Commercial SSL certificates from trusted Certificate Authorities like Sectigo, RapidSSL, DigiCert, and GlobalSign provide enterprise-grade security with extended validation options, warranty protection, and comprehensive browser compatibility. Unlike free certificates, commercial SSL certificates offer organization validation (OV) and extended validation (EV) options with enhanced trust indicators.
This comprehensive guide covers the complete process of purchasing, generating, and installing commercial SSL certificates on both Nginx and Apache web servers.
Understanding Commercial SSL Certificates
Commercial SSL certificates are digital certificates issued by trusted Certificate Authorities (CAs) that provide enhanced security features, validation levels, and business benefits beyond basic domain validation.
Types of Commercial SSL Certificates
| Certificate Type | Validation Level | Use Cases | Trust Indicators |
|---|---|---|---|
| Domain Validated (DV) | Basic domain ownership | Personal sites, blogs | Padlock icon |
| Organization Validated (OV) | Business verification | Corporate websites | Company name in certificate |
| Extended Validation (EV) | Rigorous business verification | E-commerce, banking | Green address bar, company name |
| Wildcard SSL | Domain + all subdomains | Multiple subdomains | *.example.com coverage |
| Multi-Domain SSL | Multiple domains | Multiple websites | SAN (Subject Alternative Names) |
Popular Commercial SSL Providers
1. Sectigo (Formerly Comodo)
- PositiveSSL: Budget-friendly DV certificates
- InstantSSL: OV certificates with business validation
- EV SSL: Extended validation certificates
- Wildcard SSL: Subdomain coverage options
2. RapidSSL
- RapidSSL Certificate: Quick issuance DV certificates
- RapidSSL Wildcard: Subdomain protection
- Budget-friendly: Cost-effective solutions
3. DigiCert
- Standard SSL: Premium DV certificates
- OV SSL: Organization validated certificates
- EV SSL: Extended validation certificates
- Premium support: 24/7 technical support
4. GlobalSign
- DomainSSL: Domain validated certificates
- OrganizationSSL: Business validated certificates
- ExtendedSSL: Extended validation certificates
Benefits of Commercial SSL Certificates
| Benefit | Description |
|---|---|
| Higher Trust Level | Recognized by all major browsers |
| Warranty Protection | Financial protection against certificate misuse |
| Customer Support | Dedicated technical support |
| Business Validation | Enhanced credibility for businesses |
| Longer Validity | Up to 2 years validity period |
| Mobile Compatibility | Optimized for mobile devices |
Prerequisites
Before installing commercial SSL certificates, ensure you have:
System Requirements
- Web Server: Nginx 1.14+ or Apache 2.4+
- Operating System: Ubuntu 18.04+, CentOS 7+, or similar
- Root Access: Administrative privileges required
- Domain Setup: Properly configured domain pointing to your server
- Firewall Configuration: Ports 80 and 443 open
Required Files
- Certificate Signing Request (CSR): Generated on your server
- Private Key: Generated with CSR (keep secure)
- SSL Certificate: Issued by the CA
- Intermediate Certificate: CA bundle (if separate)
- Root Certificate: CA root certificate (if needed)
Domain Validation Requirements
- WHOIS Information: Accurate domain registration details
- Administrative Email: Access to [email protected] or similar
- DNS Control: Ability to add DNS records for validation
- HTTP Validation: Web server accessible on port 80
Step 1: Generate Certificate Signing Request (CSR)
The first step is generating a CSR and private key on your server.
