an SSL certificate, we need to generate a CSR and a key file (domain.key for example), and the SSL provider then gives us a certificate file (domain.crt for example). Most of us simply put these files on the web server and install them as they are, with something like the following configuration (for nginx):

[bash]ssl on;
ssl_certificate /home/domain/domain.crt;
ssl_certificate_key /home/domain/domain.key;[/bash]

This is good enough for most browsers, but it can cause an untrusted-certificate warning in some browsers (Mozilla Firefox for example). We can check whether SSL is installed properly at the DigiCert Help page.

So, what is the proper way to install an SSL certificate? The answer is that we need to create a new bundle file containing not only the certificate itself, but also the CA intermediate certificate and the CA root certificate. The format of the bundle file is as follows:

[bash]-----BEGIN CERTIFICATE-----
#Your AlphaSSL Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#AlphaSSL Intermediate Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#AlphaSSL Root Certificate#
-----END CERTIFICATE-----[/bash]

Or with PositiveSSL:

[bash]-----BEGIN CERTIFICATE-----
#Your PositiveSSL Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#COMODORSADomainValidationSecureServerCA.crt Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#COMODORSAAddTrustCA.crt Certificate#
-----END CERTIFICATE-----[/bash]

For AlphaSSL certificates, we can download the CA root and CA intermediate files at http://www.alphassl.com/support/install-root-certificate.html. We then use the cat command to concatenate the 3 files into one bundle file (domain-bundle.crt for example) as follows:

[bash]# Use > rather than >> so that re-running the command does not append a second copy of the chain
cat domain.crt alphasha-intermediate.cer alphassl-root.pem > domain-bundle.crt[/bash]

Then, point ssl_certificate at the bundle file instead of domain.crt, restart or reload the nginx web server, and all is set.

For installation on other web servers, we can refer to the GlobalSign guides at https://support.globalsign.com/#category_SSL_Installation

For AWS Elastic Load Balancer

  • Use .key for key field
  • Use the main certificate for cert field
  • Use the concatenation of COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, and AddTrustExternalCARoot.crt for the Chain field
