InCommon Certificate Service - Sysadmin FAQ
This page collects information and links to support pages that are useful for system administrators responsible for using the InCommon Certificate Service.
Requesting a certificate (Generating a CSR - Certificate Signing Request)
IIS (Windows)
Requesting a new certificate
Follow these directions to generate a certificate signing request (CSR):
Windows 2003 Server: CSR Generation: Microsoft IIS 5.x & 6.x
Windows 2008 Server: CSR Generation: Microsoft IIS 7.x
Apache httpd (Linux/Unix)
Requesting a new certificate
Follow these directions to generate a certificate signing request (CSR): CSR Generation: Using OpenSSL (Apache & mod_ssl, NGINX)
Tomcat (Linux/Unix)
Requesting a new certificate
Follow these directions to generate a certificate signing request (CSR): http://www.digicert.com/csr-creation-tomcat.htm
Submitting the CSR
Follow these directions to submit the certificate signing request (CSR): InCommon Certificate Service - SSL Certificate Request
Installing a Certificate
IIS (Windows)
Installing a new certificate
Once you have been notified by InCommon that your certificate has been generated, follow these directions to install the certificate:
Windows 2003 Server: Certificate Installation: Microsoft IIS 5.x & 6.x
Windows 2008 Server: Certificate Installation: Microsoft IIS 7.x
Note that you should use the "PKCS#7 Base64 encoded" link to download the certificate for use with IIS.
NOTE: Browsers that have never visited a site using the InCommon Intermediate certificate will show errors unless your server sends the full chain. Be sure to install the InCommon Intermediate certificate (and, if necessary, the AddTrust Root certificate) using the Root and Intermediate Certificate installation via MMC directions.
Replacing an existing certificate
By default, when you use the IIS Certificate wizard in Windows to create a certificate signing request (CSR) for a new InCommon certificate, the wizard assumes that you are replacing the existing certificate. As a result, IIS also assumes you no longer want to use the existing certificate and removes it, leaving your site unavailable via HTTPS. Your site does not need to be unavailable while the certificate authority processes the CSR; use these directions to work around this restriction in Windows: How to create a CSR without removing your current certificate in IIS
Migrate an existing certificate
If you are replacing a server that currently has an InCommon certificate in use, you can migrate the certificate to the new server, avoiding the need to submit a new CSR and wait for a new certificate to be generated. This works even if the new server is running a different version of Windows and IIS than the existing server. Here are the directions for Exporting and Restoring a PFX file to IIS.
Apache httpd (Linux/Unix)
Installing a new certificate
Tomcat (Windows)
Follow http://www.digicert.com/ssl-certificate-installation-tomcat.htm to install the certificate directly in Tomcat.
Another way to get SSL protection in Tomcat on Windows is to first request and install a certificate in IIS (even if IIS hosts no website), and then export the certificate from IIS and import it into Tomcat. To export an SSL certificate from IIS for use with Tomcat on Windows, follow these directions: Export SSL Certificate from IIS and Import into Tomcat
Tomcat (Linux/Unix)
Testing Certificate Installation
Verifying proper certificate chaining
The complete chain consists of:
- AddTrust Root Certificate
- InCommon Intermediate Certificate, and
- Client Certificate
For SHA-2:
- AddTrust Root Certificate
- USERTrust Root Certificate
- InCommon Intermediate Certificate, and
- Client Certificate
Certificates in the chain can be missing, or installed in the wrong order. To test that the certificate is working as expected, use one of the sets of directions below. (Testing needs to be done with only a single browser.)
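The chain-order check described above, as an added example that is not part of this FAQ or of InCommon's tooling: a standard-library Python script that splits a PEM bundle into certificates, pulls the issuer and subject names out of each with a small DER walker, and reports where consecutive certificates do not link (a missing intermediate, or the wrong order). To run offline it builds its own constructed, unsigned certificate skeletons named after the FAQ's SHA-2 chain; `www.example.edu` and the CN strings are placeholders, not the real certificate names. It checks structure only and does not verify signatures, expiry or trust.

```python
"""Structural check of a PEM certificate bundle: is each certificate issued by
the next one?  Added example for this FAQ, not InCommon's or a vendor's tool.
Standard library only.  Signatures are NOT verified; use openssl verify."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    if isinstance(pem, str):
        pem = pem.encode()
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def names_from_der(der):
    """Return (issuer, subject) as raw DER Name encodings for byte-exact comparison."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _tlv(der, start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _vstart, vend = _tlv(der, pos)
        fields.append((tag, der[pos:vend]))  # keep the whole TLV, tag included
        pos = vend
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def chain_gaps(pem):
    """List the places where the bundle is not contiguous (empty list = OK).
    Expected order: leaf first, then each issuing CA in turn."""
    names = [names_from_der(d) for d in pem_to_der_list(pem)]
    if not names:
        return ["no certificates found"]
    problems = []
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][0], names[i + 1][1]
        if issuer != next_subject:
            problems.append(f"certificate {i} is not issued by certificate {i + 1} "
                            "(missing intermediate or wrong order)")
    return problems


def ends_at_self_issued_root(pem):
    """True when the last certificate's issuer equals its subject (a root)."""
    issuer, subject = names_from_der(pem_to_der_list(pem)[-1])
    return issuer == subject


# --- constructed test data: certificate skeletons with the real TBS field order ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    oid_common_name = b"\x06\x03\x55\x04\x03"          # OID 2.5.4.3 (commonName)
    return _der(0x30, _der(0x31, _der(0x30, oid_common_name + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton: correct field layout, dummy key
    and signature.  Nothing will ever trust it; it only exercises the parser."""
    sha256_rsa = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                   # [0] version v3
        _der(0x02, b"\x01"),                                # serialNumber
        _der(0x30, sha256_rsa),                             # signature AlgorithmIdentifier
        _name(issuer_cn),                                   # issuer
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z")),  # validity
        _name(subject_cn),                                  # subject
        _der(0x30, b"\x05\x00"),                            # subjectPublicKeyInfo (dummy)
    ]))
    cert = _der(0x30, tbs + _der(0x30, sha256_rsa) + _der(0x03, b"\x00"))
    body = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            + "\n-----END CERTIFICATE-----\n")


# Placeholder names following the FAQ's SHA-2 chain; the host name is constructed.
LEAF = fake_cert("www.example.edu", "InCommon Intermediate")
INTERMEDIATE = fake_cert("InCommon Intermediate", "USERTrust Root")
USERTRUST = fake_cert("USERTrust Root", "AddTrust Root")   # cross-signed by AddTrust
ADDTRUST = fake_cert("AddTrust Root", "AddTrust Root")     # self-issued root
GOOD_CHAIN = LEAF + INTERMEDIATE + USERTRUST + ADDTRUST
MISSING_INTERMEDIATE = LEAF + USERTRUST + ADDTRUST
WRONG_ORDER = INTERMEDIATE + LEAF + USERTRUST + ADDTRUST

if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_CHAIN
    print("\n".join(chain_gaps(bundle)) or "chain is contiguous")
```

Run it with the path to the bundle your server actually sends (for Apache, the files named in SSLCertificateFile and SSLCertificateChainFile). The authoritative check, which also validates signatures and expiry, is `openssl verify -CAfile <root> -untrusted <intermediates> <server cert>` against the real certificates; this script only catches the ordering and missing-intermediate mistakes the FAQ describes.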