Generate CSR Using OpenSSL
Create SSL Directory
bash
# Create directory for SSL files
sudo mkdir -p /etc/ssl/private/yourdomain.com
sudo mkdir -p /etc/ssl/certs/yourdomain.com
# Set proper permissions
sudo chmod 700 /etc/ssl/private/yourdomain.com
sudo chmod 755 /etc/ssl/certs/yourdomain.comGenerate Private Key and CSR
bash
# Navigate to SSL directory
cd /etc/ssl/private/yourdomain.com
# Generate 2048-bit private key
sudo openssl genrsa -out yourdomain.com.key 2048
# Generate CSR
sudo openssl req -new -key yourdomain.com.key -out yourdomain.com.csrWhen prompted, provide the following information:
text
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: California
Locality Name (eg, city) [Default City]: San Francisco
Organization Name (eg, company) [Default Company Ltd]: Your Company Name
Organizational Unit Name (eg, section) []: IT Department
Common Name (e.g. server FQDN or YOUR name) []: yourdomain.com
Email Address []: [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)Secure the Private Key
bash
# Set restrictive permissions on private key
sudo chmod 600 /etc/ssl/private/yourdomain.com/yourdomain.com.key
sudo chown root:root /etc/ssl/private/yourdomain.com/yourdomain.com.keyVerify CSR Content
bash
# Display CSR content
sudo openssl req -in /etc/ssl/private/yourdomain.com/yourdomain.com.csr -text -noout
# Copy CSR content for submission to CA
sudo cat /etc/ssl/private/yourdomain.com/yourdomain.com.csrGenerate CSR for Wildcard Certificates
For wildcard certificates covering subdomains:
bash
# Generate wildcard CSR
sudo openssl req -new -key yourdomain.com.key -out wildcard.yourdomain.com.csr
# Use *.yourdomain.com as Common Name
Common Name (e.g. server FQDN or YOUR name) []: *.yourdomain.comGenerate CSR for Multi-Domain (SAN) Certificates
For certificates covering multiple domains:
bash
# Create configuration file for SAN certificate
sudo nano /etc/ssl/san.conf
ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = San Francisco
O = Your Company Name
OU = IT Department
CN = yourdomain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com
DNS.3 = api.yourdomain.com
DNS.4 = blog.yourdomain.com
bash
# Generate SAN CSR
sudo openssl req -new -key yourdomain.com.key -out san.yourdomain.com.csr -config /etc/ssl/san.confStep 2: Purchase and Validate SSL Certificate
Submit CSR to Certificate Authority
- Choose SSL Provider: Select from Sectigo, RapidSSL, DigiCert, etc.
- Select Certificate Type: DV, OV, EV, Wildcard, or Multi-Domain
- Submit CSR: Paste the CSR content during purchase
- Complete Payment: Process payment for the certificate
- Domain Validation: Complete the validation process
Domain Validation Methods
Email Validation
- Receive validation email at [email protected]
- Click validation link in the email
- Confirm domain ownership
DNS Validation
bash
# Add DNS CNAME record as specified by CA
# Example:
# _dnsauth.yourdomain.com CNAME 201909191234567890abcdef.comodoca.comHTTP File Validation
bash
# Create validation file as specified by CA
sudo mkdir -p /var/www/yourdomain.com/.well-known/pki-validation
sudo nano /var/www/yourdomain.com/.well-known/pki-validation/validation-file.txt
# Add required content and ensure it's accessible via HTTP
curl http://yourdomain.com/.well-known/pki-validation/validation-file.txtDownload Certificate Files
After validation, download:
- yourdomain.com.crt: Your domain certificate
- yourdomain.com.ca-bundle: Intermediate certificates
- yourdomain.com.p7b: PKCS#7 format (optional)
Step 3: Install SSL Certificate on Nginx
Prepare Certificate Files
bash
