Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)

By Digi-Sign

Created Feb 18 2008 - 14:07

Digi-SSL™ Certificates

Digi-SSL™ Support

This is the main Digi-SSL™ Support page and provides all the main support pages you require to own and use your Digi-SSL™ Certificates.

Important Note:

Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]

Digi-SSL™ Support Search Facility

You can browse this Support Directory or you can view the Digi-SSL™ KnowledgeBase [2] that contains specific Questions & Answers [Q&A](this is free today but will be a 'Subscription Only' service soon).

Alternatively, you may wish to search all of the Digi-SSL™ pages using the search facility below.

Search all Digi-SSL™ pages

You can return 'Up' to the main Support section of the entire site or continue browsing by using the links below. And remember, to get the most extensive help file access and or to contribute, Login [3] or Register [4].

CSR Generation

Important Note:

How to generate a Certificate Signing Request [CSR] on a server

The first part of enrolling for your Digi-SSL™ [5] Certificate is to generate a Certificate Signing Request [CSR]. CSR generation is wholly dependent on the software you use on your webserver. Select your webserver software from the list below after reading the following general points:

General Points to remember before creating your CSR

The Common Name field should be the Fully Qualified Domain Name [FQDN] or the web address for which you plan to use your Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, a Digi-SSL™ Certificate issued for digi-sign.com will not be valid for secure.digi-sign.com. If the web address to be used for SSL is secure.digi-sign.com, ensure that the common name submitted in the CSR is secure.digi-sign.com

If your webserver software does not appear on the list, please contact support [6] with full details of your webserver software and we will contact you with further instructions.

Apache Mod_SSL

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

OpenSSL

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Cobalt RaQ4/XTR

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Apache via Ensim Webppliance 3.1.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Stronghold Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Hsphere

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

IBM HTTP Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Java Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Tomcat Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Lotus Domino Server versions 4.6x and 5.0x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft IIS 4.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft IIS 5.x / 6.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft IIS 7 Server 2008

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft ISA 2000 Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft Office Communications Server [OCS] 2007

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Microsoft SMTP Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Ironport

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

I-Planet Web Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

I-Planet Web Server 6.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Sun ONE 6.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Oracle Web Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Plesk Server Administrator 2.5

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Plesk 5.0

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Plesk 6.0

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Plesk 7.0

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Plesk 7.5

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

BEA Systems Weblogic

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Website Pro 3.x

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

WS FTP Server

Important Note:: Effective 1 January 2011, we will no longer support any Certificate Signing Request [CSR] generated with a 1024 bit key. This is because NIST, PKIX, WebTrust and other respective security standards no longer consider the 1024 bit key size as secure. Read more > [1]
Instructions

Zeus

Important Note:

Login to the web server

Install Digi-SSL™

How to install your Digi-SSL™ certificate on the server: [22] The final part of your Digi-SSL™ [5] application is the installation of your certificate. Installation of your Digi-SSL™ Certificate will differ greatly dependent on your webserver software. Select your webserver software from the list after reading the following general points:
General Points to remember:

Installing Apache Mod SSL

Step-by-Step Instructions

Step one: Copy your certificate to file

You will receive an email from Digi-Sign with the certificate in the email (yourdomainname.cer or yourdomainname.crt). When viewed in a text editor, your certificate will look something like:

Copy your Certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labelled private.key and the public key will be yourdomainname.cer.

It is recommended that you make the directory that contains the private key file only readable by root.

Step two: Install the Intermediate Certificates

You will need to install the chain certificates (intermediates) in order for browsers to trust your certificate. As well as your SSL certificate (yourdomainname.cer) two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt, are also attached to the email from Digi-Sign.

Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method. You can download the correct Apache bundled CA file for your SSL server certificate here [28].

In the Virtual Host settings for your site, in the httpd.conf file, you will need to complete the following:

2. Add the following line to SSL section of the httpd.conf (assuming /etc/httpd/conf is the directory to where you have copied the bundlecafilename.pem file). If the line already exists amend it to read the following:

SSLCACertificateFile /etc/httpd/conf/ca-bundle/bundlecafilename.txt

If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):

Apache OpenSSL

Step by Step Instructions

Step one: Copy your certificate to file

You will receive an email from Digi-Sign with the certificate in the email (yourdomainname.cer). When viewed in a text editor, your certificate will look something like:

It is recommended that you make the directory that contains the private key file only readable by root.

Step two: Install the Intermediate Certificates

You will need to install the chain certificates (intermediates) in order for browsers to trust your certificate. As well as your SSL certificate (yourdomainname.cer) two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt, are also attached to the email from Digi-Sign.

Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.

In the Virtual Host settings for your site, in the httpd.conf file, you will need to complete the following:

2. Add the following line to SSL section of the httpd.conf (assuming /etc/httpd/conf is the directory to where you have copied the ca.txt file). if the line already exists amend it to read the following:

SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt

If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):

Save your httpd.conf file and restart Apache.

Java Server

The certificates you receive will be:

These must be imported in the correct order:

Use the keytool command to import the certificates as follows:

For Digi-SSL Xp™ Certificates
Keytool -import -trustcacerts -alias INTER -file Digi-SignCADigi-SSLXp.crt -keystore domain.key

For Digi-SSL Xs™ Certificates
Keytool -import -trustcacerts -alias INTER -file Digi-SignCADigi-SSLXs.crt -keystore domain.key

If you are using an alias then please include the alias command in the string. Example:

The password is then requested.

Enter keystore password: (This is the one used during CSR creation)
The following information will be displayed about the certificate and you will be asked if you want to trust it (the default is no so type 'y' or 'yes'):

Then an information message will display as follows:

All the certificate are now loaded and the correct root certificate will be presented.

You will need to amend your configuration to use the new keystore file you created.

Update server.xml configuration file:

2. Find the following section:

<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
port="443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true";
clientAuth="false" sslProtocol="TLS" keystoreFile="domain.key"
keystorePass="YOUR_KEYSTORE_PASSWORD" />

After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL.

Tomcat Server

The certificates you receive will be:

These must be imported in the correct order:

Use the keytool command to import the certificates as follows:

For Digi-SSL Xp™ Certificates
Keytool -import -trustcacerts -alias INTER -file Digi-SignCADigi-SSLXp.crt -keystore domain.key

For Digi-SSL Xs™ Certificates
Keytool -import -trustcacerts -alias INTER -file Digi-SignCADigi-SSLXs.crt -keystore domain.key

If you are using an alias then please include the alias command in the string. Example:

The password is then requested.

Then an information message will display as follows:

All the certificate are now loaded and the correct root certificate will be presented.

You will need to amend your configuration to use the new keystore file you created.

Update server.xml configuration file:

2. Find the following section:

After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL.

C2Net Stronghold

NOTE: You must install both the bundle CA [9] certificate and your server certificate to provide secure access to your Web server.

Get bundle CA file

On start-up, Stronghold loads CA certificates from the file specified by the SSLCACertificateFile entry in its 'httpd.conf' file.

To install the bundle CA certificate, reference it in the httpd.conf file.
Ensure that you have saved the bundle CA certificate as a text file.
Open your 'httpd.conf' file and find the SSLCACertificateFile entry. By default the entry will be SSLCACertificateFile='/ssl/CA/client-rootcerts.pem'. You will find 'httpd.conf' in the directory /conf.
Open the file identified by SSLCACertificateFile (for example, /ssl/CA/client-rootcerts.pem) in a text editor.
Open the file that contains the bundle CA certificate (ca_new.txt) in a text editor.
Copy the bundle CA certificate (including the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines to the clipboard.
Paste the bundle CA certificate into the file identified by SSLCACertificateFile. In most cases you will want to insert the bundle CA certificate at the end of the file and add a comment to identify the certificate.
Save the modified file and close the text editor.
Restart your web server.

