For anyone having issues with the correct Comodo PositiveSSL certificate chain order, this may help.
After renewing the SSL certificate for my “Cloud Server,” I decided to run the site through the Qualys SSL Labs Reporting Tool to see if the server was correctly using the new certificate. The tool reported issues with the certificate chain order. After troubleshooting and many Apache restarts, I finally found the right order.
It turns out the bundle Comodo sends you (my reseller was Namecheap) includes additional root certificate authority certificates in addition to their root certificate. While this isn’t technically an issue, it will break a proper certificate chain check with some browsers and may throw warnings to end users.
To fix this, you can install only the root certificate authority (CA) as a chain file in Apache. Instead, I bundled my site’s certificate with the root CA in one file to make administration easier. My ZIP file of certificates included two files.
Zip File Contents
www_cloud_louden_ca.ca-bundle = Root Certificate Authority Bundle
www_cloud_louden_ca.crt = Website SSL Certificate
Open the “ca-bundle” file in a text editor. You will notice three certificates. We need to extract the first one, the primary Comodo root CA certificate. In another text editor, open your site’s SSL certificate and append the extracted root CA to the bottom of it. Save the new bundle as a new file, giving you the correct chain of certificates. You will now have a certificate file that looks something like this.
-----BEGIN CERTIFICATE-----
Your website's SSL certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Comodo Root CA Certificate (first certificate in ca-bundle)
-----END CERTIFICATE-----
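The copy-and-paste step above can be scripted so the block order and PEM markers are checked rather than eyeballed. The following Python is an added example, not part of the original post: the function names are my own, and the sample input is constructed placeholder data, not real certificates. It rejects a block that is not labelled CERTIFICATE (such as a CSR pasted by mistake) and rewrites each block with a trailing newline, so a file saved without one cannot run two markers together.

```python
import base64
import re

# Matches any PEM block and captures its label, e.g. "CERTIFICATE".
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, decoded_bytes) for each PEM block, in file order."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def to_pem(raw):
    """Re-encode bytes as a CERTIFICATE block with 64-char lines and a final newline."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def build_chain(site_pem, ca_bundle_pem):
    """Site certificate first, then only the first certificate of the ca-bundle."""
    site, bundle = pem_blocks(site_pem), pem_blocks(ca_bundle_pem)
    if len(site) != 1:
        raise ValueError("expected exactly one block in the site certificate file")
    if not bundle:
        raise ValueError("no PEM blocks found in the ca-bundle")
    for label, _ in (site[0], bundle[0]):
        if label != "CERTIFICATE":  # e.g. a CSR pasted by mistake
            raise ValueError(f"unexpected PEM label: {label}")
    return to_pem(site[0][1]) + to_pem(bundle[0][1])

# Constructed placeholder input: the payloads are labels, not real X.509 data.
SITE = to_pem(b"site certificate").rstrip("\n")  # editor saved without final newline
BUNDLE = "".join(to_pem(n) for n in (b"first CA cert", b"second CA cert", b"third CA cert"))

if __name__ == "__main__":
    print(build_chain(SITE, BUNDLE), end="")
```

With real files, pass the contents of www_cloud_louden_ca.crt and www_cloud_louden_ca.ca-bundle to build_chain and write the returned text to the new bundle file.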