# Upload certificate files to server
sudo cp yourdomain.com.crt /etc/ssl/certs/yourdomain.com/
sudo cp yourdomain.com.ca-bundle /etc/ssl/certs/yourdomain.com/
# Create combined certificate file (certificate + intermediate)
sudo cat yourdomain.com.crt yourdomain.com.ca-bundle > /etc/ssl/certs/yourdomain.com/yourdomain.com-combined.crt
# Set proper permissions
sudo chmod 644 /etc/ssl/certs/yourdomain.com/*Configure Nginx Virtual Host
Basic SSL Configuration
bash
sudo nano /etc/nginx/sites-available/yourdomain.com
nginx
# HTTP to HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}
# HTTPS server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
root /var/www/yourdomain.com/public_html;
index index.html index.htm index.php;
# SSL Configuration
ssl_certificate /etc/ssl/certs/yourdomain.com/yourdomain.com-combined.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.com/yourdomain.com.key;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/yourdomain.com/yourdomain.com.ca-bundle;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Logging
access_log /var/log/nginx/yourdomain.com-ssl-access.log;
error_log /var/log/nginx/yourdomain.com-ssl-error.log;
location / {
try_files $uri $uri/ =404;
}
# PHP processing (if needed)
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Deny access to hidden files
location ~ /\. {
deny all;
}
# Cache static files
location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
add_header Vary Accept-Encoding;
}
}Wildcard SSL Configuration
nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.yourdomain.com yourdomain.com;
# Wildcard SSL certificate
ssl_certificate /etc/ssl/certs/yourdomain.com/wildcard.yourdomain.com-combined.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.com/wildcard.yourdomain.com.key;
# SSL configuration (same as above)
# ... SSL settings ...
# Subdomain routing
location / {
if ($host = api.yourdomain.com) {
root /var/www/api;
}
if ($host = blog.yourdomain.com) {
root /var/www/blog;
}
try_files $uri $uri/ =404;
}
}Enable and Test Nginx Configuration
bash
# Enable the site
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
# Test configuration
sudo nginx -t
# Reload Nginx
sudo systemctl reload nginx
# Check SSL certificate
openssl s_client -connect yourdomain.com:443 -servername yourdomain.comStep 4: Install SSL Certificate on Apache
Prepare Certificate Files
bash
# Upload certificate files to Apache SSL directory
sudo cp yourdomain.com.crt /etc/ssl/certs/
sudo cp yourdomain.com.ca-bundle /etc/ssl/certs/
sudo cp yourdomain.com.key /etc/ssl/private/
# Set proper permissions
sudo chmod 644 /etc/ssl/certs/yourdomain.com.*
sudo chmod 600 /etc/ssl/private/yourdomain.com.keyEnable SSL Module
bash
# Enable SSL module
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod rewrite
# Restart Apache
sudo systemctl restart apache2Configure Apache Virtual Host
Create SSL Virtual Host
bash
sudo nano /etc/apache2/sites-available/yourdomain.com-ssl.conf
apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /var/www/yourdomain.com/public_html
# SSL Configuration
SSLEngine on
SSLCertificateFile /etc/ssl/certs/yourdomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.com.key
SSLCertificateChainFile /etc/ssl/certs/yourdomain.com.ca-bundle
# Modern SSL Configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
# OCSP Stapling
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Security Headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Logging
ErrorLog ${APACHE_LOG_DIR}/yourdomain.com-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/yourdomain.com-ssl-access.log combined
