Comodo PositiveSSL is a Domain Validation (DV) SSL certificate that many users choose because it is cheap, easy to install, and does not require confirmation of any information.
In this article, I will show you how to install a PositiveSSL certificate on a server running Nginx. For Let’s Encrypt, check out this tutorial.
1. Generate certificate
After registering for SSL, you will need to generate the new certificate file.
In this step, you need to provide the private key (and the CSR). Be sure to save this private key for use in the steps below. Depending on where you register the certificate, the provider may be able to generate these keys for you automatically.
The format of the private key is:
-----BEGIN PRIVATE KEY-----
(base64-encoded key data)
-----END PRIVATE KEY-----
The SSL certificate email from Comodo has the title “Your PositiveSSL Certificate for coupontree.co”. Attached to it is a compressed file, coupontree_co.zip, which contains 2 files:
coupontree_co.crt
coupontree_co.ca-bundle
Using any editor (for example Notepad++), open the file coupontree_co.crt, copy all of its content, paste it at the top of the file coupontree_co.ca-bundle, and save the result as ssl-bundle.crt.
The ssl-bundle.crt file now contains the contents of both the .crt and .ca-bundle files. Note that the order matters: the content of the .crt file must come first.
2. Install the SSL certificate
Create the folder containing the certificate file:
mkdir -p /etc/nginx/ssl/coupontree_co/
Save the certificate content to a file in this folder, using copy/paste in nano:
nano /etc/nginx/ssl/coupontree_co/ssl-bundle.crt
Save the private key content in the same folder:
nano /etc/nginx/ssl/coupontree_co/private.key
Create a 2048-bit DH parameter file; generating it will take a long time:
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
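Before Nginx is pointed at these files, it helps to confirm that the domain certificate really is the first entry in ssl-bundle.crt, that it matches private.key, and that the key is not readable by other users. The script below is an added example, not part of the original article; the function names and the throwaway sample CA it generates are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original article. Return codes: 0 ok,
# 1 first certificate does not match the key, 2 unreadable input,
# 3 no CA certificates in the bundle, 4 key readable by group/others.
check_tls_files() {
    bundle=$1; key=$2
    # openssl x509 reads only the FIRST certificate in the file, the one
    # Nginx pairs with ssl_certificate_key.
    leaf_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read a certificate from $bundle"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key $key"; return 2; }
    # A mismatch is what you get when the .ca-bundle was pasted on top.
    [ "$leaf_pub" = "$key_pub" ] ||
        { echo "first certificate in $bundle does not match $key"; return 1; }
    # The CA certificates must follow the domain certificate.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle")" -ge 2 ] ||
        { echo "$bundle contains no CA certificates"; return 3; }
    # Files saved from nano get the default umask, often world-readable.
    case $(ls -ldL "$key" | cut -c5-10) in
        ------) ;;
        *) echo "$key is open to group/others: chmod 600 $key"; return 4 ;;
    esac
    echo "ok: $bundle and $key are consistent"
}

# Constructed sample data: a throwaway CA and domain certificate in dir $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/private.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null &&
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/ssl-bundle.crt" &&
    cat "$1/ca.crt" "$1/leaf.crt" > "$1/reversed.crt" &&
    chmod 600 "$1/private.key"
}

if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"     # e.g. ssl-bundle.crt private.key
else
    # No arguments: run against the constructed sample, right and wrong order.
    tmp=$(mktemp -d) && make_sample "$tmp" && {
        check_tls_files "$tmp/ssl-bundle.crt" "$tmp/private.key"
        check_tls_files "$tmp/reversed.crt" "$tmp/private.key"
    } || true
    rm -rf "$tmp"
fi
```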
Next, we will edit the Nginx configuration file. For example, if your domain name is “coupontree.co”, the configuration file path will be /etc/nginx/conf.d/coupontree.co.conf.
Open the configuration file with nano:
nano /etc/nginx/conf.d/coupontree.co.conf
SSL configuration for handling requests
In the second server {…} block, make the following changes:
+ Change listen 80 default_server; to listen 443 ssl http2;
+ After the line server_name coupontree.co; add the optimized SSL configuration snippet:
# SSL
ssl_certificate /etc/nginx/ssl/coupontree_co/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/coupontree_co/private.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Enable HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
Redirect all www http to https
In the server {…} block at the top:
+ Change server_name www.coupontree.co; to server_name coupontree.co www.coupontree.co;
+ Change rewrite ^(.*) http://coupontree.co$1 permanent; to rewrite ^(.*) https://coupontree.co$1 permanent;
The results are as follows:
server {
    listen 80;
    server_name coupontree.co www.coupontree.co;
    rewrite ^(.*) https://coupontree.co$1 permanent;
}
Now, visiting http://coupontree.co or http://www.coupontree.co will automatically redirect to https://coupontree.co
Redirect all www https to non-www https
Add a new server { … } block at the top:
server {
    listen 443 ssl http2;
    server_name www.coupontree.co;
    # SSL
    ssl_certificate /etc/nginx/ssl/coupontree_co/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/coupontree_co/private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    rewrite ^(.*) https://coupontree.co$1 permanent;
}
Now, visiting https://www.coupontree.co will automatically redirect to https://coupontree.co
Check Nginx configuration
nginx -t
Restart Nginx
service nginx restart
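The configuration built above can also be scanned for legacy TLS settings: protocol versions that have since been deprecated (SSLv3, TLSv1, TLSv1.1), 3DES cipher suites, and TLS server blocks that send no HSTS header. The script below is an added example, not part of the original article; the function names and the sample config are constructed for illustration, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example, not from the original article: flag legacy TLS settings in
# an Nginx config file, one finding per line. Returns 1 if anything is found.
audit_nginx_tls() {
    awk '
    /^[ \t]*#/ { next }                               # ignore comment lines
    /^[ \t]*server[ \t]*[{]/ { b++; start[b] = NR }   # a new server block
    /^[ \t]*listen[ \t].*ssl/ { tls[b] = 1 }
    /Strict-Transport-Security/ { hsts[b] = 1 }
    /^[ \t]*ssl_protocols[ \t]/ {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                found(NR, "ssl_protocols enables deprecated " p)
        }
    }
    /^[ \t]*ssl_ciphers[ \t]/ && /DES-CBC3/ {
        found(NR, "ssl_ciphers offers 3DES (DES-CBC3) suites")
    }
    function found(n, msg) { print "line " n ": " msg; bad++ }
    END {
        for (i = 1; i <= b; i++) if (tls[i] && !hsts[i])
            found(start[i], "TLS server block sends no Strict-Transport-Security header")
        exit (bad > 0)
    }' "$1"
}

sample_conf() {
    cat <<'EOF'
# Constructed sample laid out like the article's config (ciphers shortened).
server {
    listen 80;
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# With a path argument audit that file, otherwise the constructed sample.
if [ "$#" -eq 1 ]; then audit_nginx_tls "$1"
else sample_conf | audit_nginx_tls - || true; fi
```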
If you use WordPress, install the Really Simple SSL plugin to automatically redirect http to https and switch all .css and .js links to https.
If you do not want to use the Really Simple SSL plugin, please refer to the Let’s Encrypt Installation Guide in cPanel for instructions on how to do it manually.
Now visit the domain to enjoy the results. Good luck.