newspaint

Documenting Problems That Were Difficult To Find The Answer To

SSL Intermediate Certificate Order for Comodo Positive SSL

Applications like Dovecot and Exim require the intermediate certificates concatenated into one file along with your site’s certificate. Apache also requires the intermediate certificates in one file.

The Comodo Positive SSL certificate appears to be one of the cheapest available at gogetssl.com.

When you get a Comodo Positive SSL certificate, your zip file contains your site certificate and three other “intermediate” certificate authority files. The files in the zip are:

| Filename | Type | Distance from Root |
|---|---|---|
| AddTrustExternalCARoot.crt | Intermediate | 0 |
| COMODORSAAddTrustCA.crt | Intermediate | 1 |
| COMODORSADomainValidationSecureServerCA.crt | Intermediate | 2 |
| your_site.crt | Site Certificate | 3 |

For Apache you need to put the three certificate authority intermediate certificates into one file in order of decreasing distance from the root.

```sh
cat COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt \
  AddTrustExternalCARoot.crt \
  >intermediate.crt
```

and then add the following to your virtual server configuration:

```
SSLCertificateFile /etc/apache2/ssl/gogetssl/your_site.crt
SSLCertificateKeyFile /etc/apache2/ssl/gogetssl/your_site.key
SSLCertificateChainFile /etc/apache2/ssl/gogetssl/intermediate.crt
```

For Dovecot/Exim you need to put all four certificates including your site certificate into one file in order of decreasing distance from the root:

```sh
cat your_site.crt \
  COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt \
  AddTrustExternalCARoot.crt \
  >your_site.comodo+intermediate.crt
```

and then add the following to your exim4.conf:

```
tls_certificate = CONFDIR/ssl/gogetssl/your_site.comodo+intermediate.crt
tls_privatekey = CONFDIR/ssl/gogetssl/your_site.key
```

and in dovecot.conf:

```
ssl_cert = </etc/dovecot/ssl/gogetssl/your_site.comodo+intermediate.crt
ssl_key = </etc/dovecot/ssl/gogetssl/your_site.key
```
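A quick way to confirm that either concatenated file (the Apache `intermediate.crt` or the four-certificate Dovecot/Exim bundle) is in the right order is to check that each certificate's issuer is the subject of the certificate that follows it. The script below is an added example, not part of the original post. The function names are hypothetical, and the sample certificates are constructed, unsigned DER skeletons with shortened names rather than the real Comodo files.

```python
import base64
import re

PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                # optional [0] version field
        pos = end
    for _ in range(2):             # skip serialNumber and signature algorithm
        pos = tlv(der, pos)[2]
    end = tlv(der, pos)[2]
    issuer, pos = der[pos:end], end
    pos = tlv(der, pos)[2]         # skip validity
    return issuer, der[pos:tlv(der, pos)[2]]

def chain_order_errors(bundle):
    """Each certificate's issuer must equal the subject of the certificate after it."""
    names = [issuer_subject(base64.b64decode(b)) for b in PEM.findall(bundle)]
    return [f"cert {i}: issuer is not the subject of cert {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def fake_cert(subject_cn, issuer_cn):
    """Constructed sample: unsigned DER skeleton holding only the fields read above."""
    d = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    name = lambda cn: d(0x30, d(0x31, d(0x30, b"\x06\x03\x55\x04\x03" + d(0x0C, cn.encode()))))
    tbs = d(0x30, d(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + d(0x30, b"")
            + name(issuer_cn) + d(0x30, b"") + name(subject_cn))
    body = base64.encodebytes(d(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Constructed stand-ins for the four files in the zip (names shortened, not real certs)
SITE, DV = fake_cert("your_site", "DV CA"), fake_cert("DV CA", "RSA CA")
RSA, ROOT = fake_cert("RSA CA", "Root"), fake_cert("Root", "Root")

if __name__ == "__main__":
    print(chain_order_errors(SITE + DV + RSA + ROOT))  # order used for Dovecot/Exim above
    print(chain_order_errors(SITE + RSA + DV + ROOT))  # two intermediates swapped
```

To check a real bundle, pass the file's bytes to `chain_order_errors`. The check covers name chaining only and does not verify signatures or expiry.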

2 responses to “SSL Intermediate Certificate Order for Comodo Positive SSL”

  1. hen August 28, 2015 at 9:20 pm

    Thank you. That was extremely helpful.

  2. Stephen Chadfield December 2, 2015 at 11:18 am

    You are a lifesaver! I have the exact setup described above: apache+dovecot+exim+positivessl. Running smooth now.
