Comodo / PositiveSSL / InstantSSL Multi-domain SSL certificate installation on Plesk

If you're short of IP addresses and host multiple domains on a single IP that all need SSL, a good solution is the Multi-Domain certificate from Comodo: a single certificate containing more than one domain name, intended for installation on a single server.

However, the use of Host Headers (which is how you can use a single IP for more than one SSL enabled domain) is not recommended for E-Commerce sites.

The multi-domain certificate can only be purchased from one of the Comodo resellers, or you can apply to become one yourself.

To order the cert, you first need to generate a Certificate Signing Request (CSR). This is easily done via the Plesk admin UI.

  1. Login to the Plesk Control Panel.
  2. From the left hand menu, select 'Server'.
  3. Click on 'Certificates'.
  4. Click on the 'Add New Certificate' item.
  5. Fill out the information on the page. All items marked with a red asterisk must be filled in.
  6. Press the 'Request' button.
  7. You will then be returned to the Certificates menu. From the list at the bottom of the page, click on the certificate name that you just created. Mid-way down the page, there is a box. Copy the content of this box labelled 'CSR'.
  8. Paste the CSR into the order screen when purchasing the SSL certificate.
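The same CSR can be produced outside Plesk with the OpenSSL command line, which also makes it easy to confirm that every hostname of the multi-domain order is present before pasting it into the order screen. The script below is an added example, not part of the original post; the hostnames and subject fields are constructed placeholders, and it assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the original post): generate a multi-domain CSR with openssl
# instead of the Plesk UI, then confirm every hostname ended up in the subjectAltName.
# Hostnames and subject fields are constructed placeholders; needs OpenSSL 1.1.1+ for -addext.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT INT TERM

# make_csr KEY CSR HOST...: the first host becomes the CN, every host is listed as a DNS SAN
make_csr() {
    key=$1; csr=$2; shift 2
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/C=GB/ST=SomeState/L=SomeCity/O=Example Ltd/CN=$1" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# csr_has_host CSR HOST: succeed when HOST appears as a DNS entry in the request's SAN
csr_has_host() {
    openssl req -noout -text -in "$1" | grep -Eq "DNS:$2(,|\$)"
}

# The PEM block written to multi.csr is what Plesk shows in its 'CSR' box
make_csr "$work/multi.key" "$work/multi.csr" shop.example.test www.example.test api.example.test
for h in shop.example.test www.example.test api.example.test mail.example.test; do
    if csr_has_host "$work/multi.csr" "$h"; then echo "$h: in SAN"; else echo "$h: NOT in SAN"; fi
done
```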

Shortly after ordering, the SSL certificate is emailed to you in a zip file along with the following CA certs:

  1. AddTrustExternalCARoot.crt
  2. PositiveSSLCA.crt
  3. UTNAddTrustServerCA.crt

The CA certs need to be concatenated into one file, in the order shown below, and uploaded to Plesk as a single certificate.

$ cat PositiveSSLCA.crt > CA.crt
$ cat UTNAddTrustServerCA.crt >> CA.crt
$ cat AddTrustExternalCARoot.crt >> CA.crt

Those files are available for download from Comodo's support site as well.

The order you place the contents of those files into a new file is important, and should be followed as outlined above. No blank lines should be added between the certificate contents when you copy the contents of the existing CA certs into a new file. You then provide this new file to Plesk when it asks for the CA Certificate.

In order to install the certificate, go back to the Certificate area in Plesk and upload or copy/paste the certs into the relevant areas.

Return to the Server Page and go to the IP address section. Click on the relevant IP address and apply the newly installed certificate.


verify intermediate certificates are installed correctly

openssl s_client -showcerts -connect [host.domain.tld:443]

The command should return a status code of 0 if the intermediate certs are installed correctly.

Nginx & Comodo Positive SSL

First, I need to make a "valid" crt file. I run this command:
cat mysite_com.crt AddTrustExternalCARoot.crt UTNAddTrustServerCA.crt PositiveSSLCA.crt >> new_mysite_com.crt

Last, change nginx.conf:

ssl_certificate      /usr/local/nginx/new_mysite_com.crt;
ssl_certificate_key  /usr/local/nginx/mysite_com.key;

mysite_com.key is the original key file which was used to make your mysite_com.crt.

Good luck to you :)

certificate routines:X509_check_private_key:key values mismatch

That's right, if you get the concatenation out of order, you would get something like the below error because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.

certificate routines:X509_check_private_key:key values mismatch
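Both the ordering rule from the post above and the key mismatch described in this reply can be checked offline before a bundle is handed to Plesk, nginx or Apache. The script below is an added example, not part of the original post or of Comodo's material: it builds a constructed throwaway root, intermediate and server chain, then checks that each certificate in a combined file is issued by the one after it, and that the first certificate in the file matches the private key (the test behind the X509_check_private_key error). It assumes only the openssl command line.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed root -> intermediate -> server
# chain (not Comodo's certificates) is used to show two offline checks on a combined PEM file.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT INT TERM; cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:host.domain1.tld\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj /CN=TestRoot 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj /CN=TestInter 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj /CN=host.domain1.tld 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
    -extfile leaf.ext -out server.crt 2>/dev/null

# chain_in_order FILE: succeed only if every certificate is issued by the one after it,
# i.e. the file is in the order a TLS server must send it (server cert first, root last).
chain_in_order() {
    parts=$(mktemp -d)
    n=$(awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")} END{print n+0}' "$1")
    i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$parts/$i.pem")
        subject=$(openssl x509 -noout -subject -in "$parts/$((i+1)).pem")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$1: certificate $i is not issued by certificate $((i+1))" >&2; ok=1; break
        fi
        i=$((i+1))
    done
    rm -rf "$parts"; return $ok
}

# first_cert_matches_key FILE KEY: the check behind nginx's "key values mismatch" error.
# openssl x509 reads only the first certificate in FILE, just as the server does.
first_cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

cat server.crt inter.crt root.crt > good.pem   # server certificate first, then its issuers
cat root.crt inter.crt server.crt > bad.pem    # reversed: root first
for f in good.pem bad.pem; do
    if chain_in_order "$f"; then echo "$f: chain order ok"; else echo "$f: chain order wrong"; fi
    if first_cert_matches_key "$f" server.key; then echo "$f: first cert matches key"; else echo "$f: key mismatch"; fi
done
```

Run it against your own server.pem and server.key in place of good.pem and server.key; the order check also covers a CA.crt bundle built for Plesk, since that file must read intermediate first and root last.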

positivessl and nginx

Concatenate the SSL Cert and CA bundle as below:

cat server.crt server.ca-bundle >server.pem

Then include in nginx conf:

  ssl_certificate      ssl/server.pem;
  ssl_certificate_key  ssl/server.key;

SSL Virtual Host Configuration

Below is an example Apache virtual host configuration file:

NameVirtualHost 192.168.1.2:443

#
# host.domain1.tld:443
#
<VirtualHost 192.168.1.2:443>
  ServerName host.domain1.tld
  UseCanonicalName Off
  DocumentRoot /var/www/vhosts/host.domain1.tld/web
  CustomLog /var/log/httpd/vhosts/host.domain1.tld/ssl_access_log combined
  ErrorLog /var/log/httpd/vhosts/host.domain1.tld/ssl_error_log
  SSLEngine on
  SSLVerifyClient none
  SSLCertificateFile /var/www/vhosts/host.domain1.tld/ssl/host.domain1.tld.pem
</VirtualHost>

#
# host.domain2.tld:443
#
<VirtualHost 192.168.1.2:443>
  ServerName host.domain2.tld
  UseCanonicalName Off
  DocumentRoot /var/www/host.domain2.tld/web
  CustomLog /var/log/httpd/vhosts/host.domain2.tld/ssl_access_log combined
  ErrorLog /var/log/httpd/vhosts/host.domain2.tld/ssl_error_log
  SSLEngine on
  SSLVerifyClient none
  SSLCertificateFile /var/www/vhosts/host.domain2.tld/ssl/host.domain2.tld.pem
</VirtualHost>

Note: The SSLCertificateFile entries are just dummy certificates, as the actual certificate will be in the main "/etc/httpd/conf.d/ssl.conf" file.

A self-signed pem certificate is easily created via the below "make_cert.sh" script:

#!/bin/sh
# make_cert.sh - write a self-signed private key plus certificate into one PEM file
# for each filename given (used as the dummy SSLCertificateFile in the vhosts above)
umask 077

# Non-interactive answers to the "openssl req" prompts, one per field:
# country, state, city, organization, organizational unit, common name, email
answers() {
        echo --
        echo SomeState
        echo SomeCity
        echo SomeOrganization
        echo SomeOrganizationalUnit
        echo subscriptions.bioethika.com
        echo root@localhost.localdomain
}

if [ $# -eq 0 ] ; then
        echo "Usage: `basename $0` filename [...]"
        exit 0
fi

for target in "$@" ; do
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
        # remove the temporary files if the script is interrupted
        trap "rm -f $PEM1 $PEM2" INT TERM
        # 2048-bit key: current OpenSSL security levels reject 1024-bit RSA certificates
        answers | /usr/bin/openssl req -newkey rsa:2048 -keyout "$PEM1" -nodes -x509 -days 9999 -out "$PEM2" 2> /dev/null
        cat "$PEM1" >  "${target}"   # private key first ...
        echo ""     >> "${target}"
        cat "$PEM2" >> "${target}"   # ... then the certificate, in the same PEM file
        rm -f "$PEM1" "$PEM2"
done

Why not for e-commerce sites?

Why is the use of Host Headers not recommended for E-Commerce sites?

Thx,
Jose