<Directory /var/www/yourdomain.com/public_html>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
</IfModule>Configure HTTP to HTTPS Redirect
bash
sudo nano /etc/apache2/sites-available/yourdomain.com.conf
apache
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
# Redirect all HTTP traffic to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>Enable Sites and Test
bash
# Enable SSL site
sudo a2ensite yourdomain.com-ssl.conf
# Enable redirect site
sudo a2ensite yourdomain.com.conf
# Test configuration
sudo apache2ctl configtest
# Reload Apache
sudo systemctl reload apache2
# Test SSL certificate
openssl s_client -connect yourdomain.com:443 -servername yourdomain.comStep 5: Configure Firewall
Ubuntu/Debian (UFW)
bash
# Allow HTTP and HTTPS traffic
sudo ufw allow 'Apache Full'
# or for Nginx
sudo ufw allow 'Nginx Full'
# Allow specific ports
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Check status
sudo ufw statusCentOS/RHEL/AlmaLinux (Firewalld)
bash
# Allow HTTP and HTTPS services
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
# Reload firewall
sudo firewall-cmd --reload
# Check status
sudo firewall-cmd --list-allAdvanced SSL Configurations
Perfect Forward Secrecy
Generate DH Parameters
bash
# Generate strong DH parameters (this may take a while)
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048Nginx DH Configuration
nginx
# Add to server block
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ecdh_curve secp384r1;Apache DH Configuration
apache
# Add to virtual host
SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/dhparam.pemCertificate Transparency
Nginx CT Configuration
nginx
# Enable Certificate Transparency
ssl_ct on;
ssl_ct_static_scts /etc/ssl/certs/yourdomain.com/scts;Apache CT Configuration
apache
# Load CT module
LoadModule ssl_ct_module modules/mod_ssl_ct.so
# Enable CT in virtual host
SSLSRPVerifierFile /etc/ssl/certs/yourdomain.com/sctsHTTP Public Key Pinning (HPKP)
bash
# Generate backup key
openssl genrsa -out /etc/ssl/private/backup.key 2048
openssl rsa -in /etc/ssl/private/backup.key -pubout -outform der | openssl dgst -sha256 -binary | base64
# Get current certificate hash
openssl x509 -in /etc/ssl/certs/yourdomain.com.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64Add HPKP header (use with extreme caution):
nginx
# Nginx
add_header Public-Key-Pins 'pin-sha256="current-cert-hash"; pin-sha256="backup-key-hash"; max-age=2592000; includeSubDomains';
apache
# Apache
Header always set Public-Key-Pins 'pin-sha256="current-cert-hash"; pin-sha256="backup-key-hash"; max-age=2592000; includeSubDomains'SSL Certificate Management
Monitor Certificate Expiration
bash
#!/bin/bash
# SSL Certificate Expiration Monitor
DOMAIN="yourdomain.com"
THRESHOLD=30 # Days before expiration to alert
# Get certificate expiration date
EXPIRY_DATE=$(echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -d= -f2)
# Calculate days until expiration
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_UNTIL_EXPIRY=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))
if [ $DAYS_UNTIL_EXPIRY -lt $THRESHOLD ]; then
echo "WARNING: SSL certificate for $DOMAIN expires in $DAYS_UNTIL_EXPIRY days"
# Send alert email
# echo "SSL certificate expiring soon" | mail -s "SSL Alert" [email protected]
fiCertificate Backup
bash
#!/bin/bash
# SSL Certificate Backup Script
BACKUP_DIR="/backup/ssl/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR
# Backup certificate files
cp -r /etc/ssl/private/yourdomain.com $BACKUP_DIR/
cp -r /etc/ssl/certs/yourdomain.com $BACKUP_DIR/
# Create archive
tar -czf $BACKUP_DIR/ssl-certificates-$(date +%Y%m%d).tar.gz -C $BACKUP_DIR .
