If you are short of IP addresses and host multiple domains on a single IP that all require SSL, a good solution is the Multi-Domain certificate from Comodo: a single certificate containing more than one domain name, licensed for a single server installation.
However, the use of Host Headers (which is how you can use a single IP for more than one SSL enabled domain) is not recommended for E-Commerce sites.
The multi-domain certificate can only be purchased from one of the Comodo resellers, or you can apply to become one yourself.
To order the certs, you will first need to generate a Certificate Signing Request (CSR). This is easily done via the Plesk admin UI.
1. Log in to the Plesk Control Panel.
2. From the left hand menu, select 'Server'.
3. Click on 'Certificates'.
4. Click on the 'Add New Certificate' item.
5. Fill out the information on the page. All items marked with a red asterisk must be filled in.
6. Press the 'Request' button.
7. You will then be returned to the Certificates menu. From the list at the bottom of the page, click on the certificate name that you just created. Mid-way down the page there is a box labelled 'CSR'. Copy the content of this box.
8. Paste the CSR into the order screen when purchasing the SSL certificate.
Shortly after ordering, the SSL certificate is emailed to you as a zip file together with the following CA certs:
- AddTrustExternalCARoot.crt
- PositiveSSLCA.crt
- UTNAddTrustServerCA.crt
The CA certs must be concatenated into one file, in exactly the order shown below, and uploaded to Plesk as a single certificate:
$ cat PositiveSSLCA.crt > CA.crt
$ cat UTNAddTrustServerCA.crt >> CA.crt
$ cat AddTrustExternalCARoot.crt >> CA.crt
Those files are also available for download from Comodo's support site.
The order in which you place the contents of those files into the new file matters and must be followed as outlined above: each certificate is followed by the certificate that issued it, with the intermediate that signed your server certificate first and the root last. Do not add blank lines between the certificates when you copy the contents of the existing CA certs into the new file. You then provide this new file to Plesk when it asks for the CA Certificate.
In order to install the certificate, go back to the Certificate area in Plesk and upload or copy/paste the certs into the relevant areas.
Return to the Server Page and go to the IP address section. Click on the relevant IP address and apply the newly installed certificate.
Verify that the intermediate certificates are installed correctly:
openssl s_client -showcerts -connect [host.domain.tld:443]
If the intermediate certs are installed correctly, the output ends with "Verify return code: 0 (ok)"; any other return code means the chain the server sends is incomplete or not trusted.
Nginx & Comodo Positive SSL
First, I need to make a "valid" crt file. I run this command:
cat mysite_com.crt PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > new_mysite_com.crt
Last, change nginx.conf:
ssl_certificate /usr/local/nginx/new_mysite_com.crt;
ssl_certificate_key /usr/local/nginx/mysite_com.key;
mysite_com.key is the original key file which was used to make your mysite_com.crt.
Good luck to you :)
certificate routines:X509_check_private_key:key values mismatch
That's right, if you get the concatenation out of order, you would get something like the below error because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.
certificate routines:X509_check_private_key:key values mismatch
positivessl and nginx
Concatenate the SSL Cert and CA bundle as below:
cat server.crt server.ca-bundle >server.pem
Then include in nginx conf:
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
SSL Virtual Host Configuration
Below is an example Apache virtual host configuration file:
NameVirtualHost 192.168.1.2:443
#
# host.domain1.tld:443
#
<VirtualHost 192.168.1.2:443>
ServerName host.domain1.tld
UseCanonicalName Off
DocumentRoot /var/www/vhosts/host.domain1.tld/web
CustomLog /var/log/httpd/vhosts/host.domain1.tld/ssl_access_log combined
ErrorLog /var/log/httpd/vhosts/host.domain1.tld/ssl_error_log
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /var/www/vhosts/host.domain1.tld/ssl/host.domain1.tld.pem
</VirtualHost>
#
# host.domain2.tld:443
#
<VirtualHost 192.168.1.2:443>
ServerName host.domain2.tld
UseCanonicalName Off
DocumentRoot /var/www/host.domain2.tld/web
CustomLog /var/log/httpd/vhosts/host.domain2.tld/ssl_access_log combined
ErrorLog /var/log/httpd/vhosts/host.domain2.tld/ssl_error_log
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /var/www/vhosts/host.domain2.tld/ssl/host.domain2.tld.pem
</VirtualHost>
Note: The SSLCertificateFile entries above point to dummy certificates; the actual certificate is configured in the main "/etc/httpd/conf.d/ssl.conf" file.
A self-signed pem certificate is easily created with the "make_cert.sh" script below:
#!/bin/sh
# make_cert.sh - write a self-signed certificate and its private key into
# one PEM file, for use as a dummy SSLCertificateFile
umask 077
# answers to the interactive prompts of "openssl req", in prompt order:
# country, state, city, organisation, unit, common name, e-mail address
answers() {
    echo --
    echo SomeState
    echo SomeCity
    echo SomeOrganization
    echo SomeOrganizationalUnit
    echo subscriptions.bioethika.com
    echo root@localhost.localdomain
}
if [ $# -eq 0 ] ; then
    echo "Usage: $(basename "$0") filename [...]"
    exit 0
fi
for target in "$@" ; do
    PEM1=$(/bin/mktemp /tmp/openssl.XXXXXX)   # private key
    PEM2=$(/bin/mktemp /tmp/openssl.XXXXXX)   # certificate
    trap 'rm -f "$PEM1" "$PEM2"' INT
    # 2048-bit key: 1024-bit RSA is too weak to be accepted by modern clients
    answers | /usr/bin/openssl req -newkey rsa:2048 -keyout "$PEM1" -nodes \
        -x509 -days 9999 -out "$PEM2" 2> /dev/null
    cat "$PEM1" > "$target"      # key first ...
    echo "" >> "$target"
    cat "$PEM2" >> "$target"     # ... then the certificate
    rm -f "$PEM1" "$PEM2"
done
Why not for e-commerce sites?
Why is the use of Host Headers not recommended for E-Commerce sites?
Thx,
Jose