To install your server certificate:

Save your server certificate as a text file.
Install the new certificate using getca, this utility is normally installed in /bin:
Getca myhostname < /server certificate file location and name
Where: myhostname is the common name of the Web server for which the certificate was requested (this is the same as specified when you ran genkey) and '/server certificate file location and name' is the name of the server certificate file. This will save the certificate in the file /ssl/certs/myhostname.cert
Restart your web server

Apache via Ensim Webappliance 3.1.x

Step by Step Instructions

Step one: Loading the Site Certificate

You will receive an email from Digi-Sign with the certificate in the email (yourdomainname.cer). When viewed in a text editor, your certificate will look something like:

It is recommended that you make the directory that contains the private key file only readable by root.

Select Services, then Actions next to Apache Web Server and then SSL Settings. There should already be a 'Self Signed' certificate saved.

Select 'Import' and copy the text from the yourdomainname.cer file into the box

Select 'Save', the status should now change to successful.

Logout, do not select delete as this will delete the installed certificate.

Step two: Install the Intermediate/Root Certificates

You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. As well as your SSL certificate ( yourdomainname.cer) two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt, are also attached to the email from Digi-Sign. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.

Download a Bundled cert file

In the Virtual Host settings for your site, in the virtual site file, you will need to add the following SSL directives. This may be achieved by:

2. Add the following line to the virtual host file under the virtual host domain for your site (assuming /etc/httpd/conf is the directory mentioned in 1.), if the line already exists amend it to read the following:

SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt

If you are using a different location and certificate file names you will need to change the path and filename to reflect this.
The SSL section of the updated virtual host file should now read similar to this example (depending on your naming and directories used):

Save your virtual host file and restart Apache.
You are now all set to start using your Digi-Sign certificate with your Apache Ensim configuration.

Certificate on a Cobalt RaQ4/XTR

Installing the site certificate

Go to the Server Management screen.
Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the SSL enabled virtual site
Click SSL Settings on the left side.
Copy the entire contents of the site certificate that you received, including

Install the Intermediate Certificates

You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. As well as your site certificate (yourdomainname.cer) two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt,, are also attached to the email from Digi-Sign. Cobalt users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.

Download a Bundled cert file

The following will require that you access the httpd config file. This may be achieved by telnetting into your webserver.
In the Global SSL settings, in the httpd.conf file, you will need to add the following SSL directive.
This may be achieved by:
Copying the bundle file to the same directory as httpd.conf (this contains all of the ca certificates in the Digi-Sign chain).
Add the following line to httpd.conf, if the line already exists amend it to read the following:

SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt

NOTE: If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

Hsphere

Installing your Certificate on Hsphere

1. After you receive your SSL certificate, firstly visit our web site download site file and the bundle file (rootchain) certificates to a secure location.

2. Click SSL on your control panel home page.

3. Go to the Web Service page and click the Edit icon in the SSL field.

4. In the form that opens, enter the SSL certificate into the box Install Certificate based on previously generated Certificate request and click Upload:

5. Enter the rootchain (bundle) certificate into the box Certificate Chain File and click Install:

6. Now you can use the SSL certificate.

IBM HTTP Server

Installing certifications on IBM HTTP Server

IKEYMAN for Certificate Installation

Digi-Sign sends more than one certificate. In addition to the certificate for your server Digi-Sign send an Intermediate CA Certificate (the Digi-Sign certificate) and a Root CA Certificate (UTN-USERFirst-Hardware). Before installing the server certificate, install both of these certificates. Follow the instructions in 'Storing a CA certificate'.

NOTE:If the authority who issues the certificate is not a trusted CA in the key database, you must first store the CA certificate and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA who is not a trusted CA. For instructions see 'Storing a CA certificate'

Storing a CA Certificate:

Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select "Key Database File" from the main User Interface, select Open.
In the Open dialog box, select your key database name. Click OK.
In the Password Prompt dialog box, enter your password and click OK.
Select "Signer Certificates" in the Key Database content frame, click the Add button.
In the Add CA Certificate from a File dialog box, select the certificate to add or use the Browse option to locate the certificate. Click OK.
In the Label dialog box, enter a label name and click OK.

To receive the CA-signed certificate into a key database:

Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select "Key Database File" from the main User Interface, select Open.
In the Open dialog box, select your key database name. Click OK.
In the Password Prompt dialog box, enter your password, click OK.
Select Personal Certificates in the Key Database content frame and then click the Receive button.
In the Receive Certificate from a File dialog box, select the certificate file. Click OK.

Lotus Domino Server v4.6x & v5.0x

Installing certificates on Lotus Domino Server

Requires the certificates to be merged into the Key Ring file. This process must be completed for all three certificates provided.

In Notes, from the administration panel, click System Databases and choose Open Domino Server Certificate Administration (CERTSRV.NSF) on the local machine.
Click Install Certificate into Key Ring.
Enter the file name for the Key Ring that will store this certificate. The Key Ring file was created when you created the server Certificate Signing Request.
Detach the file from the email to your hard drive and unzip it.
Select File in the "Certificate Source" field. Enter the file name in the file name field.
Click "Merge Certificate into Key Ring."
Enter the password for the server key ring file and click OK to approve the merge.

For additional information, refer to your server documentation.

Microsoft IIS 4.x

Please note: To meet the most recent security standards [29], we strongly advise to update all servers running MS IIS 4.x with the most recent Service Packs for Windows NT 4.
We also advise to perform an upgrade on the server, of the MS Internet Explorer to at least version 5.5 Service Pack 2.

Step 1. Install the Server file certificate using Key Manager

Go to Key Manager

Install the new Server certificate by clicking on the key in the www directory (usually a broken key icon with a line through it), and select "Install Key Certificate".

Enter the Password

When you are prompted for bindings, add the IP and Port Number. "Any assigned" is acceptable if you do not have any other certificates installed on the web server.
Note: Multiple certificates installed on the same web server will require a separate IP Address for each because SSL does not support host headers.

Go to the Computers menu and select the option "Commit Changes", or close Key Manager and select "Yes" when prompted to commit changes.

The new Server certificate is now successfully installed.

Back up the Key in Key Manager by clicking on Key menu> Export -> Backup File. Store the backup file on the hard drive AND off the server.

Step 2: Installing the Root & Intermediate Certificates:

Your Certificate will have been emailed to you. The email will also contain two other Certificates: UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt - save these Certificates to the desktop of the web server machine.

It is essential that you have installed these two Certificates on the machine running IIS4. You may also download them below:

> UTN-USERFirst-Hardware.crt
> Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt

Once you have installed the Certificates, restart the machine running IIS4. You must now complete one of the following procedures - the procedure you follow is dependent on the Service Pack that has been implemented on your machine running IIS4.

ServicePack 3:
Install the above certificates in your Internet Explorer by opening each certificate and clicking "Install Certificate". You may then use this IISCA batch file to transfer all root certificates from your Internet Explorer to the IIS (see Microsoft KnowledgeBase Q216339).

ServicePack 4:
Install the above certificates manually in a specific root store (you may also want to read (see Microsoft KnowledgeBase Q194788):

Repeat the same for the Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt , however choose to place the certificates in the Intermediate Certification Authorities store.

ServicePack 5:
Same as SP4.

ServicePack 6:
Same as SP5.

Reboot the web server to complete the installation.

Microsoft IIS 5.x / 6.x

Installing the Root & Intermediate Certificates

You will have received 3 Certificates from Digi-Sign. Save these Certificates to the desktop of the web server machine, then:

Click the Start Button then select Run and type mmc
Click File and select Add/Remove Snap in
Select Add, select Certificates from the Add Standalone Snap-in box and click Add
Select Computer Account and click Finish
Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in
Return to the MMC
To install the UTN-USERFirst-Hardware.crt Certificate:

Right click the Trusted Root Certification Authorities, select All Tasks, and select Import.

Click Next.

