Installing PositiveSSL on Apache (and on AWS CloudFront)
PositiveSSL is that cheap SSL cert which we all get for peanuts from Namecheap, there's no shame in hiding that. However, the instructions for installing it properly always seem to be misguided, and Comodo's website is just horrible...
Here's all you need to do. Your zip file should contain four .crt files:
For browsers to trust you properly, you need to provide the intermediate certificates WITH your certificate. Putting them in just the chain seems to not be enough, so your cert AND chain file should both end up being this combined.crt:
cat domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > combined.crt
Note: including AddTrustExternalCARoot.crt is not recommended.
So finally, our Apache config should be something like:
SSLCertificateFile /etc/pki/tls/certs/combined.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain.key
SSLCertificateChainFile /etc/pki/tls/certs/combined.crt
You'll probably want to do your own research to determine the ideal cipher methods too.
Hope that helped some of you, as I spent a bit of time puzzled why many people were giving the wrong steps.
When in doubt, this site is the best to verify you have everything set up properly:
Happy New Year!
If you try this method on AWS, it will error back with something like:
A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1
To get it working with AWS, it expects PEM format, with the server certificate by itself and the intermediates in a separate chain file. So this should get you fixed up:
(openssl x509 -inform PEM -in COMODORSADomainValidationSecureServerCA.crt; openssl x509 -inform PEM -in COMODORSAAddTrustCA.crt) > ca.crt
aws iam upload-server-certificate --server-certificate-name www.domain.com.au --certificate-body file://domain_com_au.crt --private-key file://domain_com_au.key --certificate-chain file://ca.crt --path /cloudfront/www.domain.com.au/
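A pre-upload check for the ordering rule quoted in the AWS error above, as an added example that is not part of the original post: it confirms that the chain file starts with the certificate that issued your server certificate and that each later entry issued the one before it. The function name check_chain_order is hypothetical; it compares issuer and subject names only and does not verify signatures.

```bash
# Added example (not from the original post). Requires the openssl CLI.
# Usage: check_chain_order <server-cert.pem> <chain.pem>
# Returns 0 when the chain is in the order AWS asks for, 1 when a link is
# out of place (for example the server cert itself sits first in the chain,
# as it does in combined.crt), 2 when a file cannot be parsed.
check_chain_order() {
    leaf=$1
    chain=$2
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate: cert-00.pem, cert-01.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%02d.pem", dir, n++) }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"

    # Name hash of whoever issued the server certificate.
    expected=$(openssl x509 -in "$leaf" -noout -issuer_hash) || { rm -rf "$tmp"; return 2; }

    i=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $chain" >&2; rm -rf "$tmp"; return 1; }
        subject=$(openssl x509 -in "$f" -noout -subject_hash) || { rm -rf "$tmp"; return 2; }
        if [ "$subject" != "$expected" ]; then
            echo "chain index $i is not the issuer of the certificate before it" >&2
            rm -rf "$tmp"
            return 1
        fi
        # The next entry must be the issuer of this one.
        expected=$(openssl x509 -in "$f" -noout -issuer_hash) || { rm -rf "$tmp"; return 2; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return 0
}
```

With the file names used above, run check_chain_order domain_com_au.crt ca.crt before calling aws iam upload-server-certificate.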