[Resolved] Comodo InstantSSL Chained CA-Bundle

Discussion in 'Install/Configuration' started by J.T., Sep 14, 2010.

  1. J.T.

    J.T. New Member

    Hi,

    We use Comodo InstantSSL for some of our domains.

    I'd simply upload the crt to /conf/cert where the key is too, then give the SSl Private Key File, Certificate File and leave Chained No.

    That then works fine for almost everybody.

    But every now and then, some people say they get warnings about it being insecure. Probably those on a tightly secured network.

    This tool confirms that:

    http://www.sslshopper.com/ssl-checker.html

    Note the link to Comodo's Apache OpenSSL instructions:

    https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264&nav=0,96,1,88

    SO ideally, we'd use the ca-bundle file Comodo send along with the CRT.

    Before using Litespeed, indeed this worked in Apache:

    Code:
    SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle
    But I can't get that to work in Litespeed.

    If I upload the ca-bundle file in the same /conf/cert directory where the site's key and crt are, then say Chained Certificate - Yes, CA Certificate Path = $SERVER_ROOT/conf/cert/ and CA Certificate File = $SERVER_ROOT/conf/cert/yourSERVERNAME.ca-bundle

    I restart LSWS and then that tool, and the browser thinks no SSL has been installed.

    I don't understand the explanation of CA Certiticate Path and File either.

    How can I use Comodo's chained bundle?
    Last edited by a moderator: Sep 21, 2010
  2. mistwang

    mistwang LiteSpeed Staff

    "Chained Certificate" off
    "CA Certificate File" = $SERVER_ROOT/conf/cert/yourSERVERNAME.ca-bundle
    "CA Certificate Path" should not be set
  3. J.T.

    J.T. New Member

    Thanks, I'll try that. Comodo just suggested to put the bundle certificate inside the normal certificate file. Normal certificate up top, followed by the bundle. I'll try that as well just in case.
  4. mistwang

    mistwang LiteSpeed Staff

    You can do that, combine all certificates in one file. If you do that, make sure to set "Chained Certificate" to "Yes".
  5. J.T.

    J.T. New Member

    Thanks, that seems to work. That SSL checker now has green ticks all over, great!
    Last edited: Sep 20, 2010

Share This Page