Locate the UTN-USERFirst-Hardware.crt Certificate and click Next.
When the wizard is completed, click Finish.
To install the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt:

Right click the Intermediate Certification Authorities, select All Tasks, and select Import.
Complete the import wizard again, but this time locating the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt when prompted for the Certificate file.
Ensure that the UTN-USERFirst-Hardware root certificate appears under Trusted Root Certification Authorities
Ensure that the Digi-Sign CA Digi-SSL Xs or Digi-Sign CA Digi-SSL Xp appears under Intermediate Certification Authorities

Installing your SSL Certificate:

Select Administrative Tools
Start Internet Services Manager

Open the properties window for the website. You can do this by right clicking on the Default Website and selecting Properties from the menu.
Open Directory Security by right clicking on the Directory Security tab

Click Server Certificate. The following Wizard will appear:

Choose to Process the Pending Request and Install the Certificate. Click Next.
Enter the location of your certificate (you may also browse to locate your certificate), and then click Next.
Read the summary screen to be sure that you are processing the correct certificate, and then click Next.
You will see a confirmation screen. When you have read this information, click Next.
You now have a server certificate installed.

Important: You must now restart the computer or the IISAdmin Service to complete the installation

You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site

Microsoft IIS 7 Server 2008

Follow these instructions to install your SSL server certificate:

Your SSL server certificate will be sent to you by email. The email message includes the web server certificate that you purchased in the body of the email message. Copy the certificate from the body of the email and paste it into a simple text editor, such as Notepad
Save this as yourdomain.cer on your desktop or other location where you can find it later
Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager
In the IIS Manager, select the server node on the top left under Connections
In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view)
From the Actions pane on the top right, select Complete Certificate Request
On the Complete Certificate Request page browse to the SSL certificate file yourdomain.cer that you saved from step 2. Don't worry if your file saved as yourdomain.cer.txt, just change the Files of type drop down to browse for files of type *.*
Next, type a friendly name for the certificate in the Friendly name box, and then click OK. Something like www.yourdomain.com [15] will do
Your SSL server certificate is now installed on your server and you should see it listed in the Server Certificates view. Now you will need to configure your web site to use the certificate
If you have only one web site it will mostly likely be listed in IIS 7 as the Default web site. Select and right-click on the Default web site and select Edit Bindings. If you only see 'http' under the Type column of the Web Site Bindings dialog box click the Add button and select 'https' from the drop down box under Type. Then select the name of the SSL certificate from the SSL certificate list that you just installed and click Ok. Then click Close to complete the
Edit Bindings wizard

Important: You must now restart the computer or the IISAdmin Service to complete the installation

You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site

Microsoft ISA 2000 Server

Instructions to install certificates on Microsoft ISA 2000 Server

You must first export the SSL certificate of the IIS 4.x / IIS 5.x / IIS 6.x Web site with the associated Private Key. If you do not have this key, ISA server will not allow you to use this certificate for SSL:

NOTE: If you do not have the option to export the Private key then the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.

NOTE: Ensure that you keep the file safe the SSL protocol depends upon this file.

Copy the file that you created to ISA Server.

On the ISA Server, open the MMC:

Now you will need to import the root and intermediate certificates.

On the Microsoft ISA Server:

To install the UTN-USERFirst-Hardware.crt Certificate:

To install the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt:

Right click the Intermediate Certification Authorities, select All Tasks, select Import
Complete the import wizard again, but this time locating the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt when prompted for the Certificate file
Ensure that the UTN-USERFirst-Hardware.crt certificate appears under Trusted Root Certification Authorities
Ensure that the ComodoSecurityServicesCA appears under Intermediate Certification Authorities
You may need to reboot the ISA server so the registry changes could take affect

Important: You must now restart the computer to complete the install.

Under the Personal folder, when a subfolder called 'Certificates' is displayed, click "Certificates" and verify that there is a certificate with the name of the Web computer.

Right-click the certificate and then click Properties.

If the 'Intended Purposes' field of the certificate is set to 'All' rather than a list of specific purposes, the following steps must be followed before ISA Server can recognize the certificate:

In the Certificate Services snap-in, open the Properties dialog box of the relevant certificate. Change the Enable all purposes for this certificate option to the Enable only the following purposes option, select all of the items, and then click Apply.

Open the ISA Manager and complete the SSL install:

Right-click the server accepting the incoming connection, and click Properties.
Click the Incoming Web Requests tab.
Click the Internet Protocol (IP) address entry for the site that you are going to host, or the 'all IP addresses' entry if you do not have individual IP addresses set up.
Click Edit.
Click to select the Use a server certificate to authenticate to web users check box.
Click Select.
Select your previously imported certificate.
Click OK.
Click to select the Enable SSL listeners check box.
Expand the 'Publishing' folder and click on Web Publishing Rules.
Double click on the Web Publishing Rule that will route the SSL traffic.
On the Bridging tab, choose the option to Redirect SSL requests as: 'HTTP requests (terminate the secure channel at the proxy)'. Click OK.

Restart ISA Server.

Microsoft SMTP Server

1. Installing the Root & Intermediate Certificates

You will have received 3 Certificates from Digi-Sign. Save these Certificates to the desktop of the webserver machine, then:

Click the Start Button then select Run and type mmc
Click File and select Add/Remove Snap in
Select Add, select Certificates from the Add Standalone Snap-in box and click Add
Select Computer Account and click Finish
Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in
Return to the MMC
To install the UTN-USERFirst-Hardware.crt Certificate:

Right click the Trusted Root Certification Authorities, select All Tasks, select Import.

Click Next.

Locate the UTN-USERFirst-Hardware.crt Certificate and click Next.
When the wizard is completed, click Finish.
To install the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt:

Right click the Intermediate Certification Authorities, select All Tasks, select Import.
Complete the import wizard again, but this time locating the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt when prompted for the Certificate file.
Ensure that the UTN-USERFirst-Hardware root certificate appears under Trusted Root Certification Authorities
Ensure that the Digi-Sign CA Digi-SSL Xs or Digi-Sign CA [9] Digi-SSL Xp appears under Intermediate Certification Authorities

Installing your SSL Certificate:

Select Administrative Tools
Start Internet Services Manager

Open the properties window for the SMTP Server the Certificate is for. You can do this by right clicking on the Default SMTP Virtual Server and selecting Properties from the menu
Open Access by clicking the Access tab.

Click Certificate. The following Wizard will appear:

Choose to Process the Pending Request and Install the Certificate. Click Next.

Enter the location of your certificate (you may also browse to locate your certificate), and then click Next.

Read the summary screen to be sure that you are processing the correct certificate, and then click Next.

You will see a confirmation screen. When you have read this information, click Finish.
You now have a server certificate installed.

2. Configuring SMTP Secure Communications:

Important: You must now restart the computer or the IISAdmin Service to complete the installation

Ironport

When you receive your certificates from Digi-Sign there will be your site certificate (named yourdomain.cer) plus 2 others (UTN-USERFirst-Hardware.crt and
Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt), these 2 must be installed as a Trusted Certificate Authority [9] CA and Certificate Chain.

*** Install the SSL Certificate ***

On Ironport's operating system, Async 5.5, you can't install the SSL certificate via the GUI. You must login to the command line (CLI). You can SSH into the CLI and type the following command sequence:

ironport> certconfig
[]> setup
ironport output: paste cert in PEM format (end with '.'):

Copy and paste the .crt/.cer file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. If you're using windows, you may need to open this file with wordpad/notepad.

ironport output: paste key in PEM format (end with '.'):

Copy and paste the server.key.PEMunsecure file.

If you received an intermediate CA certificate, you need to perform an additional step:

ironport output: Do you want to add an intermediate certificate? [N]> Y

Copy and paste the contents of the intermediate CA certificate file here.

ironport>commit

I-Planet Web Server

Sign onto the Webserver and select the server to manage.
Select the 'Security' tab and then 'Install Certificate'

Select Trusted Certificate Authority [9] CA, enter the password and copy the text from the UTN-USERFirst-Hardware.crt to the Message Text box (including the BEGIN and END lines), then click 'OK'.
Accept the certificate.

