COMODO SSL Certificate Installation with A+ Rating
Sunday, December 11, 2016

An SSL (Secure Sockets Layer) certificate is a must for any e-commerce or data-driven application. Nowadays even social applications that integrate with Google or Facebook need an HTTPS URL to use geolocation or any map-related features. Some time ago I already covered the installation of an SSL certificate, but I missed a few configuration settings that are needed to get an A+ rating for the website. An A+ rating shows that the site meets the accepted standard and works smoothly on every platform.


COMODO sells a PositiveSSL certificate for $20. Buying the certificate alone does not give you an A+ rating; a few proper Apache and OpenSSL configuration settings are also required. Follow this tutorial to get the A+ rating easily.

Step 1
Open your server terminal and generate the private key file:
root:/home# openssl genrsa -out domain.key 2048

Generating RSA private key, 2048 bit long modulus
....++++++
............++++++
e is 65537 (0x10001)


Step 2
Generate the certificate request (CSR) file from domain.key; it is saved here as domain.crt and is the file you submit to the SSL provider.
root:/home# openssl req -new -key domain.key -out domain.crt

Enter pass phrase for domain.key: Key Password

Country Name (2 letter code) [AU]:IN // Country Code 
State or Province Name (full name) [Some-State]:Tamilnadu // State 
Locality Name (eg, city) []:Chennai // City 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:9lessons 
Organizational Unit Name (eg, section) []:software
Common Name (eg, YOUR name) []:www.domain.com //
Email Address []:admin@domain.com // Domain Verification 


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SSL Password // No special characters
An optional company name []:egglabs

COMODO Positive SSL
I got the PositiveSSL certificate from COMODO.com. Once your SSL certificate order is successful, download the domain.crt (the request file generated in Step 2) from your server and submit it to the SSL provider. The provider, e.g. COMODO, will send a domain verification mail to admin@domain.com, the email address you specified when generating the request.

COMODO Certificate Files
COMODO will send you the following certificate files.

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Create A COMODO Bundle File
Use the terminal to combine the following files into a bundle; make sure you keep exactly this order (the certificate's own issuer first, the root CA last):
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ca-bundle.crt

If you are a Windows user, use Notepad and paste the contents of these files, in the same order, into one bundle file.

Openssl
Try to use OpenSSL 1.0.2; lower versions have known vulnerability issues. I am using the latest XAMPP server.

Step 3
Copy all of the certificate files into the XAMPP SSL directories:
root:/home# cp www_example_com.crt /opt/lampp/etc/ssl.crt/www_example_com.crt
root:/home# cp domain.key /opt/lampp/etc/ssl.key/domain.key
root:/home# cp ca-bundle.crt /opt/lampp/etc/ssl.crt/ca-bundle.crt

Step 4
Enable the SSL module in the Apache configuration file: edit vi /opt/lampp/etc/httpd.conf and make sure the following line is present and not commented out.
LoadModule ssl_module modules/mod_ssl.so

Step 5
Modify the SSL configuration file: vi /opt/lampp/etc/extra/httpd-ssl.conf
<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/opt/lampp/htdocs"
ServerName www.domain.com
ServerAdmin admin@domain.com
ErrorLog /opt/lampp/logs/error_log
TransferLog /opt/lampp/logs/access_log

# Server Certificate:
SSLCertificateFile /opt/lampp/etc/ssl.crt/www_example_com.crt

# Server Private Key:
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/domain.key

# Certificate Authority (CA):
SSLCertificateChainFile /opt/lampp/etc/ssl.crt/ca-bundle.crt
</VirtualHost>

In the same file, add the following directives after the Listen 443 line. Make sure you do not duplicate directives that already exist in the file. These settings protect against POODLE, the OpenSSL padding oracle vulnerability, BEAST, Heartbleed and similar attacks.
Listen 443

SSLInsecureRenegotiation off

SSLProtocol All -SSLv2 -SSLv3

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS:!LOW:!MEDIUM

SSLHonorCipherOrder On

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

# Requires Apache >= 2.4.11
SSLSessionTickets Off
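As an added example (not part of the original tutorial), here is a small Python audit that parses an httpd-ssl.conf fragment like the one above and reports settings that would cost the A+ rating; the sample fragment and the 180-day HSTS threshold are my own assumptions. The cipher string is checked item by item, which catches a '!' glued onto the previous item (RSA+AESGCM!aNULL where RSA+AESGCM:!aNULL is meant), because OpenSSL only honours '!' at the start of a ':'-separated item.

```python
import re
# Constructed sample: this tutorial's httpd-ssl.conf fragment, with a missing ':' before !aNULL kept in.
SAMPLE_CONF = """
Listen 443
SSLInsecureRenegotiation off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:RSA+AESGCM!aNULL:!MD5:!DSS:!LOW:!MEDIUM
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
"""
FIXED_CONF = SAMPLE_CONF.replace("AESGCM!aNULL", "AESGCM:!aNULL")

# One item of an OpenSSL cipher list: optional leading !/-/+, then names joined by '+'.
CIPHER_ITEM = re.compile(r"^[!+-]?[A-Za-z0-9_-]+(\+[A-Za-z0-9_-]+)*$|^@[A-Z]+$")
MIN_HSTS_AGE = 180 * 24 * 3600  # assumed threshold: roughly six months

def parse_directives(text):
    """Map each directive name to the list of its values (Header may repeat)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out.setdefault(name, []).append(value.strip())
    return out

def audit(text):
    """Return findings for a config fragment; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    first = lambda name: d.get(name, [""])[0].lower()
    proto = first("SSLProtocol").split()
    if "-sslv2" not in proto or "-sslv3" not in proto:
        findings.append("SSLProtocol must exclude SSLv2 and SSLv3 (POODLE)")
    for name, want, why in (("SSLHonorCipherOrder", "on", "server chooses the cipher"),
                            ("SSLCompression", "off", "CRIME"),
                            ("SSLInsecureRenegotiation", "off", "renegotiation attack")):
        if first(name) != want:
            findings.append(f"{name} should be {want} ({why})")
    items = d.get("SSLCipherSuite", [""])[0].split(":")
    for item in items:
        if not CIPHER_ITEM.match(item):
            findings.append(f"malformed cipher item {item!r}: '!' is only valid at the start of an item")
    if "!aNULL" not in items:
        findings.append("cipher list never excludes anonymous suites (!aNULL)")
    hsts = [v for v in d.get("Header", []) if "Strict-Transport-Security" in v]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age shorter than the assumed A+ minimum")
    return findings
```

Running audit() on the fragment as typed returns two findings (the malformed item and the missing !aNULL); on the corrected cipher string it returns an empty list.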

Step 6
Open the SSL port 443 on your server so the HTTPS virtual host is reachable.
2 comments:

  1. Thank you buddy for showing the exact procedure to use SSL certificate. I bought SSL on Black Friday; now I will give it a try for my blog.

  2. Great !!
    This is valuable information. Thanks for sharing this.
