Installing Comodo SSL on VestaCP

A tutorial with pictures on how to correctly install and set up a Comodo PositiveSSL certificate for a website or blog hosted on a VestaCP server. This is a complete step-by-step guide covering buying the certificate, having it issued, and installing it on VestaCP so your website is accessible via the https:// protocol. Using SSL is said to improve not just security but also SEO ranking, especially after Google announced that https:// is one of the many factors considered in ranking position.

What is Comodo PositiveSSL?

PositiveSSL by Comodo is a strong SSL certificate suitable for general websites, blogs, and even Facebook apps. PositiveSSL offers low-cost, fast, automated online validation: no paperwork, no faxes, no delay. The certificate also comes with industry-standard 2048-bit digital signatures and 99.9% browser recognition. That means all modern web browsers on any device will recognize the certificate (except the 0.1% that are probably running on a very ancient PC).

Some tech specs of Comodo PositiveSSL:

  • 1 domain per certificate
  • Including www and non-www
  • Domain validation
  • $10,000 warranty
  • Free unlimited reissues
  • 99.9% browser support
  • 2048 – 4096-bit key length
  • up to 256-bit encryption

For your information, 128- to 256-bit encryption is nearly impossible to crack. But if some evil genius does decrypt your SSL traffic and steals the data transmitted over the secure connection (a password or a client’s credit card, for instance), Comodo will pay warranty compensation to the victim of such fraud.

PositiveSSL from Comodo validates that your domain belongs to you. For many companies, this effective basic SSL certificate offers perfectly adequate protection. A PositiveSSL tells people that your site belongs to a real company and that their data is secure. Pricey certificates are targeted at companies with large budgets. They require complicated legal verification procedures and an operating history, which is excessive for someone who needs a simple SSL certificate for a Facebook app or login page. As your business expands, you may need more in-depth validation to increase customer trust, but a PositiveSSL certificate is ideal for start-ups or businesses that don’t exchange highly sensitive data.

Obtaining PositiveSSL

Buying Comodo PositiveSSL from its official website is very expensive, while many big resellers offer cheaper, discounted prices. You can use Google, Bing or your favorite search engine to look for SSL promos. In this example, I’ll show you how to get a cheap yearly PositiveSSL from SSLs.com, a sister company of Namecheap.com.

Step 1 – Go to https://www.ssls.com.

Step 2 – Click on the “Add to cart” button in the PositiveSSL box.

Step 3 – Then click the Cart button in the top right corner of the page to see that your SSL order has been placed in the shopping cart.

Step 4 – On the next page you can review your order. Once everything is correct, simply hit the Checkout button.

Step 5 – Now enter your email address to sign up for an account at SSLs.com.

Step 6 – After clicking the “Yep, I’m Done” button, you’ll be redirected to the next checkout page, where you have to enter a few details about yourself, including name, phone number, email and the password used to log in to your SSLs account. Finally, hit the orange “Go To Payment” button.

Step 7 – On the next page, choose which payment method you want to use: credit card, PayPal, Bitcoin or account funds.

Step 8 – Make the payment!

Step 9 – Once done, you’ll be returned to the SSLs page, with your order number displayed along with the activation button.

Generating SSL Certificate

Step 10 – Now activate the SSL cert you’ve just ordered. This will depend on which registrar you bought the SSL from. If you bought it from SSLs.com just like me, simply click the orange Activate button.

Step 11 – In the next page, you have to enter your Certificate Signing Request (CSR) key.

Getting CSR Key on VestaCP

Step 12 – How do you get your server’s CSR key on VestaCP? It’s simple. Follow these steps:

Step 12.a. – Log in to your VestaCP management panel via https://server-ip:8083

Step 12.b. – Then go to Web > your domain.tld > Edit.

Step 12.c. – On the next page, enable the SSL Support option.

Step 12.d. – Then click the Generate CSR link; a new browser window / tab will open.

Step 12.e. – Go to that new window / tab and fill in all required fields. Make sure you use a working email address. UK citizens have to enter GB as the 2-letter country code, not UK. Once done, hit the OK button.

Step 12.f. – You’ll then get the generated CSR key along with an SSL Certificate and an SSL RSA Private Key. Of these, you’ll use only the CSR and the RSA Private Key. Keep this tab open, because the private key is needed again in Step 24.

Step 13 – Copy the CSR key you generated in VestaCP and paste it into your PositiveSSL provider’s form (SSLs.com in my case), then hit the Read CSR button. Paste only the CSR; the private key stays on your server.

Step 14 – SSLs.com will read your CSR key and display it on the next page for you to review. Once everything looks OK, click the Looks Good, Onward button.

Step 15 – SSLs.com will then remind you that the certificate you bought will work on both the www and non-www versions of your domain. Simply click the Onward button again.

Step 16 – It will then ask you to confirm that you really own the domain you are requesting the SSL certificate for. There are two domain confirmation methods: by email or by uploading a file. Choose whichever you prefer; the email method is my favorite.

Step 17 – Once you click the Got It, Onward button, you’ll be redirected to another page where you have to fill in some details again.

Once done, click the Onward button again. You’ll then see a page showing that the certificate issue is in progress.

Step 18 – Now upload the given file or check your email inbox to proceed with the confirmation process. If you are using the email confirmation method, confirm your email by entering the given validation code.

Enter the validation code on the Comodo website (click the browse here link).

Step 19 – Now wait a few minutes (about 1 – 3 minutes), then check your inbox again, because the certificate file will be sent directly to your email.

Step 20 – Download the attached .zip file to your local drive. The file name should be domainname_tld.zip.

Step 21 – Open that file using either WinRAR or WinZip, or simply extract its content, and you’ll get 4 (four) files: domainname_tld.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, and AddTrustExternalCARoot.crt.

Step 22 – Now open each file and copy and paste its content into the corresponding field in VestaCP. Here’s the main rule:

SSL Certificate:
domainname_tld.crt

SSL Key:
The SSL Key that you created during CSR generation in Vesta

SSL Certificate Authority / Intermediate:
Use the other three certificates sent by Comodo, in this order:
1- COMODORSADomainValidationSecureServerCA.crt
2- COMODORSAAddTrustCA.crt
3- AddTrustExternalCARoot.crt

I’ll show you in the next steps:

Step 23 – Open the domainname_tld.crt file using your favorite text editor, such as Notepad, Sublime or Notepad++. In my case I simply use the built-in WinRAR Text Viewer feature. Copy all of its content without adding or removing any part of it.

Then go back to the VestaCP management panel and paste the SSL certificate into the SSL Certificate field.

Step 24 – Now go back to the other VestaCP page, where you generated the CSR key previously. Copy the SSL Key content, then paste that SSL Private Key into the SSL Key field in the previous tab.

Step 25 – Open the COMODORSADomainValidationSecureServerCA.crt file, then copy and paste its content into the SSL Certificate Authority / Intermediate field.

Step 26 – Open the COMODORSAAddTrustCA.crt file, then copy and paste its content into the SSL Certificate Authority / Intermediate field, right after the content of COMODORSADomainValidationSecureServerCA.crt.

Step 27 – Open the AddTrustExternalCARoot.crt file, then copy and paste its content into the SSL Certificate Authority / Intermediate field, right after the content of COMODORSAAddTrustCA.crt.

Step 28 – Finally, hit the Save button.

The “Changes have been saved” message indicates that everything is fine. Otherwise you’ll get an error message.
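The field mapping from Step 22 can also be checked on the command line before you paste anything. This is an added example, not part of the original tutorial and not VestaCP code: it assumes the openssl command-line tool is installed, the function names are made up for illustration, and it writes the combined intermediate field to a file called ca_bundle.pem in the current directory.

```shell
#!/bin/sh
# Added example (not VestaCP code): pre-flight checks for the three SSL
# fields. Assumes the openssl CLI; function names are illustrative.

# SSL Key field: succeeds only if the private key ($2) belongs to the
# certificate ($1), by comparing the public key each one contains.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if every certificate was issued by the one listed after
# it: domain cert first, then intermediates, root last.
chain_in_order() {
    expected=
    for f in "$@"; do
        subject=$(openssl x509 -in "$f" -noout -subject_hash) || return 1
        if [ -n "$expected" ] && [ "$subject" != "$expected" ]; then
            echo "out of order: $f" >&2
            return 1
        fi
        expected=$(openssl x509 -in "$f" -noout -issuer_hash) || return 1
    done
}

# Intermediate field: write the CA certificates ($2...) to one file ($1)
# in the order given, one clean PEM block each.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" >> "$out" || return 1
    done
}

# Signature and expiry check: $1 domain cert, $2 root, $3 bundle.
verify_leaf() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
}

# Run every check; $1 cert, $2 key, then the CA files in paste order.
preflight() {
    cert=$1 key=$2; shift 2
    for root in "$@"; do :; done          # last argument is the root
    key_matches_cert "$cert" "$key" || { echo "key mismatch" >&2; return 1; }
    chain_in_order "$cert" "$@" || return 1
    build_bundle ca_bundle.pem "$@" || return 1
    verify_leaf "$cert" "$root" ca_bundle.pem
}
```

With the files from Step 21 the call is `preflight domainname_tld.crt your.key COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt`, where your.key is whatever name you saved the SSL Key under. The final `openssl verify` step also fails if any certificate in the chain has expired.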

Step 29 – Now open your web browser and load your website via the https:// protocol. The address bar should show that the connection is secured by the installed certificate (a padlock in Firefox).

Step 30 – Optionally, if you are using WordPress, search for an SSL plugin to redirect all requests to SSL. One of the best and simplest that really works is the Really Simple SSL plugin.

Not using WordPress? You can simply add the rules below to your .htaccess file to do a 301 redirect from http to https:

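# Redirect every request that arrived over plain HTTP to HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; without it Apache answers with a 302.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]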

That’s all. I hope you like it. Please do not hesitate to drop a comment below if there is any part of the steps above that you don’t quite understand.

In my own experience, I always get a B rating on the SSLLabs.com test. That’s understandable because I installed Comodo PositiveSSL on VestaCP with 1 IP (shared with other domains), while normally (recommended) SSL can only be installed on a domain with a dedicated IP. Thanks to the Server Name Indication (SNI) technology implemented in VestaCP, users can now use SSL without requiring a dedicated IP. The main disadvantage of SNI is that it is not compatible with:

  • Windows XP + any version of Internet Explorer (6, 7, 8, 9)
  • Internet Explorer 6 or earlier
  • Safari on Windows XP
  • BlackBerry Browser
  • Windows Mobile up to 6.5
  • Nokia Browser for Symbian at least on Series60
  • Opera Mobile for Symbian at least on Series60

So it is recommended to assign a dedicated IP to the domain you wish to install SSL on.