NOTE: Do not shutdown or restart the server until all steps have been completed.

Repeat the steps from * above using the text from the Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt and choosing the 'Certificate Chain' option.
For the site certificate again repeat the steps from * above, but this time choosing 'This Server' option.

At this stage all the certificates are installed and SSL now needs to be activated.

Select the Preferences tab and then Encryption On/Off.
Set encryption to 'On' and Port to 443, click OK, then Save and Apply.

Now shutdown and restart the server.

I-Planet Web Server 6.x

Step by step instructions

1. Select the Install Certificate link on the left side of the page.

Digi-SSL™

[5]

2. Select the Security Tab.

3. On the left frame, choose the Install Certificate link.

Certificate Authority

[9]

Select Trusted Certificate Authority CA, enter the password and copy the text from the
UTN-USERFirst-Hardware to the Message Text box (including the BEGIN and END lines), then click 'OK'.

Accept the certificate.

NOTE:: Do not shutdown or restart the server until all steps have been completed.

Repeat the steps from above using the text from the Digi-Sign CA Digi-SSL Xs™ or
Digi-Sign CA Digi-SSL Xp™and choosing the 'Certificate Chain' option.

4. Fill out the form to install your certificate:

5. Choose Message text (with headers) and paste the text you copied from your certificate file: your_domain.cer

6. Click the OK button at the bottom of the page.

You are shown some basic information about the certificate.

7. If everything looks correct, click the Add Server Certificate button.

On-screen messages tell you to restart the server. This is not necessary, as the web server instance has been shut down the entire time. You are also notified that in order for the web server to use SSL the web server must be configured to do so. Use the following procedure to configure the web server.

Configuring SSL on iPlanet Web Server 6.X

1. Click the Preferences tab near the top of the page.

2. Select the Edit Listen Sockets link on the left frame.

a. Alter the following fields:

b. Click the OK button to apply these changes.

In the security field of the Edit Listen Sockets page, there should now be an Attributes link.

3. Click the Attributes link.

4. Enter the user@realm-name password to authenticate to the user@realm-name on the system.

5. Select SSL settings from the pop-up window.

You can choose Cipher Default settings, SSL2, or SSL3/TLS. The default choice does not show the default settings. The other two choices require you to select the algorithms you want to enable.

6. Select the certificate for the user@realm-name followed by: Server-Cert (or the name you chose if it is different).

Only keys that the appropriate user@realm-name owns appear in the Certificate Name field.

7. When you have chosen a certificate and confirmed all the security settings, click the OK button.

8. Click the Apply link in the far upper right corner to apply these changes before you start your server.

9. Click the Load Configuration Files link to apply the changes.

If you click the Apply Changes button when the server is off, a pop-up window prompts you for a password. This window is not resizable, and you might have problem submitting the change.

There are two workarounds for the problem noted above:

10. Provide the requested passwords in the dialog boxes to start the server.

You are prompted for one or more passwords. At the Module Internal prompt, provide the password for the web server trust database.

11. At the Module user@realm-name prompt, enter the password you set when you created user in the realm-name using secadm.

12. Verify the new SSL-enabled web server at the following URL:

https://hostname.domain:

[30]

Note that the default server_port is 443.

Sun ONE 6.x

When you receive your Digi-SSL™ [5] certificate back from Digi-Sign, it will be encrypted with your public key so that only you can decrypt it. Only by entering the correct password for your trust database, can you decrypt and install your certificate.

There are three types of certificates:

A certificate chain is a hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, and so on, up to a Root CA.

The server will use the key-pair file password you specify to decrypt the certificate when you install it. You can either save the certificates somewhere accessible to the server, or copy them in a text format and be ready to paste them into the Install Certificate form, as described here.

Installing a Certificate

To install a certificate, perform the following steps:

1. Access either the Administration Server or the Server Manager and choose the Security tab.

For the Server Manager you must first select the server instance from the drop-down list.

2. Click the Install Certificate link.

3. Check the type of certificate you are installing:

This Server is for a single certificate associated only with your server
(your Digi-SSL certificate™).
Server Certificate Chain is for a Digi-Sign CA certificate to include in a certificate chain.

Digi-Sign provides Digi-SSL™ certificates signed by either of the following CAs:

Digi-Sign CA Digi-SSL Xs [5]
Digi-Sign CA Digi-SSL Xp [5]

In the email from Digi-Sign, you will find the correct CA certificate to use for the installation.

Trusted Certificate Authority [9] (CA) is for a certificate of a CA that you want to accept as a trusted CA.

Digi-Sign provides Digi-SSL™ certificates, that inherit trust from the UTN-USERFirst-Hardware Root CA globally recognized as a trusted Certification Authority. In the email from Digi-Sign, you will find the correct Root CA certificate to use for the installation.

4. Select the Cryptographic Module from the drop-down list.

5. Enter the Key-Pair File Password.

6. Leave the a name for the certificate field blank if it is to be the only one used for this server instance, unless:

7. Select either:

8. Click OK.

9. Select either:

10. Repeat steps from point 2 to 9 for each individual certificate you received from Digi-Sign and ensure you select the correct certificate type, that you are installing. We recommend, that you install certificates in the following order:

11. For the Server Manager, click Apply, and then Restart for changes to take effect.

-cert7.db. For example: https-serverid-hostname-cert7.db

Oracle Web Application Server

Step by step instructions

Delete ALL text from this file that appears before -----BEGIN CERTIFICATE. Your document should contain only certificate information within this email. After you delete extra text, save this file inside your temporary directory as TEXT and filename "mycert.der".

To configure OAS 4.0.8 listener with your SSL files, go to OAS 4.0.8 Node Manager page (Usually on port 8888). Click on "OAS Manager".

Wait for the Java Applet menu to load and expand -> Website40 Site -> HTTP listener - WWW -> Security -> SSL.

Type in first ROW of data

[9]

To configure the Network section for WWW listener, go to HTTP listener -> WWW -> Network. Add a new ROW of information:

Now, you are ready to recycle OAS for changed to take place. Go to Website40 Site or First Icon on Your Java Applet menu. Click on "Select All" radio button. Click on the (Reload) button in toolbar. This will properly shut down and restart all OAS processes in the right order.

If everything starts successfully, then try to access your secure page. SSL runs on HTTPS protocol, URL format may look like:

https://myhost.yoursitename.com

[31]

If you get errors while trying to start WWW listener after making these changes, then check your NT Event Log or svwww.err file. Both logs will point out what is going wrong. Some common mistakes for SSL configuration include incorrect filename spellings and directory structures, problems with certificate file because of copy/pasting, etc. Log files tend to give very specific information in that case for debugging.

Plesk Server Administrator 2.5

Step by Step Instructions

Important: Installation is a two-step process - ensure you follow both steps listed below:

Step 1: Upload your SSL certificate

Upload a New SSL Certificate

You will be sent 3 certificates via email from Digi-Sign. The certificate named after your domain name or server is the only file from the email that you will need - this is your SSL Certificate.

2. When you applied for a Certificate your Plesk console will have emailed you a CSR [32] and a Private Key. Locate the email and copy the Private Key (not the CSR) into the text file you have just created containing your SSL Certificate. It should look something like:

-----BEGIN CERTIFICATE-----
[[ENCODED BLOCK OF TEXT]]
-----END CERTIFICATE-----

Make sure the -----BEGIN CERTIFICATE----- etc are still displayed within the text file.
Save this file as a TXT file somewhere easily accessible from your Plesk console.

3. In Plesk access the domain management function by clicking on the Domains button at the top of the PSA interface. The Domain List page appears.

