Versions Compared

Version Old Version 6 New Version Current
Changes made by

LEE KNUTSON

LEE KNUTSON

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: correcting broken URLs

This page is available to list information and links to support pages with information useful for system administrators responsible for utilizing the InCommon Certificate Service.

...

Follow these directions to generate a certificate signing request (CSR):

Windows 2003 Server: CSR Generation: Microsoft IIS 5.x & 6.x

Windows 2008 Server: CSR Generation: Microsoft IIS 7.x

Apache httpd (Linux/Unix)

Requesting a new certificate

Follow these directions to generate a certificate signing request (CSR): CSR Generation: Using OpenSSL (Apache & mod_ssl, NGINX)

Tomcat (Linux/Unix)

Requesting a new certificate

Follow these directions to generate a certificate signing request (CSR): http://www.digicert.com/csr-creation-tomcat.htm

Submitting the CSR

Follow these directions to submit the certificate signing request (CSR): InCommon Certificate Service - SSL Certificate Request

Installing a Certificate

...

Once you have been notified by InCommon that your certificate has been generated, follow these directions to install the certificate:

Windows 2003 Server: Certificate Installation: Microsoft IIS 5.x & 6.x 

Windows 2008 Server: Certificate Installation: Microsoft IIS 7.x

Note that you should use the "PKCS#7 Base64 encoded" link to download the certificate for use with IIS.

...

If you are replacing a server that currently has an InCommon certificate in use, you can migrate the certificate to the new server, avoiding the need to issue a new CSR and wait for a new certificate to be generated. This can be done even if the new server is using a different version of Windows and IIS than the existing server. Here are the directions for Exporting and Restoring a PFX file to IIS 

Apache httpd (Linux/Unix)

...

Once you have been notified by InCommon that your certificate has been generated, follow these directions to install the certificate: Certificate Installation: Apache & mod_ssl Note that you should use the "X509 Certificate only, Base64 encoded" link to download the client certificate, and the "X509 Intermediates/root only Reverse, Base64 encoded" link to download the intermediate and rootcertificates, for use with httpd.

Tomcat (Windows)

The easiest http://www.digicert.com/ssl-certificate-installation-tomcat.htm to install directly to Tomcat.

Or another method of getting SSL protection in Tomcat on Windows is to first request and install a certificate in IIS (even if no website is hosted by IIS), and the export the certificate from IIS, to import into Tomcat. To export an SSL certificate from IIS for use with Tomcat on Windows, follow these directions: Export SSL Certificate from IIS and Import into Tomcat

Tomcat (Linux/Unix)

To import an existing SSL key and certificate in Linux/Unix to Tomcat, follow these instructions: Importing existing SSL key and certificate for tomcat

...

A common issue when installing a certificate is that the chain of certificates is not installed properly:
For SHA-1:
  • AddTrust Root Certificate
  • InCommon Intermediate Certificate, and
  • Client Certificate
are not installed properly.
  • Certificate

For SHA-2:

  • AddTrust Root Certificate
  • USERTrust Root Certificate
  • InCommon Intermediate Certificate, and
  • Client Certificate

Pieces of the overall certificate can be missing, or installed in an improper order. To test that the certificate is working as expected, use one of the sets of directions below. (Testing should need to be done with only a single browser.)

...