When you are emailed your Digi-SSL™ certificate, two other certificates will also be attached to the email. Should they be required, you may download these certificates individually or collectively as a bundled file below:
(needed for Apache & Plesk Administrator installations)
NOTE: You must install both the bundle CA [9] certificate and your server certificate to provide secure access to your Web server.
On start-up, Stronghold loads CA certificates from the file specified by the SSLCACertificateFile entry in its 'httpd.conf' file.
You will receive an email from Digi-Sign with the certificate in the email (yourdomainname.cer). When viewed in a text editor, your certificate will look something like:
Copy your Certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labelled private.key and the public key will be yourdomainname.cer.
It is recommended that you make the directory that contains the private key file only readable by root.
Log in to the Administrator console and select the site that the certificate was requested for.
Select Services, then Actions next to Apache Web Server and then SSL Settings. There should already be a 'Self Signed' certificate saved.
Select 'Import' and copy the text from the yourdomainname.cer file into the box.
Select 'Save'; the status should now change to successful.
Log out. Do not select Delete, as this will delete the installed certificate.
You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. As well as your SSL certificate (yourdomainname.cer), two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt, are also attached to the email from Digi-Sign. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.
In the Virtual Host settings for your site, in the virtual site file, you will need to add the following SSL directives. This may be achieved by:
2. Add the following line to the virtual host file under the virtual host domain for your site (assuming /etc/httpd/conf is the directory mentioned in 1.). If the line already exists, amend it to read the following:
SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt
If you are using a different location and certificate file names you will need to change the path and filename to reflect this.
The SSL section of the updated virtual host file should now read similar to this example (depending on your naming and directories used):
Save your virtual host file and restart Apache.
You are now all set to start using your Digi-Sign certificate with your Apache Ensim configuration.
Go to the Server Management screen.
Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the SSL enabled virtual site.
Click SSL Settings on the left side.
Copy the entire contents of the site certificate that you received, including
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
Paste the new certificate information that you copied into the "Certificate" window.
Select Use manually entered certificate from the pull-down menu at the bottom.
Click Save Changes.
You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. As well as your site certificate (yourdomainname.cer), two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt, are also attached to the email from Digi-Sign. Cobalt users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.
Download a Bundled cert file
The following will require that you access the httpd config file. This may be achieved by telnetting into your webserver.
In the Global SSL settings, in the httpd.conf file, you will need to add the following SSL directive.
This may be achieved by:
Copying the bundle file to the same directory as httpd.conf (this contains all of the ca certificates in the Digi-Sign chain).
Add the following line to httpd.conf. If the line already exists, amend it to read the following:
SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt
NOTE: If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.
1. After you receive your SSL certificate, first visit our web site and download the site file and the bundle file (rootchain) certificates to a secure location.
2. Click SSL on your control panel home page.
3. Go to the Web Service page and click the Edit icon in the SSL field.
4. In the form that opens, enter the SSL certificate into the box Install Certificate based on previously generated Certificate request and click Upload:
5. Enter the rootchain (bundle) certificate into the box Certificate Chain File and click Install:
6. Now you can use the SSL certificate.
IKEYMAN for Certificate Installation
Digi-Sign sends more than one certificate. In addition to the certificate for your server, Digi-Sign sends an Intermediate CA Certificate (the Digi-Sign certificate) and a Root CA Certificate (UTN-USERFirst-Hardware). Before installing the server certificate, install both of these certificates. Follow the instructions in 'Storing a CA certificate'.
NOTE: If the authority who issues the certificate is not a trusted CA in the key database, you must first store the CA certificate and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA who is not a trusted CA. For instructions see 'Storing a CA certificate'.
Storing a CA Certificate:
To receive the CA-signed certificate into a key database:
Requires the certificates to be merged into the Key Ring file. This process must be completed for all three certificates provided.
For additional information, refer to your server documentation.
Please note: To meet the most recent security standards [10], we strongly advise updating all servers running MS IIS 4.x with the most recent Service Packs for Windows NT 4.
We also advise upgrading MS Internet Explorer on the server to at least version 5.5 Service Pack 2.
You will have received 3 Certificates from Digi-Sign. Save these Certificates to the desktop of the web server machine, then:
Important: You must now restart the computer or the IISAdmin Service to complete the installation
You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site
Follow these instructions to install your SSL server certificate:
Important: You must now restart the computer or the IISAdmin Service to complete the installation
You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site
You must first export the SSL certificate of the IIS 4.x / IIS 5.x / IIS 6.x Web site with the associated Private Key. If you do not have this key, ISA server will not allow you to use this certificate for SSL:
NOTE: If you do not have the option to export the Private key then the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
NOTE: Ensure that you keep the file safe; the SSL protocol depends upon this file.
Copy the file that you created to ISA Server.
On the ISA Server, open the MMC:
Now you will need to import the root and intermediate certificates.
On the Microsoft ISA Server:
To install the UTN-USERFirst-Hardware.crt Certificate:
To install the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt:
Important: You must now restart the computer to complete the install.
Under the Personal folder, when a subfolder called 'Certificates' is displayed, click "Certificates" and verify that there is a certificate with the name of the Web computer.
Right-click the certificate and then click Properties.
If the 'Intended Purposes' field of the certificate is set to 'All' rather than a list of specific purposes, the following steps must be followed before ISA Server can recognize the certificate:
In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all of the items, and then click Apply.
Open the ISA Manager and complete the SSL install:
Restart ISA Server.
You will have received 3 Certificates from Digi-Sign. Save these Certificates to the desktop of the webserver machine, then:
Important: You must now restart the computer or the IISAdmin Service to complete the installation
When you receive your certificates from Digi-Sign there will be your site certificate (named yourdomain.cer) plus 2 others (UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt). These 2 must be installed as a Trusted Certificate Authority [9] CA and Certificate Chain.
*** Install the SSL Certificate ***
On Ironport's operating system, Async 5.5, you can't install the SSL certificate via the GUI. You must log in to the command line (CLI). You can SSH into the CLI and type the following command sequence:
ironport> certconfig
[]> setup
ironport output: paste cert in PEM format (end with '.'):
Copy and paste the .crt/.cer file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. If you're using Windows, you may need to open this file with WordPad/Notepad.
ironport output: paste key in PEM format (end with '.'):
Copy and paste the server.key.PEMunsecure file.
If you received an intermediate CA certificate, you need to perform an additional step:
ironport output: Do you want to add an intermediate certificate? [N]> Y
Copy and paste the contents of the intermediate CA certificate file here.
ironport>commit
When you receive your certificates from Digi-Sign there will be your site certificate (named yourdomain.cer) plus 2 others (UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt). These 2 must be installed as a Trusted Certificate Authority [9] CA and Certificate Chain.
1. Select the Install Certificate link on the left side of the page.
2. Select the Security Tab.
3. On the left frame, choose the Install Certificate link.
Select Trusted Certificate Authority CA, enter the password and copy the text from the
UTN-USERFirst-Hardware to the Message Text box (including the BEGIN and END lines), then click 'OK'.
Accept the certificate.
NOTE: Do not shut down or restart the server until all steps have been completed.
Repeat the steps from above using the text from the Digi-Sign CA Digi-SSL Xs™ or Digi-Sign CA Digi-SSL Xp™ and choosing the 'Certificate Chain' option.
4. Fill out the form to install your certificate:
5. Choose Message text (with headers) and paste the text you copied from your certificate file: your_domain.cer
6. Click the OK button at the bottom of the page.
7. If everything looks correct, click the Add Server Certificate button.
1. Click the Preferences tab near the top of the page.
2. Select the Edit Listen Sockets link on the left frame.
a. Alter the following fields:
b. Click the OK button to apply these changes.
In the security field of the Edit Listen Sockets page, there should now be an Attributes link.
3. Click the Attributes link.
4. Enter the user@realm-name password to authenticate to the user@realm-name on the system.
5. Select SSL settings from the pop-up window.
6. Select the certificate for the user@realm-name followed by: Server-Cert (or the name you chose if it is different).
7. When you have chosen a certificate and confirmed all the security settings, click the OK button.
8. Click the Apply link in the far upper right corner to apply these changes before you start your server.
9. Click the Load Configuration Files link to apply the changes.
If you click the Apply Changes button when the server is off, a pop-up window prompts you for a password. This window is not resizable, and you might have a problem submitting the change.
There are two workarounds for the problem noted above:
10. Provide the requested passwords in the dialog boxes to start the server.
11. At the Module user@realm-name prompt, enter the password you set when you created the user in the realm-name using secadm.
12. Verify the new SSL-enabled web server at the following URL:
Note that the default server_port is 443.
When you receive your Digi-SSL™ [2] certificate back from Digi-Sign, it will be encrypted with your public key so that only you can decrypt it. Only by entering the correct password for your trust database can you decrypt and install your certificate.
There are three types of certificates:
A certificate chain is a hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, and so on, up to a Root CA.
The server will use the key-pair file password you specify to decrypt the certificate when you install it. You can either save the certificates somewhere accessible to the server, or copy them in a text format and be ready to paste them into the Install Certificate form, as described here.
Installing a Certificate
To install a certificate, perform the following steps:
1. Access either the Administration Server or the Server Manager and choose the Security tab.
2. Click the Install Certificate link.
3. Check the type of certificate you are installing:
4. Select the Cryptographic Module from the drop-down list.
5. Enter the Key-Pair File Password.
6. Leave the name for the certificate field blank if it is to be the only one used for this server instance, unless:
7. Select either:
8. Click OK.
9. Select either:
10. Repeat steps 2 to 9 for each individual certificate you received from Digi-Sign, and ensure you select the correct certificate type for the certificate that you are installing. We recommend that you install certificates in the following order:
11. For the Server Manager, click Apply, and then Restart for changes to take effect.
Important: Installation is a two-step process - ensure you follow both steps listed below:
If you have already obtained a certificate containing the private key and certificate part (and maybe a CA certificate), follow these steps to upload it:
You can upload an existing certificate in two ways:
Uploading a CA certificate
The Digi-Sign CA [9] Digi-SSL Xs or Digi-Sign CA Digi-SSL Xp is the CA Certificate, or rootchain certificate. The CA Certificate is used to identify and authenticate the certificate authority that has issued your SSL certificate. To upload your CA Certificate, follow these steps:
NOTE: When you add a certificate, it is not installed automatically onto the domain or assigned to an IP address, but only added to the Certificate repository. You can assign a certificate to an IP address at the Client's IP pool.
9. Click the 'Send Text' button.
10. Now click 'Up Level' from the top right of the screen and choose 'Setup'.
11. At the top of the page, change the 'SSL Certificate' drop-down menu to the certificate you have just installed.
12. Click the 'Server' item from the left hand menu.
13. Click on the 'Service Management' menu item.
14. You now need to Stop and Start the Apache process.
NOTE: Restarting Apache will NOT work. You must stop the service, then start it again to complete the installation.
When you receive your certificates you need to store them in the mydomain directory.
NOTE: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.
To use a certificate chain, append the additional PEM-encoded digital certificates to the digital certificate of the authority that issued the certificate for the WebLogic Server (the intermediate CA certificate). The last digital certificate in the file chain will be the Root certificate, which is self-signed (example below):
-----BEGIN CERTIFICATE-----
MIIB+jCCAWMCAgGjMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNVBAYTAlVTMRgwFgYD
.....(your Intermediate CA certificate).....
bW1EDp3zdHSo1TRJ6V6e6bR64eVaH4QwnNOfpSXY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIQMKeebbHpGVqxyFDTln1j1TANBgkqhkiG9w0BAQUFADBv
.....(your Root CA certificate).....
WjEZgqr9NaoNZCZpyfZxPsOFYzoxLYEmJs3AJHxkhIHg6YQU
-----END CERTIFICATE-----
Configure WebLogic Server to use the SSL protocol; you need to enter the following information on the SSL tab in the Server Configuration window:
Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received into the mydomain directory. Private key files and digital certificates are generated in either PEM or Distinguished Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:
NOTE: Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.
The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain. A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file.
NOTE: If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER format files to PEM format, and vice versa.
When your certificate is issued you will receive 4 certificates:
Yourdomain.cer
Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt
UTN-USERFirst-Hardware.crt
When you have chosen your cipher settings, click Save again to send the information to the server.
When you receive your certificates there will be 3 files. Open a text editor and copy the text from each certificate into the text editor to form one file. The certificates should be pasted in the following sequence: your site certificate named yourdomain.cer, then Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt, then UTN-USERFirst-Hardware.crt. The resulting file should look like the following:
-----BEGIN CERTIFICATE-----
(Class3CertificateAuthority Encoded Text)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(TrustRootCertificateAuthority Encoded Text)
-----END CERTIFICATE-----
Please note: Make sure you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- as displayed above.
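The pasting order described above (site certificate, then the intermediate CA certificate, then the self-signed root, which is also the rule given for the WebLogic chain file) can be checked before the combined text is submitted to the server. The following Python script is an added example, not Digi-Sign code: it compares issuer and subject names only and does not verify signatures, and the sample certificates and their names are constructed placeholders with no real keys.

```python
import base64
import re
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_CERT = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)   # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:           # optional explicit [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]  # order: serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_text):
    """Return a list of problems; empty means each certificate precedes its issuer."""
    if pem_text.count(BEGIN) != pem_text.count(END):
        return ["unbalanced BEGIN/END CERTIFICATE lines"]
    names = [issuer_and_subject(base64.b64decode("".join(body.split())))
             for body in PEM_CERT.findall(pem_text)]
    if not names:
        return ["no certificate found"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed")
    return problems

# Constructed sample data: structure-only certificates (no real keys or signatures).
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def name(cn):
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def sample_cert(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"

if __name__ == "__main__":
    site = sample_cert("Example Intermediate CA", "www.example.test")
    ca = sample_cert("Example Root CA", "Example Intermediate CA")
    root = sample_cert("Example Root CA", "Example Root CA")
    print(check_chain_order(site + ca + root), check_chain_order(site + root + ca))
```

To check a real file, pass its text to check_chain_order(); an empty list means the order matches the sequence given above.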
1. Log in to the web server.
2. Select SSL certificates
3. Select Generate CSR [14] (or Replace Certificate) against the certificate set
4. Copy/Paste the text from the text editor into the Signed Certificate box and click OK.
5. Then select Accept this Certificate
6. The certificate set now needs assigning to the web site. Click on the Home icon. Put a tick in the box next to the virtual server to configure and select configure.
7. Click on SSL Enabled.
8. Enable SSL and select the certificate set to use.
9. Apply and commit the changes then restart the web server.
Links:
[1] https://www.digi-sign.com/downloads/download.php?id=aacd-digi-ssl-pdf
[2] http://www2.digi-sign.com/digi-ssl
[3] http://www2.digi-sign.com/download/certificate/UTN-USERFirst-Hardware.crt
[4] http://www2.digi-sign.com/download/certificate/Digi-SignCADigi-SSLXs.crt
[5] http://www2.digi-sign.com/download/certificate/Digi-SSLXsCA_Chain.pem
[6] http://www2.digi-sign.com/download/certificate/Digi-SignCADigi-SSLXp.crt
[7] http://www2.digi-sign.com/download/certificate/Digi-SSLXpCA_Chain.pem
[8] http://www.digi-sign.com/support/digi-ssl/install%20certificate/index
[9] http://www2.digi-sign.com/certificate+authority
[10] http://www2.digi-sign.com/compliance/introduction
[11] http://www.yourdomain.com
[12] https://hostname.domain:
[13] https://myhost.yoursitename.com
[14] http://www2.digi-sign.com/support/digi-ssl/generate+csr