4. Click the domain name that you want to work with. The Domain Administration page appears.

5. Click the Certificate button. The SSL Certificate page appears.

6. In the Uploading Certificate File section click browse and locate the saved file just created.

7. Then, click Send File to copy the certificate to the server. Or, if you want to type in the text of the certificate without downloading a specific file, click in the text box and enter and paste the certificate information.

8. Click Send Text to implement the text on the server.

When you download the certificate to the server, PSA checks for errors. If an error is detected, PSA restores the old version of the SSL certificate, and PSA warns you to update the certificate. At this point, you can try again to enter text or to download the certificate file.

When you are satisfied that the SSL certificate is correctly implemented, click Up Level to return to the Domain Administration page.

Step 2: Uploading the Rootchain Certificate

To ensure your Certificate is trusted by all browsers you need to install a rootchain certificate for the domain:

2.Click the domain name that you want to work with. The Domain Administration page appears.

3.Click the Certificate button. The SSL Certificate setup page appears.

4.The icon next to Use rootchain certificate for this domain appears on this page.

5.If the icon is [ON] then the rootchain certificate will be enabled for this domain. If the icon is [X] this function will be disabled.

6.Ensure the icon is [X] before continuing to step 7.

7.To upload your rootchain certificate, first make sure that it has been saved on your local machine or network (save it to disk now by clicking here). Use the Browse button to search for and select the appropriate rootchain certificate file.

8.Then click the Send File button. This will upload your rootchain certificate to the server to assure proper authentication of the InstantSSL certificate authority.

9.Click the icon button again to set it to the [ON] state.

10.When you are satisfied that the rootchain certificate is correctly implemented, click Up Level to return to the Domain Administration page.

Advanced Notes on Certificates:

In order to use SSL certificates for a given domain, the domain MUST be set-up for IP-Based hosting.
When an IP-based hosting account is created with SSL support, a default SSL certificate is uploaded automatically. However, this certificate will not be recognized by a browser as one that is signed by a certificate signing authority.
If the given domain has the www prefix enabled, you must set-up your CSR or self-signed certificate with the www prefix included. If you do not, you will receive a warning message when trying to access the domain with the www prefix.
All certificates are located in the ../vhosts/'domain name'/cert/httpsd.pem file. Where this directory reads "domain name", you must enter the domain name for which the certificate was created.

Certificate with Plesk 5.0

Step by Step Instructions

Important: Installation is a two-step process - ensure you follow both steps listed below.

Step 1: Upload your SSL certificate

From inside PSA, choose the domain in which you are installing the SSL certificate.
Access the domain's SSL section by clicking on the 'certificate' button.
When a CSR [32] (certificate signing request) is generated there are two different text sections, the RSA Private Key (which was emailed to you by Plesk) and the Certificate Request. When installing a certificate, the RSA Private Key text needs to be pasted into the block preceding the web server site certificate. Example:
Paste the Private Key with the Certificate text into the Enter Certificate Text: text box and press the Send Text button.

If successful a message is returned 'Certificate Successfully Installed'.
If there are any errors the old certificate will replace the new certificate that you have just sent to the server and you will be required to enter it again.
Now click Up Level to return to the Domain Administration page.

Step 2: Uploading the Rootchain Certificate/

To ensure your certificate is trusted by all browsers you need to install a rootchain certificate for the domain.

From inside PSA, choose the domain in which you are installing the SSL certificate.
Access the domain's SSL section by clicking on the 'certificate' button.
The icon next to Use rootchain certificate for this domain appears on this page.
If the icon is [ON] then the rootchain certificate will be enabled for this domain. If the icon is [X] then it is disabled.
Ensure the icon is [X] before continuing (you may need to click the ON/OFF button if the icon is set to [ON]):

Click the browse button and locate the Digi-SignCADigi-SSLXp.crt or
Digi-SignCADigi-SSLXs.crt file you have saved from your issuance email earlier.
Then click the Send File button. This will upload your Intermediate certificate to the server.
Click the icon again to set it to the [ON] state.
Now click Up Level to return to the Domain Administration page.

Using your SSL Certificate to secure logging into your Plesk Administrator

If you are applying your certificate to the Plesk control panel (in order to secure your login) you will need to login to Plesk Administrator and select Server.
Select Certificate and complete the above instructions as per applying your SSL certificate to a domain.

Plesk 6.0

Uploading certificate parts

If you have already obtained a certificate containing private key and certificate part (and may be CA certificate), follow these steps to upload it:

You can upload an existing certificate in two ways:

Uploading a CA certificate

For the Digi-Sign CA [9] Digi-SSL Xs or Digi-Sign CA Digi-SSL Xp is the CA Certificate, or rootchain certificate. The CA Certificate is used to appropriately identify and authenticate the certificate authority, which has issued your SSL certificate. To upload your CA Certificate, follow these steps:

NOTE: When you add a certificate, it is not installed automatically onto the domain or assigned to an IP address, but only added to the Certificate repository. You can assign a certificate to an IP address at the Client's IP pool

Plesk 7.0

Step by Step Instruction

9. Click the 'Send Text' button.
10. Now click 'Up Level' from the top right of the screen and choose 'Setup'.
11. At the top of the page, change the 'SSL Certificate' drop-down menu to the certificate you have just installed.
12. Click the 'Server' item from the left hand menu.
13. Click on the 'Service Management' menu item.
14. You now need to Stop and Start the Apache process.

NOTE: Restarting Apache will NOT work. You must stop the service, then start it again to complete the installation

Plesk 7.5

Accessing the Domain SSL Certificates Repository

To access the Domain certificates repository page, click

the Certificates icon at the Domain administration page. The certificates repository page will open displaying the list of available certificates:

The four icons, preceding the certificate name in the list, indicate the present parts of a certificate. The icon displayed in the R column indicates that the Certificate Signing request part is present in the certificate, the icon in the K column indicates that the private key is contained within the certificate, the icon in the C column indicates that the SSL certificate text part is present and the icon in the A column indicates that CA certificate part is present. The number in the Used column indicates the number of IP addresses the certificate is assigned to.

Uploading a certificate file with finding the appropriate private key

After you have received your signed SSL certificate from the certificate authority you can upload it from the Certificate repository page. First make sure that the certificate file has been saved on your local machine or network. Use the Browse button to locate the certificate. Click Send File. The existing certificate with appropriate private key will be found and the certificate part will be added to the repository.

Changing a certificate name

Uploading certificate parts

Add Certificate icon. You will be taken to the SSL certificate creation page.
2. In the Upload certificate files section of the page, use the Browse button to locate the appropriate certificate file or a required certificate part.

NOTE: Your certificate can be contained within one or several files, so you may upload the certificate by parts or as a single file, selecting it in several fields (Plesk will recognize the appropriate certificate parts and upload them correspondingly).

3. Click Send File. This will upload your certificate parts to the repository.

You can upload an existing certificate in two ways:

2. Type in or paste the certificate text and private key into the text fields and click the Send Text button.

Uploading a CA certificate

2. Use the Browse button, within the section related to the certificate uploading, to locate the appropriate CA Certificate file.

3. Click Send File. This will upload your CA Certificate to the repository.

You can upload an existing certificate in two ways:

Removing a certificate part

BEA Systems Weblogic

When you receive your certificates you need to store them in the mydomain directory.

NOTE: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.

To use a certificate chain, append the additional PEM-encoded digital certificates to the digital certificate that issued for the WebLogic Server (the intermediate CA certificate). The last digital certificate in the file chain will be the Root certificate that is self-signed. (example below:)

MIIB+jCCAWMCAgGjMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNVBAYTAlVTMRgwFgYD
.....(your Intermediate CA certificate).....
bW1EDp3zdHSo1TRJ6V6e6bR64eVaH4QwnNOfpSXY

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIE0DCCA7igAwIBAgIQMKeebbHpGVqxyFDTln1j1TANBgkqhkiG9w0BAQUFADBv

.....(your Root CA certificate).....