echo "SSL certificates backed up to $BACKUP_DIR"Certificate Renewal Process
bash
# 1. Generate new CSR (reuse existing private key)
sudo openssl req -new -key /etc/ssl/private/yourdomain.com/yourdomain.com.key -out /etc/ssl/private/yourdomain.com/yourdomain.com-renewal.csr
# 2. Submit CSR to CA for renewal
# 3. Download new certificate
# 4. Replace old certificate files
# 5. Test and reload web serverTesting SSL Installation
Online SSL Testing Tools
- SSL Labs Test: https://www.ssllabs.com/ssltest/
- DigiCert SSL Checker: https://www.digicert.com/help/
- Qualys SSL Test: https://www.ssllabs.com/ssltest/analyze.html
Command Line Testing
bash
# Test SSL handshake
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
# Check certificate details
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text
# Test certificate chain
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts
# Verify certificate matches private key
openssl x509 -noout -modulus -in /etc/ssl/certs/yourdomain.com.crt | openssl md5
openssl rsa -noout -modulus -in /etc/ssl/private/yourdomain.com/yourdomain.com.key | openssl md5Browser Testing
- Visual Indicators: Check for padlock icon and certificate details
- Certificate Information: Click padlock to view certificate details
- Mixed Content: Ensure no mixed content warnings
- Cross-Browser Testing: Test on multiple browsers and devices
Troubleshooting Common Issues
Issue 1: Certificate Chain Incomplete
Symptoms: Browser warnings about untrusted certificate
Solutions:
bash
# Verify certificate chain
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
# Rebuild certificate chain
cat yourdomain.com.crt intermediate.crt root.crt > combined.crt
# Use SSL Labs to verify chainIssue 2: Mixed Content Warnings
Symptoms: Some content loading over HTTP on HTTPS pages
Solutions:
bash
# Find mixed content
grep -r "http://" /var/www/yourdomain.com/
# Update internal links
sed -i 's/http:\/\/yourdomain\.com/https:\/\/yourdomain\.com/g' /var/www/yourdomain.com/public_html/*.html
# Use Content Security Policy
add_header Content-Security-Policy "upgrade-insecure-requests;";Issue 3: Private Key Mismatch
Symptoms: SSL certificate not working after installation
Solutions:
bash
# Verify certificate and key match
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
# Both should produce the same hashIssue 4: Weak SSL Configuration
Symptoms: Low SSL rating or security warnings
Solutions:
bash
# Update SSL protocols
ssl_protocols TLSv1.2 TLSv1.3;
# Use strong ciphers
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
# Disable compression
ssl_compression off;Best Practices
Security Best Practices
- Use Strong Private Keys: Minimum 2048-bit RSA keys
- Disable Weak Protocols: Only TLS 1.2 and 1.3
- Implement HSTS: Force HTTPS connections
- Regular Updates: Keep web servers updated
- Monitor Certificates: Set up expiration alerts
Performance Best Practices
- Enable HTTP/2: Improve performance over HTTPS
- OCSP Stapling: Reduce SSL handshake time
- Session Resumption: Cache SSL sessions
- Compression: Enable gzip/brotli for content
- CDN Integration: Use CDN with SSL support
Management Best Practices
- Certificate Inventory: Maintain list of all certificates
- Renewal Calendar: Track expiration dates
- Backup Strategy: Regular backups of certificates and keys
- Testing Schedule: Regular SSL configuration testing
- Documentation: Detailed installation procedures
Conclusion
Commercial SSL certificates provide enhanced security, trust, and business validation compared to free alternatives. With proper installation and configuration on Nginx or Apache, they deliver enterprise-grade protection for websites and applications.
Key Benefits Achieved
- Enhanced Trust: Organization and extended validation options
- Business Credibility: Professional appearance and user confidence
- Warranty Protection: Financial coverage against certificate misuse
- Premium Support: Dedicated technical assistance
- Mobile Optimization: Excellent compatibility across devices
Certificate Provider Comparison
| Provider | Strengths | Best For |
|---|---|---|
| Sectigo | Cost-effective, quick issuance | Small to medium businesses |
| RapidSSL | Budget-friendly, fast validation | Personal and small business sites |
| DigiCert | Premium features, excellent support | Enterprise and high-traffic sites |
| GlobalSign | Strong reputation, IoT certificates | Corporate and specialized applications |
Performance Impact
Commercial SSL certificates typically provide:
- Faster Validation: Quicker issuance than EV alternatives
- Better Performance: Optimized for modern browsers
- Mobile Compatibility: Enhanced mobile device support
- Global Recognition: Trusted worldwide
Regular monitoring, proper configuration, and timely renewal ensure your commercial SSL certificates continue to provide optimal security and performance for your web applications and business operations.
Whether you choose Sectigo PositiveSSL for cost-effectiveness, RapidSSL for quick deployment, or DigiCert for premium features, following this guide ensures professional SSL implementation on both Nginx and Apache web servers.