Installing PositiveSSL on Apache (and on AWS cloudfront)

PositveSSL is that cheap SSL cert which we all get for peanuts from Namecheap, there's no shame in hiding that. However, installing it properly always seems to be misguided and Comodo's website is just horrible...

Here's all you need to do. Your zip file should contain four .crt files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • domain.crt

For browers to trust you properly, you need to provide the intermediate certificate WITH your certificate. Putting it in just the chain seems to not be enough, so your cert AND chain file should end up being this combined.crt

cat domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > combined.crt

Note, AddTrustExternalCARoot.crt is not recommended to be included.

So finally, our Apache config should be something like:

  SSLCertificateFile /etc/pki/tls/certs/combined.crt
  SSLCertificateKeyFile /etc/pki/tls/private/domain.key
  SSLCertificateChainFile /etc/pki/tls/certs/combined.crt

You'll probably want to do your own research to determine the ideal cipher methods too.

Hope that helped some of you, as I spent a bit of time puzzled why many people were giving the wrong steps.

When in doubt, this site is the best to verify you have anything setup properly:

Happy New Year!


If you try this method on AWS, it will error back with something like:

A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1  

To get it working with AWS, it expects a PEM format and the SSLCertificate to be by itself. So this should get you fixed up:

(openssl x509 -inform PEM -in COMODORSADomainValidationSecureServerCA.crt; openssl x509 -inform PEM -in COMODORSAAddTrustCA.crt) > ca.crt


aws iam upload-server-certificate --server-certificate-name --certificate-body file:////domain_com_au.crt --private-key file:///domain_com_au.key --certificate-chain file:///ca.crt --path /cloudfront/  
comments powered by Disqus