WjEZgqr9NaoNZCZpyfZxPsOFYzoxLYEmJs3AJHxkhIHg6YQU

-----END CERTIFICATE-----

Configure WebLogic Server to use the SSL protocol; you need to enter the following information on the SSL tab in the Server Configuration window:

In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for WebLogic Server.
In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for Digi-Sign who signed the digital certificate of WebLogic Server. In the Server Key File Name field, enter the full directory location and name of the private key file for WebLogic Server.
Use the following command-line option to start WebLogic Server.

-Dweblogic.management.pkpassword=password where password is the password defined when requesting the digital certificate.

Storing Private Keys and Digital Certificates

Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received into the mydomain directory. Private Key files and digital certificates are generated in either PEM or Definite Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:

NOTE: Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.

The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain. A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file.

NOTE: If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER format files to PEM format, and visa versa.

Website Pro 3.x

When your certificate is issued you will receive 4 certificates:

Yourdomain.cer
Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt
UTN-USERFirst-Hardware.crt

WebStar 4.x

Step by step Instructions

Step 1: Copy your SSL Certificate to file

You will receive an email from us with your SSL certificate in the email. Copy & paste your SSL Certificate (including the -----BEGIN NETSCAPE CERTIFICATE CHAIN----- and -----END NETSCAPE CERTIFICATE CHAIN----- headers) into a raw text editor such as BBEdit or Notepad, ensuring that no extra line spaces or extra characters are inserted into the data. Choose to save the file as yourdomainname.txt.

Step 2: Install your SSL Certificate

Make sure that your web server has SSL capabilities. It should say "SSL" in the Status window on the server, and have an SSL Security item in the list of Settings in WebSTAR Admin.
To install an SSL server, you may need to install WebSTAR from the distribution CD.
Make sure the Status window is open on the server machine.
In WebSTAR Admin, Settings window (on any machine), select SSL Security.
The top area lists the IP addresses you have set using the IP Secondary Addresses file.
The lower area sets your security options, including certificate and private key data. The checkboxes set your policy regarding incoming connections.
Each IP address uses a different certificate. You can have certificates for several of these addresses, but one IP address can only have a single certificate.
Select the item for the IP address, which corresponds to the host name of the current Certificate.
On the Security popup menu, select SSL 2 and SSL 3.
Use the Certificate Choose button to select the certificate file you have saved (yourdomainname.txt).
Use the Private Key File Choose button to select the private key file you used to generate your Certificate Signing Request.
Type your Private Key Password into the appropriate field.
Click the Save button.
Look at the server Status window. You should see a message confirming that the SSL certificate was accepted:

SSL context for xxx.xxx.xxx.xxx:443 created.

Encryption Ciphers
The cipher checkboxes indicate which encryption algorithms you will support. The client can connect only if they support at least one of the cipher you enable, and they negotiate to find the best fit.

Very high-security sites will just enable 3DES and RC4-128.
Some U.S. government sites require DES only, so if you are in that situation, do not enable the RC4 options.
If you decide that your server does not require DES as the primary method, consider whether to allow your server to negotiate DES (which is more computationally intensive), or to allow only RC4.
Most sites that want to allow overseas users will need to turn on DES, DES-40 and RC4-40. RC4-40 is the only supported encryption method that can be exported from the United States to other countries.
MAC is a little different, and should only be used if you need to allow users to connect to your SSL server in an insecure mode. There are a few countries where authentication is allowed but encryption is not, and clients in these countries sometimes use the MAC cipher. The MAC cipher will send your certificate to the client and ensure the integrity of the data you send, but it won't encrypt the data.

When you have chosen your cipher settings, click Save again to send the information to the server.

WS FTP Server

Applying certificates

To apply a certificate that was sent to you as keyname.cer:

2. Navigate to your host's Security directory on the hard drive. If you are unsure what this is, open Server Manager and at Local System, select the Modify General System Settings button. Note the directory listed in the Security directory field. Each host on your system will have its own folder in this directory. The folder for the host should match the name of the host.

3. Make a backup of the keyname.cer that should already exist in this directory. Save the keyname.cer file sent to you by the Certificate Authority [9] in its place.

4. Open Server Manager, expand Local System and then select the SSL window under your host.

5. Verify that Certificate field is your keyname.cer you received from the CA.

6. Restart the WS_FTP Server service.

To apply a certificate that was sent to you as text in an email:

3. Make a backup of the keyname.cer that should already exist in this directory.

4. Open keyname.cer in a text-only editor (such as Notepad.exe) and replace the information in the file with the information from your CA.

5. After saving the file, restart the WS_FTP Server service.

Zeus

When you receive your certificates there will be 3 files, open a text editor and then copy the text from each certificate into the text editor to form one file. The certificates should be pasted in the following sequence, your site Certificate named yourdomain.cer, Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt , UTN-USERFirst-Hardware.crt, and the resulting file should look like the following:

-----BEGIN CERTIFICATE-----
(Class3CertificateAthority Encoded Text)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(TrustRootCertificateAuthority Encoded Text)
-----END CERTIFICATE-----

Please note: Make sure you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- as displayed above.

1. Login to the web server.

2. Select SSL certificates

3. Select Generate CSR [32] (or Replace Certificate) against the certificate set

4. Copy/Paste the text from the text editor into the Signed Certificate box and click OK.

5. Then select Accept this Certificate

6. The certificate set now needs assigning to the web site. Click on the Home icon. Put a tick in the box next to the virtual server to configure and select configure.

7. Click on SSL Enabled.

8. Enable SSL and select the certificate set to use.

9. Apply and commit the changes then restart the web server.

SSL FAQ

Frequently Asked Questions on Digi-SSL™

The following are frequently asked questions on the most popular web servers that use Digi-SSL™ Secure Soctket Layer [SSL] security.

Frequently Asked Questions - Apache

Do I need to install all the certificates that I received?

No, Apache users should use the bundle file on the support page instead of the Digi-Sign and GTE certificate:
http://www.digi-sign.com/support/digi-ssl/install+certificate/index [33]
If you do not install the bundle file you will receive not trusted messages when you go to the secure area of your web site.

I have accidentally deleted my Private Key

First check your backups and see if you can re-install the Private Key. If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding Private Key or the key that is found is not the one that matches the certificates.
You may also see this error: "OpenSSL: error:0B080074:x509 certificate
outines:x509_check_private_key:key values mismatch"

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments. IP based hosting should be used due to the way that the SSL protocol works.

What is the difference between Apache Mod_SSL and OpenSSL when installing my certificate?

There is no difference, the process is the same and the directives used are the same. Apache fails on start up, what could cause this?
If the key file has a Passphrase you need to remove it, as Apache cannot read this on start-up, you can do that with the following command: openssl rsa -in file1.key -out file2.key
file2.key will contain your unencrypted key If you used Mozilla to download the file, it may have saved the file in compressed format.

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [8].

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port opened, this is usually port 443. (listen 443) Is the firewall set to allow the SSL port through. Has the server been rebooted Make sure 'Use SSL 3.0' is ticked in the web browser options.

Normal PC browsers work OK, but I get 'Not Trusted' messages when I go to the same page with the MAC

This is usually caused by the directive SSLCertificateChainFile being used instead of the SSLCACertificateFile directive.

Error: "Data decryption error"

This error message occurs because there are directives missing from the httpd.conf file. Most web servers can be configured to 'talk' to various browser versions in a different way, the fix for this particular problem is to add the following directives to the httpd.conf file so allowances can be made for Internet Explorer on the Mac:
SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300.

I get the message "There are secure and non-secure items on the page, Would you like to proceed?"

The error means that there are embedded objects or HTML tags on the page that are not being called absolutely secure. For example, a page that is loaded securely (HTTPS), and contains an image tag within the source code such as IMG SRC =http://www.yyy.com/image.gif. In this case the image is being called absolutely using the non-secure (HTTP) protocol.

When I access my secure site, a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be used.

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section. Check your .conf file to ensure that SSL Protocol version 3 is allowed.

I get an intermittent server not found message when trying to access my site

If the web server is set to check the Certificate Revocation List and the server is down, this can cause a time-out of the operation. This will not be the certificates, but something related to the browser timing out on the operation.

When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic with some MSIE versions, too. You've to work-around these problems by forcing Apache with Mod_SSL or OpenSSL to not use HTTP/1.1, keep-alive connections or sending the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Additionally it is known some MSIE versions also have problems with particular ciphers. Unfortunately you cannot workaround these bugs only for those MSIE particular clients, because the ciphers are already used in the SSL handshake phase. So a MSIE-specific SetEnvIf doesn't work to solve these problems.
Instead you have to do more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects ALL of your clients.

Error: "no start line:pem_lib.c" or "no end line:pem_lib.c"

Apache-SSL uses a toolkit called OpenSSL for its security routines. OpenSSL is very particular about the format of certificate requests and certificates. This error is specifically related to the format of the certificate.

Check that there are 5 dashes before and after the BEGIN and END text, and they must form the first and last lines of the certificate.
In particular, the BEGIN and END lines must look like:

-----BEGIN CERTIFICATE-----
Encoded Certificate
-----END CERTIFICATE-----

Be careful when you cut and pasted the certificate from the browser window into a text editor to create the certificate text file.
Make sure you remove any trailing spaces, before and after the BEGIN or END lines, or you will see this error.

Error: "Unable to configure RSA server private key"

Specify the correct private key for the certificate.

Compare the modulus of certificate against the modulus of the private key to see if they match by using the following commands:

To view the certificate modulus:

Openssl x509 -noout -text -in certfile –modulus

To view the key:

Openssl rsa -noout -text -in keyfile –modulus

Check that the certificate and private key is saved in notepad and that it has no trailing spaces.

The "modulus" and "public exponent" portions in the key and the certificate must match exactly

Error: "OpenSSL: error:0B080074:x509 certificate outines: x509_check_private_key: key values mismatch"

This error message occurs if you are using the incorrect certificate or private key during installation. So you need to use the matching key and certificate files. To check that the public key in your cert matches the public portion of your private key, view both files, and compare the modulus values with the following instructions:

To view the certificate:
Openssl x509 -noout -text -in certfile

To view the key:
Openssl rsa -noout -text -in keyfile

The "modulus" and "public exponent" portions in the key and the certificate must match exactly. If the "modulus" do not match exactly then you are using either the incorrect private key or certificate.

Frequently Asked Questions - IIS 5.x & 6.0

Do I need to install all the certificates that I received?

Yes, if you do not install all the received certificates you will receive not trusted messages when you go to the secure area of your web site.

I have accidentally deleted my "pending request" or "private key"

First check your backups and see if you can re-install the "pending request" or "private key". If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding 'private key' or 'pending request' or the key that is found is not the one that matches the certificates.

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments. IP based hosting should be used due to the way that the SSL protocol works.

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port opened, this is usually port 443.
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [8].

When I access my secure site, a certificate for another site is displayed

Browsers are saying that something is not trusted

Error: 'This page must be viewed over a secure channel'

Microsoft IIS is configured to require a secure channel.
The following steps will allow non-secure (http) connections to your site:
Within Microsoft Internet Information Server, right click on your web site.
Under Secure Communications, click on Edit.
Un-check the box that says 'Require Secure Channel'

I get an intermittent server not found message when trying to access my site

If the web server is set to check the Certificate Revocation List and the server is down, this can cause a time-out of the operation.
This will not be the certificate, but something related to the browser timing out on the operation.

How do I back up my private key in IIS 5?

Start, run, type mmc

Go into the Console Tab, Add/Remove Snap in

Click on Add, Double Click on Certificates and Click on Add > OK

Choose Computer Account

Choose Local Computer

Open up the Certificates Consol Tree

Look for a folder labelled REQUEST, then select Certificates

Highlight the key that you wish to back up

Right click on the file and choose, All Tasks, Export

Follow the Certificate Export Wizard

Choose to mark the Private key as exportable

Leave default settings

Choose to save file on a set location.

Click Finish

You will get message that the export was successful

Note: Once the Pending Request is completed the Key is no longer available

How do I move the certificate and key from IIS5 to Apache?

Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Do not choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Copy the resulting .pfx file to your Apache web server.

Then import the private key and cert file into Apache using the following commands:

openssl pkcs12 -in mypkcs12.pfx -out pfxoutput.txt

You'll need to enter the password at least once.

Load pfxoutput.txt into a text editor and save each certificate as a separate file.
Also save the private key as a separate file (e.g. myencrypted.key).

The private key will probably be encrypted at the moment. i.e. looking something like.....

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,.........
.........
-----END RSA PRIVATE KEY-----

If the version of Apache we're using doesn't allow encrypted private keys, to decrypt the private key run the following command:

Openssl rsa -in myencrypted.key -out my.key

How do I force SSL for specific pages?

To use ASP to force SSL for specific pages follow the directions at the following url:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239875 [34]

How do I export the key in IIS 5?

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/support/kb/articles/Q232/1/36.ASP [35]

How do I import the server certificate in IIS 5?

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP [36]

How do I create a renewal CSR in IIS 5?

Create a new web site in IIS, then go to the 'Properties', 'Directory Security', 'Server Certificate' tab.

Use the certificate wizard to create your new Key/CSR file

Backup the private key file by following the instructions:

Start, run, type mmc, select OK

Go into the Console Tab, Add/Remove Snap in

Click on "Add". Double Click on "Certificates" and Click on "Add", click "OK"

Choose Computer Account, then Local Computer

Open up the Certificates Consol Tree

Look for a folder called REQUEST, Certificates

Highlight the key that you wish to back up

Right click on the file and choose, All Tasks, Export

Follow the Certificate Export Wizard

Choose to mark the Private key as exportable

Leave default settings

Choose to save file on a set location.

It is important to take a copy of the private key and store it off the server; in the event

that the server crashes.

Click Finish

You will get message that the export was successful

Save the resultant CSR file to your hard drive indicating it is a renewal CSR

Use this CSR during the purchase process.

Once you receive the renewed certificate, install it using the wizard you used to create it
on the same NEW website you created.

Once installed, go to the correct website you want the certificate to run on.

Go to 'Properties', 'Directory Security', 'Server Certificate', remove the certificate currently installed, and assign the certificate you installed in the previous step

Restart the WWW service

Error: "The string contains an invalid X470 name, attribute key, OID, value or delimiter"

To avoid this error, create a new certificate and verify that there are no special characters in any of the fields in the distinguished name.

In particular, do not include a comma in the company name.

The following characters are not allowed in any of the CSR fields:
[! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']

Error: "The pending certificate request for this response file was not found. This request may be cancelled. You cannot install selected response certificate using this Wizard"

You are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard. Microsoft IIS 5 only allows you to make one request per site. If you create a new CSR for the same website, your original request (and private key) will be overwritten.
If you have a backup of the private key, you can install the certificate via the MMC if you can restore the request to the REQUEST folder.
Unless you can find the matching private key for the certificate, you will need to have the certificates reissued.

My browser stopped responding to my SSL server, other browsers can connect from a different location?

Microsoft has released a fix for this error. Please refer to the relevant knowledge base article Q285821, which can be found at the following url:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285821 [37]

How do I backup the certificate and key in IIS5?

Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Save the .pfx file in a safe place off the server.

Frequently Asked Questions - Cobalt Raq

I have accidentally deleted my Private Key

I am being told that my Certificate/Key is invalid

There may not be a corresponding Private Key or the key that is found is not the one that matches the certificates.
You may also see this error: "OpenSSL: error:0B080074:x509 certificate outines:x509_check_private_key:key values mismatch"

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments.
IP based hosting should be used due to the way that the SSL protocol works.

Cobalt (Apache) fails on start up, what could cause this?

If the key file has a pass phrase you need to remove it, as Apache cannot read this on start-up, you can do that with the following command:
Openssl rsa -in file1.key -out file2.key
File2.key will contain your unencrypted key
If you used Mozilla to download the file, it may have saved the file in compressed format
I get 'The Page Cannot Be Displayed' when going to the HTTPS page
Is the SSL port opened, this is usually port 443. (Listen 443)?
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

Error: "Data decryption error"

I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [8].

When I access my secure site, a certificate for another site is displayed

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section.
Also ensure that SSL Protocol version 3 is supported.
The bundle file must also be specified in the Global SSL section of the. conf file.

I get an intermittent server not found message when trying to access my site

When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?

Open the file with any text editor and carefully insert the code piece below in the appropriate place, around the directive for "SSLengine on", you may have to insert it in both the IF and the ELSIF portions of the setup:

$PerlConfig .= "Listen $ip:443\n";
$PerlConfig .= "\n";

# ------------- INSERT THIS CODE -------------
$PerlConfig .= "SetEnvIf User-Agent \".*MSIE.*\" \\n";
$PerlConfig .= " nokeepalive ssl-unclean-shutdown \\n";
$PerlConfig .= " downgrade-1.0 force-response-1.0 \n";
# ------------- END INSERT -------------------

$PerlConfig .= "SSLengine on\n";
$PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
$PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
$PerlConfig .= join('', @ssl_conf);

Additionally it is known some MSIE versions have also problems with particular ciphers. Unfortunately one cannot workaround these bugs only for those MSIE particular clients, because the ciphers are already used in the SSL handshake phase. So a MSIE-specific SetEnvIf doesn't work to solve these problems. Instead one has to do more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all (!) your clients, i.e., also your non-MSIE clients.

Frequently Asked Questions – Webstar

What format do I need the certificates in to load them using Webstar V4?

The certificates must be provided in a single chain file in Netscape format. Please request this from support@digi-sign.com [38]

What format do I need the certificates in to load them using Webstar V5?

The certificates must be provided in a single text file in this order:

The customer certificate
Digi-SignClass3CA.cer
GTECyberTrustRootCA.cer
And there MUST be a blank line between

-----END CERTIFICATE-----
and
-----BEGIN CERTIFICATE-----

Error: "bad unsupported format" when importing certificate

This error happens when using the Certificate Extractor utility. If you do not use the extractor to import the certificate, it should work OK.

Error: "Netscape cannot communicate securely with this server. No common encryption algorithms"

This error is a known bug in earlier versions of 4D Webstar Server Suite/SSL. You should upgrade to the latest version, and make sure all fixes and updates have been applied.

If you are using the latest version, check that your SSL settings are correct. The server should be listening on Port 443 for SSL connections, and have the correct certificate and key file specified. Enable all ciphers. If you have not set up your server correctly for SSL, you may receive this error.

Digi-SSL™

Source URL: http://www2.digi-sign.com/support/digi-ssl

Links:
[1] http://www2.digi-sign.com/about/announcements/2048
[2] http://www2.digi-sign.com/support/knowledgebase/digi-ssl
[3] http://www2.digi-sign.com/user/login
[4] http://www2.digi-sign.com/user/register
[5] http://www2.digi-sign.com/digi-ssl
[6] http://www2.digi-sign.com/en/node/add/forum/11
[7] http://www.sun.com/hardware/serverappliances/documentation/manuals.html
[8] http://www.digi-sign.com
[9] http://www2.digi-sign.com/certificate+authority
[10] http://www.company.com
[11] http://www2.digi-sign.com/support/digi-ssl/Microsoft+iis+5+iis+6
[12] http://www2.digi-sign.com/http
[13] http://www.digi-sign.com/product/digi-ssl/
[14] http://www2.digi-sign.com/digi-ca
[15] http://www.yourdomain.com
[16] http://www2.digi-sign.com/digital+certificate
[17] http://www.yoursitename.com
[18] mailto:sleuniss@yoursitename.com
[19] http://www.domainname.com
[20] https://hostname:port/Certificate
[21] https://server:7002/certificate
[22] https://www.digi-sign.com/downloads/download.php?id=aacd-digi-ssl-pdf
[23] http://www2.digi-sign.com/download/certificate/UTN-USERFirst-Hardware.crt
[24] http://www2.digi-sign.com/download/certificate/Digi-SignCADigi-SSLXs.crt
[25] http://www2.digi-sign.com/download/certificate/Digi-SSLXsCA_Chain.pem
[26] http://www2.digi-sign.com/download/certificate/Digi-SignCADigi-SSLXp.crt
[27] http://www2.digi-sign.com/download/certificate/Digi-SSLXpCA_Chain.pem
[28] http://www.digi-sign.com/support/digi-ssl/install%20certificate/index
[29] http://www2.digi-sign.com/compliance/introduction
[30] https://hostname.domain:
[31] https://myhost.yoursitename.com
[32] http://www2.digi-sign.com/support/digi-ssl/generate+csr
[33] http://www.digi-sign.com/support/digi-ssl/install+certificate/index
[34] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239875
[35] http://support.microsoft.com/support/kb/articles/Q232/1/36.ASP
[36] http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP
[37] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285821
[38] mailto:support@digi-sign.com

Digi-SSL™ Certificates

CSR Generation

Apache Mod_SSL

Step-by-Step Instructions

OpenSSL

Step-by-Step Instructions

Cobalt RaQ4/XTR

Apache via Ensim Webppliance 3.1.x

Stronghold Server

Hsphere

IBM HTTP Server

Using IKEYMAN for CSR Generation

Java Server

Tomcat Server

Lotus Domino Server versions 4.6x and 5.0x

Microsoft IIS 4.x

Microsoft IIS 5.x / 6.x

Microsoft IIS 7 Server 2008

Microsoft ISA 2000 Server

Microsoft Office Communications Server [OCS] 2007

Microsoft Office Communications Server [OCS] 2007

Microsoft SMTP Server

Ironport

I-Planet Web Server

I-Planet Web Server 6.x

Sun ONE 6.x

Request a certificate

Oracle Web Server

Plesk Server Administrator 2.5

Plesk 5.0

Plesk 6.0

Generating a certificate signing request

Plesk 7.0

Plesk 7.5

Accessing the Domain SSL Certificates Repository

BEA Systems Weblogic

Requesting a Private Key and Digital Certificate

Website Pro 3.x

WS FTP Server

Zeus

Login to the web server

Install Digi-SSL™

Installing Apache Mod SSL

Step-by-Step Instructions

Apache OpenSSL

Step by Step Instructions

Java Server

Tomcat Server

C2Net Stronghold

Apache via Ensim Webappliance 3.1.x

Step by Step Instructions

Certificate on a Cobalt RaQ4/XTR

Installing the site certificate

Hsphere

Installing your Certificate on Hsphere

IBM HTTP Server

Installing certifications on IBM HTTP Server

Lotus Domino Server v4.6x & v5.0x

Installing certificates on Lotus Domino Server

Microsoft IIS 4.x

Microsoft IIS 5.x / 6.x

Installing the Root & Intermediate Certificates

Microsoft IIS 7 Server 2008

Microsoft ISA 2000 Server

Instructions to install certificates on Microsoft ISA 2000 Server

Microsoft SMTP Server

Ironport

I-Planet Web Server

I-Planet Web Server 6.x

Step by step instructions

Configuring SSL on iPlanet Web Server 6.X

Sun ONE 6.x

Oracle Web Application Server

Step by step instructions

Plesk Server Administrator 2.5

Step by Step Instructions

Certificate with Plesk 5.0

Step by Step Instructions

Plesk 6.0

Uploading certificate parts