About This Page

Quickly find information on Assorted services as well as general information on domain names and the Internet. Click on the links to drill down in depth on topics, or enter keywords into the Guide search engine to find sections on a particular topic.

Assorted Guides: SSL Certificates

Table of Contents

  1. Introduction
    1. Why SSL?
    2. Who needs SSL?
    3. What type of Web Server Certificate does Domain Contender offer?
    4. Features of a secure site
  2. Billing
    1. Fee
    2. Payment options
  3. Compatibility
    1. Browser compatibility
    2. Server compatibility
  4. Application
    1. Application process
    2. Certificate Signing Request
    3. Distinguished Name
    4. More on the Common Name
  5. Troubleshooting FAQs
  6. Managing Certificate
    1. Check the size of the certificate
    2. Keep the private key secret
    3. Lost key
    4. Lost password
    5. Certificate replacement policy
    6. Certificate revoke policy
    7. Check expiration date
  7. Technical Support
  8. Appendix A -- Web Server Certificates Installation Instructions
    1. Apache
    2. Apache + Raven
    3. Apache + Raven 1.5x
    4. Apache + SSLeay
    5. BEA Weblogic
    6. C2Net Stronghold
    7. CPanel
    8. Cobalt RaQ4/XTR
    9. Ensim Web appliance 3.1.x
    10. Hsphere Web Server
    11. IBM HTTP
    12. IBM WebSphere Advanced Single Server Edition 4.0
    13. iPlanet Enterprise Server 4.1
    14. Java Based Web Servers
    15. Lotus Domino Go 4.6.2.6 and higher
    16. Lotus Domino 4.6x and higher
    17. Microsoft Internet Information Server 4.0
    18. Microsoft Internet Information Server 5.x / 6.x
      1. Backup in Microsoft IIS 5.x, 6.x
    19. Microsoft: Outlook Web Access 2000
    20. Netscape Enterprise/Fast Track
    21. Novell ConsoleOne
    22. Novell I-Chain
    23. Plesk Server Administrator
    24. Plesk Server Administrator 6
    25. Plesk Server Administrator 7
    26. Stronghold 3
    27. WebSTAR 4.0 and higher
    28. Zeus Web Server v3
    29. SSL Accelerator: SSL Offloader
    30. SSL Accelerator: F5 Big IP
    31. SSL Accelerator: Intel NetStructure 7110
  9. Appendix B -- Site Seal Installation Instructions

Introduction

Why SSL?

A Web Server Certificate, or Server ID, is a digital document containing unique codes that identify the holder of the certificate to the person accessing the site. On the Internet, website visitors usually have no reliable way to identify who owns the online store that they are doing business with. When customers visit a virtual store to make the purchase, their biggest concern is whom they will be paying and if the payment is conducted in a secure way. This is why you need SSL certificates to secure your server.

The Secure Sockets Layer (SSL) is a protocol originally developed by Netscape. It has become the universal standard on the Web for authenticating websites to Web browser users, and for encrypting communications between browser users and web servers. SSL is built into all major browsers and web servers, so the same protocol is used no matter where it is implemented. Installing a digital certificate, or Server ID, enables a server's SSL capabilities.

A Web Server Certificate is issued by a trusted third party called a Certification Authority (CA). CAs must audit the identity of the people or organizations to whom they issue certificates. Once the CA establishes an organization's identity, it issues a certificate that contains the organization's public key and signs it with the CA's private key. SSL certificates hold information about web servers. They contain information about the owners of the certificates, the server to which the certificate was sold, when it was sold and when it expires. By checking the details of the certificate, your customers can assure themselves that the website they are dealing with is in fact the website they want to be dealing with. They also know that their credit card or personal details cannot be intercepted by a third party on the Internet.

Who needs SSL?

If your website has online ordering facilities and you want to assure customers that they are not exposed to any of the risks associated with sending data over the Internet, you should apply for an SSL certificate.

Please note that Domain Contender's hosting server (TigerShark) does not currently support SSL. You will need to use another hosting service for your domain if you wish to establish a secure site.

What type of Web Server Certificate does Domain Contender offer?

Currently, we offer a 128-bit industry standard Premium SSL Certificate powered by domaincontender.com for a one year period. These certificates include:

  • Fully Validated
  • 99.3% browser coverage
  • $10,000 warranty
  • a free site seal
  • Telephone, email and web support

    Features of a secure site

    A page is secure if:

    1) The URL changes from http:// to https://.

    2) A lock symbol appears in the lower left-hand status bar in Netscape Navigator.

    3) A lock symbol appears in the lower right-hand status bar in Internet Explorer.

    Billing

    Fee

    Our certificates cost $70.00 U.S. for a one year period of security.

    Payment options

    Users can use Domain Contender dollars to purchase certificates at a discount rate.

    The Domain Contender dollars rates charged by Domain Contender may vary from time to time. The current discount rates charged by Domain Contender with other payment options will always be located at https://secure.domaincontender.com/myaccount/bulk/payment.php.

    The current discount rates charged by credit card are located at: https://secure.domaincontender.com/myaccount/bulk/

    Compatibility

    Browser compatibility

    Domain Contender powered SSL certificates support the following browsers:

    AOL Browser 5.x and higher

    Microsoft Internet Explorer 5.00 and higher

    Netscape Navigator 4.x and higher

    Opera 5 and higher

    Galeon

    Konqueror

    Mozilla

    Root Certificate comes pre-installed with:

    Windows 98SE, ME, 2000, and XP

    Mac OS 8.5, OS 9.x, OS X

    CA certificates required for installation are located at: https://secure.domaincontender.com/help/guides/ca-certs.zip

    *** NOTE *** You must load the certificates above into your web server, otherwise an error such as "certificate was issued by a company you have not chosen to trust" will be displayed by visitors' browsers.

    Server compatibility

    Domain Contender certificates support all current releases of commercial and freeware web servers that support SSL v.3. Supported servers include:

    Apache 2.x

    Apache + MOD SSL

    Apache + Raven

    Apache + ApacheSSL

    C2Net Stronghold

    Cobalt RaQ3/RaQ4/XTR

    Ensim

    IBM HTTP

    Jakarta Tomcat

    IBM-Lotus Domino Go 4.6.2.6+

    Lotus Domino 5.0x

    Microsoft Internet Information Server 4.0

    Microsoft Internet Information Server 5.0

    Netscape Enterprise/Fast Track

    Plesk

    WebLogic 5.1

    WebLogic 6.x

    WebSTAR 4.0 and higher

    Zeus Web Server v3

    Application

    Application process

    Here are the steps to apply for a certificate at Domain Contender:

    1. Log into the Domain Contender account at www.domaincontender.com/myaccount/
    2. Click on the SSL Certificate link under "Advanced Options."
    3. Select the domain you want to purchase the certificate for, and then press the Continue button.
    4. Select the type of server you wish to purchase a certificate for, and then continue.
    5. Follow the instructions provided to produce your Key and CSR, and then continue.
    6. Enter your CSR into the edit box provided with all pertinent lines included, and then continue.
    7. Click the Continue button to proceed to the checkout page. Enter your payment information.

    When your certificate is approved, we will email it to the address you supplied during the ordering process. To install your certificate, follow the instructions provided below for your web server.

    Certificate Signing Request

    A CSR is a text file, generated by a web server, that is submitted to the Certification Authority during the digital certificate application process and used to generate a signed digital certificate. It contains the following:

    1. Identifying information about the company applying for the digital certificate

    2. The company's public key

    3. The type of web server on which the certificate will be installed

    It is usually transferred via email, and is encoded so that it is not human-readable (although it is not encrypted).

    A CSR should look similar to the following example:

    -----BEGIN CERTIFICATE REQUEST-----
    MI711iCWRAwgZIxCzAJBgNVBNiiWlVTMREwDwYDItqIEwhOZXcgWW9yazERMA8GW1
    UEBxMITmVZBgNVBWoTElJlZ2lzdwyLmNwgSW5jLjEZaWzQHJlZ2lzdGVyLmqhkiG9
    w0lAQEYEWzMrdydBoI8K+5LEj/yLZ8YVsGasKIJ2rod8anVty9pzPKGxmWiUb2h2i
    xd3d3LqGSIb3DQc3lzYWRtVvzWHkfMDq6q0jXQGI4yJKLFg8WMAcjJgzE5bopWybK
    eofWL0ZNGcsImfy3WeR9cydfwrJ05mgPUzAwEMBsGCSqGSIbBzELEwl0ZXzdQADgY
    EAgvJs5PTvo3O2OaUSdm+/58fG3Wcsy/OKivjPIVQ+Mot3HSchd04D++zBWn5Ih2/
    QMCxzlq7oXQFwSFe0IDXPRhCLWcWkz991+CdGdmw25g=
    -----END CERTIFICATE REQUEST-----

    When you copy and paste the CSR into the appropriate field, paste the entire CSR, including the beginning and ending dash marks.

    Reminder: Please do not set a password for the CSR. If you encrypt the Certificate Signing Request, we will email you to re-create the CSR since we will be unable to process the order.

    Distinguished Name

    A user will be asked to enter the server's distinguished name when generating the CSR. Distinguished names uniquely identify individual servers, and contain the following information:

    1) Common Name: The Common Name is the fully qualified domain name used for DNS lookups of a server (such as www.domaincontender.com). This information is used by browsers to identify the website. Client browsers connecting to your host will check for a match between the certificate's common name and the URL. Do not include the "http://" or "https://" in the Common Name.

    2) Organization or Company: This should be the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Do not abbreviate or use any of these symbols: ! @ # $ % ^ * ( ) ~ ? > < /

    3) Organizational Unit: This is an optional field used to differentiate between divisions within an organization, for example, "Marketing" or "Research and Development." If the organization is doing business as ("dba") a trade name, you may specify the trade or dba name in this field.

    4) City/Locality: This is an optional field in most situations. Do not use abbreviations. For example, spell "New Orleans," instead of "N.O." If the organization is registered locally only, for example by virtue of having a business license registered with the City Clerk, the Locality/City field must contain the name of the city where registered. In this case, the State/Province field is required.

    5) State/Province: U.S. and Canadian customers must enter a State or Province name. In the United States, if your organization is incorporated in the state of Washington, but is operating within Louisiana, use Louisiana. Do not abbreviate. International customers must enter either a State/Province or a City/Locality. Do not abbreviate.

    6) Country: This is the 2-character ISO format country code. For example, AU is the code for Australia, and BR is the valid code for Brazil.

    More on the Common Name

    When generating a Certificate Signing Request (CSR) from the web server, a user will be required to enter a Common Name.

    The Common Name is typically composed of Host + Domain Name and will look like "www.mycompany.com" or "mycompany.com." Our Server IDs are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. So please be careful when you decide the Common Name. This information cannot be changed after the certificate is issued. For example, if the user enters xyz.com as the Common Name but directs visitors to www.xyz.com or secure.xyz.com, then because www.xyz.com and secure.xyz.com are different from xyz.com, visitors will see the Certificate Name Check alert box in their browser until the user either redirects them or purchases a new certificate for the Common Name www.xyz.com or secure.xyz.com.

    When the Server ID will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.

    We do not offer Wild Card Certificates such as: *.yourdomain.com
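
A pre-submission check for the Distinguished Name rules above, followed by non-interactive key and CSR generation with OpenSSL. This is an added example, not Domain Contender's tooling; the function names, the output file names server.key and server.csr, and the 2048-bit RSA key size are assumptions of the example.

```shell
#!/bin/sh
# Added example: lint Distinguished Name fields against this guide's rules,
# then create the key and CSR non-interactively. Sample values are constructed.
LC_ALL=C; export LC_ALL

FORBIDDEN='<>~!@#$%^*/()?'   # characters the guide says are not accepted

# lint_dn CN ORG OU LOCALITY STATE COUNTRY
# Prints one line per problem; returns 0 only if every rule passes.
lint_dn() {
    cn=$1 org=$2 ou=$3 loc=$4 st=$5 c=$6
    bad=0
    case "$cn" in
        "")                   echo "CN: required"; bad=1 ;;
        http://*|https://*)   echo "CN: leave out http:// or https://"; bad=1 ;;
        *\**)                 echo "CN: wildcard certificates are not offered"; bad=1 ;;
        *[$FORBIDDEN]*|*" "*) echo "CN: must be a bare host name"; bad=1 ;;
    esac
    for pair in "O:$org" "OU:$ou" "L:$loc" "ST:$st"; do
        case "${pair#*:}" in
            *[$FORBIDDEN]*) echo "${pair%%:*}: contains a character that is not accepted"; bad=1 ;;
        esac
    done
    [ -n "$org" ] || { echo "O: use the organization's registered legal name"; bad=1; }
    case "$st" in
        [A-Z][A-Z]) echo "ST: spell the name out, do not abbreviate"; bad=1 ;;
    esac
    case "$c" in
        [A-Z][A-Z]) ;;
        *) echo "C: must be the 2-character ISO country code"; bad=1 ;;
    esac
    case "$c" in
        US|CA) [ -n "$st" ] || { echo "ST: required for U.S. and Canadian applicants"; bad=1; } ;;
        *)     [ -n "$st$loc" ] || { echo "ST/L: give a State/Province or a City/Locality"; bad=1; } ;;
    esac
    return "$bad"
}

# make_csr OUTDIR CN ORG OU LOCALITY STATE COUNTRY
# Refuses to call OpenSSL until the fields pass lint_dn.
make_csr() {
    out=$1; shift
    lint_dn "$@" || return 1
    subj="/C=$6${5:+/ST=$5}${4:+/L=$4}/O=$2${3:+/OU=$3}/CN=$1"
    # -nodes writes the key without a passphrase, so umask keeps the file
    # unreadable by group and others. No challenge password is set on the CSR.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/server.key" -out "$out/server.csr" -subj "$subj" ) || return 1
    # A CSR is encoded, not encrypted: decode it to see what the CA will see.
    openssl req -in "$out/server.csr" -noout -verify -subject
}

# Usage (constructed values):
#   make_csr . www.xyz.com "XYZ Holdings Inc" "" "New Orleans" Louisiana US
```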

    Troubleshooting FAQs

    Can I use symbols when generating a CSR? The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / ( ) ?.

    My CSR has been rejected during the application process. How can I proceed? To apply for your Web Server Certificate, you must have a CSR that is valid and properly formatted. If your CSR has been rejected, please be sure that you have cut and pasted the entire CSR into the appropriate field, including the dash marks at the beginning and ending of the text area. If your CSR is still rejected, you will need to regenerate it using the web server on which you plan to host your secure website.

    What should I do if the WHOIS information doesn't match the information generated by the CSR? If the WHOIS information for your domain name doesn't match the information generated by the CSR, you can either change the WHOIS information or regenerate your CSR with the correct information.

    What can I do if my application has been rejected? The most common reason for a certificate application to be rejected is inconsistency with the WHOIS information, CSR information and contact information that you provided during the application process. If your application has been rejected, you can contact our Customer Support Department and we will assist you to find out what caused the application failure. When you resubmit your certificate request, please ensure that all of the information provided is correct and consistent.

    I can't install my certificate. What do I do? First of all, please check the webserver software-specific installation FAQs listed on our website. If you've lost your key or password, and don't have a backup, then you will have to purchase a new certificate.

    I am receiving an error “Certificate was issued by a company you have not chosen to trust.” What does this mean? This error is usually generated due to an incomplete installation. You must load the Certificate Authority certificates listed below into your web server, otherwise an error will occur.

    Please install the CA certificates required: https://secure.domaincontender.com/help/guides/ca-certs.zip

    The security padlock is not displayed in my browser when accessing my secure page. What’s wrong? If your site is set up in a frame, then this can be the problem. Frames are usually located in a non-secure http directory on your server. When you access an SSL page, with non-secure frames, you will not see a padlock, even though the page is encrypted and secure. You can check the page information for details about that page. If you want the padlock displayed on your secure page, you can decide not to use frames.

    How can I specify the frames I use on my website to be secure? Please make sure that you have sourced the frames from https in your HTML.

    How can I renew my Microsoft IIS server certificate? The renewal feature on IIS servers is inconsistent and we do not suggest using this tool to create your replacement CSR. The suggested renewal for an IIS server is to first verify your server has all the recent updates and patches installed. Next, create a test site for your new CSR generation so you do not have to remove your current certificate from the server.

    Managing Certificate

    Check the size of the certificate

    After you have installed your certificate, connect to a secure page on your server using a Web browser.

    1) If you are using Internet Explorer, click on File > Properties.

    2) If you have OpenSSL, you can use the following command to check: openssl x509 -noout -text -in followed by the path to your certificate file.

    3) Some webservers will display key size information in the properties of your key/cert.

    Keep the private key secret

    Your digital private key is the critical portion of your online identity. Once you receive your own digital signing certificates, keep your private key as secure as possible. If another person got a hold of your private key, they would have the potential to distribute information on the Internet or intranet in your name. Specifically, do not place your private key on removable media, on shared drives, or send it in e-mail.

    If your key was compromised, you could be held legally responsible for the actions of someone else. If the private key of your digital certificate has been compromised you should notify us and revoke the certificate at once. Domain Contender provides certificates, but you are the person who is responsible for key management.

    Lost key

    If you lose your private key, no one can help you. We cannot generate a private key for you. Only you have the access to your private key, which makes the whole system secure.

    If you cannot find your private key, you may first check your backups and see if you can re-install the private key. If you don't know how to re-install the key from your backups, please read the manuals. If you still cannot reinstall your private key, you can contact your server software vendor for technical support. So if you use MS IIS, then please contact Microsoft support or take a look at their Website knowledge base. Once you've gone through these steps but are still not able to re-install the certificate, you will have to get a new certificate and generate your CSR again. We can replace any order within the year you purchased it as long as you are requesting the same Common Name.

    Lost password

    The password protects your system security and integrity. Losing the password effectively means you have lost your key. You will have to receive a new certificate. So please make backups for any important information. Our current certificates do allow you one year to request replacement of any order, only under the same Common Name.

    Certificate replacement policy

    We will replace, revoke, and refund domaincontender.com powered certificates that have been issued within twenty (20) days of the certificate issue date.

    If you need a new certificate with a new Common name after twenty days, you will be responsible for purchasing a new server certificate.

    Certificate revoke policy

    You may request revocation of your certificate any time for any reason. To revoke a certificate, send a Trouble ticket from your account or a fax request to us at 504-566-0484. Please include the following information in your fax:

    · The subject line should read "SSL Revocation Request"

    · The domain name of the certificate or the certificate reference number

    · Organization contact

    · Reason for revocation

    · The telephone number and email address of the contact who should be notified of the revocation

    · Signature and date

    Upon receipt of this request, we will contact the appropriate person within your organization and revoke your certificate within 72 hours.

    Check expiration date

    After you install your certificate, you can visit your secure website and check the expiration date of your certificate by performing the following steps depending on which type of Internet browser you are using:

    Internet Explorer:

    1. Click "File" in the main menu.
    2. Select "Properties".
    3. Depending on the version of Internet Explorer you are using, click either the "Security" tab or the "Certificates" button.
    4. Read the certificate information that pops up in a new window.

    Netscape Navigator:

    1. Click the "Security" button in the menu bar.
    2. Click the "View Certificate" button in the window that pops up.
    3. Read the certificate information that pops up in a new window.

    Security information often appears in the lower right hand corner of an open browser as a key or padlock. On a non-secure page, the padlock will appear to be open or the key will appear broken. The key will be whole or the padlock locked on a secure site. Click on the key or the padlock to view security information for the page you are viewing.

    Technical Support

    For the most up-to-date and accurate assistance with problems you might have with SSL certificates, refer to the Domain Contender Help file at our website: http://www.domaincontender.com

    If you cannot find the answers to your questions, please contact us using our Trouble Ticket System at: http://www.domaincontender.com/tts/

    Appendix A -- Web Server Certificates Installation Instructions

    Certificate installation instructions are available for the Web servers listed below.

    Please note if your Web server is operated by an ISP or hosting service, they will install your Web server certificate for you.

    Apache

    Step one: Copy your certificate to a file

    You will receive an email with the certificate. When viewed in a text editor, your certificate will look something like:

    -----BEGIN CERTIFICATE-----
    MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
    (.......)
    E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
    K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
    -----END CERTIFICATE-----

    Copy your Certificate into the directory that you will be using to hold your certificates.

    It is recommended that you make the directory that contains the private key file only readable by root.

    Step two: Install CA Certificates

    You will need to install the chain certificates (intermediates) in order for browsers to trust your certificate. Apache users can install the intermediate certificates using a 'bundle' method.

    In the Virtual Host settings for the appropriate site, in the httpd.conf file, you will need to complete the following:

    1. Copy the ca-bundle.crt (this file was included in the ca-certs.zip file emailed to you) file to the directory where you store your certificate files.

    2. Add the following line to the SSL section of the httpd.conf (assuming /usr/local/etc/apache/ssl.crt/ is the directory where you have copied the ca-bundle.crt file). If the line already exists, make sure you replace it.

    SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt

    If you are using a different location you will need to change the path and filename to reflect your server.

    The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):

    SSLCertificateFile /usr/local/etc/apache/ssl.crt/yourhostname.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/private.key
    SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt

    Save your httpd.conf file and restart Apache.
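
Checks worth running on the three files named in the SSL section before the restart: key permissions, key and certificate pairing, chain verification against the bundle, and expiry. This is an added example, not part of the vendor's instructions; the function names are the example's own and it assumes the OpenSSL command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate, key and CA bundle that
# httpd.conf points at. Function names are this example's own.

# No group/other permission bits on a key file or on the directory holding it.
key_is_private() {     # PATH
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# The certificate and the private key carry the same public key.
key_matches_cert() {   # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate verifies against the CA bundle. The "OK" line is matched
# because old OpenSSL releases exit 0 even when verification fails.
chain_verifies() {     # CERT CA_BUNDLE
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# True when the certificate expires within DAYS days (or cannot be read).
expires_within() {     # CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

check_install() {      # CERT KEY CA_BUNDLE
    rc=0
    key_is_private "$2"        || { echo "FAIL: $2 is accessible to group or others"; rc=1; }
    key_is_private "$(dirname "$2")" || echo "WARN: key directory is accessible to group or others"
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    chain_verifies "$1" "$3"   || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    if expires_within "$1" 30; then echo "WARN: $1 expires within 30 days"; fi
    # Common Name, expiry date and key size, without opening a browser.
    openssl x509 -in "$1" -noout -subject -enddate
    openssl x509 -in "$1" -noout -text | grep 'Public-Key' || true
    return "$rc"
}

# Usage with the paths from the httpd.conf example above:
#   sh check_install.sh /usr/local/etc/apache/ssl.crt/yourhostname.crt \
#       /usr/local/etc/apache/ssl.key/private.key \
#       /usr/local/etc/apache/ssl.crt/ca-bundle.crt
if [ "$#" -eq 3 ]; then check_install "$@"; fi
```

A FAIL on the chain check is the server-side counterpart of the browser error about a company "you have not chosen to trust".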

    Apache + Raven

    You will receive your new certificate via email. It is pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server, or copy the certificate from the body of the email and create a text file.

    ****Note: The examples below use the following naming convention: "Your Web Server Certificate" = "mydomain.com.cert"

    Start the Raven PKI Certificate Manager, using the command: /usr/local/raven/bin/ravenctl

    Choose Install CA Signed Certificate.

    You will be prompted for the location of your web server certificate (mydomain.com.cert). Identify the temporary location (/tmp) and the name of your web server certificate. The certificate will be installed in the following directory:

    /usr/local/raven/module/pki/certs

    Edit Apache's HTTPDS.CONF file to point the Raven SSL module to the new certificate and key.

    SSLCertificateFile /usr/local/raven/module/pki/certs/servername.cert
    SSLCertificateKeyFile /usr/local/raven/module/pki/keys/servername.key

    Save the HTTPDS.CONF file

    Restart the Server: /usr/local/apache/bin/httpsdctl restart

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    Apache + Raven 1.5x

    Start RavenCTL:

    cd /usr/local/raven/bin
    ./ravenctl

    Enter the path to the server certificate that you received via email to install the CA Signed Certificate.

    Start RavenCTL

    Change directories to the /apacheserverroot/conf directory;

    cd /usr/local/apache/conf

    Edit Apache's HTTPDS.CONF file to point the Raven SSL module to the new certificate.

    SSLCertificateFile /usr/local/raven/module/pki/certs/servername.cert
    SSLCertificateKeyFile /usr/local/raven/module/pki/keys/servername.key

    Start your web server

    Apache + SSLeay

    You will receive your certificate via email, pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server or copy the certificate from the body of the email and create a text file.

    ***Note: The examples below use the following naming conventions: "Your Web Server Certificate" = "mydomain.com.cert"

    Change directories to apacheserverroot/conf directory.

    ****Note: Copy the entire certificate contents from the
    -----BEGIN CERTIFICATE-----
    up to and including the
    -----END CERTIFICATE----- lines.

    If you have not already set up a secure virtual host, refer to the following link for more information:
    http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html#toc4

    Open the httpd.conf file in a text editor.

    Locate the secure virtual host that you have purchased the certificate for. You should have the following directives within this virtual host. Please add them if you do not.

    SSLCertificateFile /apacheserverroot/certs/mydomain.com.crt
    SSLCertificateKeyFile /apacheserverroot/mydomain.com.key (or server.key)

    Save the changes and exit the text editor.

    Start or restart your apache web server.

    apacheserverroot/bin/httpd restart
    or
    apacheserverroot/bin/httpd start

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    BEA Weblogic

    When you receive your certificates you need to store them in the mydomain directory.

    Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.

    To use a certificate chain, append the additional PEM-encoded digital certificates to the digital certificate that Comodo CA issued for the WebLogic Server. This is the intermediate CA. The last digital certificate in the file chain will be the GTECybertrust digital certificate that is self-signed (that is, the rootCA certificate).

    To configure WebLogic Server to use the SSL protocol, enter the following information on the SSL tab in the Server Configuration window:

    In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for WebLogic Server. In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for Comodo who signed the digital certificate of WebLogic Server. In the Server Key File Name field, enter the full directory location and name of the private key file for WebLogic Server.

    Use the following command-line option to start WebLogic Server:

    -Dweblogic.management.pkpassword=password

    where password is the password defined when requesting the digital certificate.

    Storing Private Keys and Digital Certificates

    Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received into the mydomain directory. Private Key files and digital certificates are generated in either PEM or Distinguished Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    -----END ENCRYPTED PRIVATE KEY-----

    A PEM (.pem) format digital certificate begins and ends with the following lines, respectively:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    Note: Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.

    The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain. A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file.


    Note: If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER format files to PEM format, and vice versa.

    C2Net Stronghold

    Note: There are TWO certificates that need to be installed during this process. The first is the "Site" certificate, contained in the email from domaincontender.com. The second is the "Bundled intermediate certificate"; you can use the zip file for this, or it can be obtained from our web site: https://secure.domaincontender.com/help/guides/ca-certs.zip

    If you already have a temporary certificate in your /ServerRoot/ssl/certs directory, move, rename or delete it. Run the command "getca servername", where "servername" is the same name created during generation of the key or certificate request ("genkey servername" or "genreq servername"). Open the site certificate in the e-mail from Domain Contender with a text editor and copy the content (including the lines below), as shown below, to your clipboard:

    Include the headers and footers of the certificate; beginning with

    -----BEGIN CERTIFICATE-----
    and including
    -----END CERTIFICATE----- .

    Paste the contents into the terminal window where you ran "getca". Enter Control-D or the appropriate EOF character for your terminal.

    Before restarting the server please install the intermediate certificate as below.

    Next, retrieve the Certificate Authority information from the ca-certs.zip certificate from the email and copy the certificate content (including the lines below), as shown below, to your clipboard:

    Include the headers and footers of the certificate; beginning with

    -----BEGIN CERTIFICATE-----
    and including
    -----END CERTIFICATE----- .

    Paste the content into the file "ssl/certs/ca_new.txt" located in your ServerRoot directory. Change the SSLCACertificateFile directive in your httpd.conf file to point to the bundle file (ca_new):
    SSLCACertificateFile ssl/certs/ca_new.txt

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    CPanel

    Once you have received the SSL certificates you can install the certificate using Webhost Manager. You need both the certificate and key files to install the certificate.

    Click on the 'Install an SSL Certificate and Setup the Domain' link in the SSL/TLS menu.

    Enter the domain, user name, and IP address for the certificate in the 'Domain', 'User', and 'IP Address' fields.

    Click on the 'Fetch' button to pull the .key and .crt files for the domain into the available display spaces, if they are currently on your server. Otherwise, copy and paste the .key and .crt files into the available display areas.

    Note: If you generated the certificate using Webhost Manager, the certificate files will be available. Open the ComodoClass3SecurityServicesCA.crt in a text editor. Paste the text from the ComodoClass3SecurityServicesCA.crt into the 'Install an SSL Cert' display area.
    Click on the 'Do it' button.

    Cobalt RaQ4/XRT

    Installing the site certificate

    Go to the Server Management screen.
    Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the SSL enabled virtual site.
    Click SSL Settings on the left side.
    Copy the entire contents of the site certificate that you received, including

    -----BEGIN CERTIFICATE-----
    and
    -----END CERTIFICATE-----

    Paste the new certificate information that you copied into the "Certificate" window.
    Select "Use manually entered certificate" from the pull-down menu at the bottom.
    Click Save Changes.

    Install the Intermediate Certificate

    You will need to install the intermediate CA certificate in order for browsers to trust your certificate. The intermediate CA certificate was included in the email we sent you with the certificate and it is in the link below.

    https://secure.domaincontender.com/help/guides/ca-certs.zip

    The following will require that you access the httpd config file.

    In the GlobalSSL Setting in the httpd.conf file, you will need to complete the following:

    Copy the intermediate CA to the same directory as httpd.conf and name it ca.txt
    Add the following line to the SSL section of the httpd.conf (assuming /etc/httpd/conf is the directory to where you have copied the intermediate CA file)
    If the line already exists amend it to read the following:
    SSLCACertificateFile /etc/httpd/conf/ca.txt

    Note: If you are using a different location and certificate file names you will need to change the path and filename to reflect the path and file name that you are using.

    Cobalt Raq Guides:

    RAQ 4 http://domaincontender.com/help/guides/raq4.pdf
    RAQ 550 http://domaincontender.com/help/guides/raq550en.pdf
    RAQ XTR http://domaincontender.com/help/guides/raqxtr.pdf

    Ensim Web appliance 3.1.x

    Step One: Loading the Site Certificate

    You will receive an email from Comodo with the certificate in the email (yourdomainname.crt). When viewed in a text editor, your certificate will look something like:

    -----BEGIN CERTIFICATE-----
    MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF (.......)
    K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
    -----END CERTIFICATE-----

    Copy your Certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labelled private.key and the public key will be yourdomainname.crt.

    It is recommended that you make the directory that contains the private key file only readable by root.

    Login to the Administrator console and select the site that the certificate was requested for.

    Select Services, then Actions next to Apache Web Server and then SSL Settings. There should already be a 'Self Signed' certificate saved.

    Select 'Import' and copy the text from the yourdomainname.crt file into the box.

    Select 'Save'. The status should now change to successful.

    Log out. Do not select Delete, as this will delete the installed certificate.

    Step two: Install the Intermediate/Root Certificates

    You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. In addition to your SSL certificate (yourdomainname.crt), two other certificates, named GTECyberTrustRootCA.crt and ComodoClass3SecurityServicesCA.crt, are also attached to the email from Comodo. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.

    CA certificates required for installation:
    https://secure.domaincontender.com/help/guides/ca-certs.zip

    In the Virtual Host settings for your site, in the virtual site file, you will need to add the following SSL directives. This may be achieved by:

    1. Copy this ca-bundle file to the same directory as the certificate (this contains all of the CA certificates in the Comodo chain, except the yourdomainname.crt).

    2. Add the following line to the virtual host file under the virtual host domain for your site (assuming /etc/httpd/conf is the directory mentioned in 1.), if the line already exists amend it to read the following:

    SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt

    If you are using a different location and certificate file names you will need to change the path and filename to reflect this.

    The SSL section of the updated virtual host file should now read similar to this example (depending on your naming and directories used):

    SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
    SSLCertificateKeyFile /etc/ssl/crt/private.key
    SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt


    Save your virtual host file and restart Apache. You are now all set to start using your Comodo certificate with your Apache Ensim configuration.
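    The recommendation in Step One to keep the private key directory readable only by root can be checked with a short audit. This is an added example, not part of the Ensim or Comodo instructions; the function name and the expected_uid parameter are assumptions made for illustration, and it assumes a POSIX file system.

```python
import os
import stat

# Matches "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY", ...
KEY_MARKER = b"PRIVATE KEY-----"
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_key_dir(path, expected_uid=0):
    """Return findings for a directory holding TLS private keys (empty list = clean).

    expected_uid is the owner the directory should have; 0 (root) matches the
    recommendation in the text and is an assumption of this example.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & GROUP_OTHER:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: directory mode {mode:04o} gives group/other access")

    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        fst = os.lstat(full)                 # lstat: do not follow symlinks
        if not stat.S_ISREG(fst.st_mode):
            continue
        try:
            with open(full, "rb") as fh:
                is_key = KEY_MARKER in fh.read(4096)
        except OSError:
            continue                         # unreadable to us; nothing to classify
        if is_key and fst.st_mode & GROUP_OTHER:
            mode = stat.S_IMODE(fst.st_mode)
            findings.append(f"{full}: private key mode {mode:04o} gives group/other access")
    return findings


if __name__ == "__main__":
    import sys
    # /etc/ssl/crt is the directory used in the example above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/crt"
    for line in audit_key_dir(target):
        print(line)
```

    Certificates (.crt) in the same directory are public and are not flagged; only files carrying a private key header are checked.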

    Hsphere Web Server

    1. After you receive your SSL certificate, first visit our web site and download the site file and the bundle file (rootchain) certificates to a secure location.
    https://secure.domaincontender.com/help/guides/ca-certs.zip

    2. Click SSL on your control panel home page.

    3. Go to the Web Service page and click the Edit icon in the SSL field.

    4. In the form that opens, enter the SSL certificate into the box Install Certificate based on previously generated Certificate request and click Upload:

    5. Enter the rootchain certificate into the box Certificate Chain File and click Install:

    6. Now you can use the SSL certificate.

    IBM HTTP

    Domain Contender sends more than one certificate. In addition to the secure SSL certificate for your server you will also receive an Intermediate CA Certificate and a Root CA Certificate. Before installing the server certificate, install both of these certificates. Follow the instructions for 'Storing a CA certificate'.

    Note: If the authority who issues the certificate is not a trusted CA in the key database, you must first store the CA certificate and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA who is not a trusted CA. For instructions see 'Storing a CA certificate'.

    Storing a CA Certificate:

  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
  • Select Key Database File from the main User Interface, select Open.
  • In the Open dialog box, select your key database name. Click OK.
  • In the Password Prompt dialog box, enter your password and click OK.
  • Select Signer Certificates in the Key Database content frame, click the Add button.
  • In the Add CA Certificate from a File dialog box, select the certificate to add or use the Browse option to locate the certificate. Click OK.
  • In the Label dialog box, enter a label name and click OK.

    To receive the CA-signed certificate into a key database:

  • Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
  • Select Key Database File from the main User Interface, select Open.
  • In the Open dialog box, select your key database name. Click OK.
  • In the Password Prompt dialog box, enter your password and click OK.
  • Select Personal Certificates in the Key Database content frame and then click the Receive button.
  • In the Receive Certificate from a File dialog box, select the certificate file. Click OK.

    Note: The configuration file httpd.conf contains default settings. If you have installed a previous version of the Web server, your existing configuration file is preserved as httpd.conf and the default configuration file is renamed httpd.conf.default.

    Restart your web server.

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    IBM WebSphere Advanced Single Server Edition 4.0

    Before you can enable SSL on WebSphere, you need to have your own certificate. This can be a self-signed certificate for testing purposes, but in any production case you should have a certificate issued by a Trusted CA. The following steps describe how to get your own certificate and later how to configure WebSphere to use it.

    Installing a certificate chain

    Before you can add your certificate into the keystore, you must first include the certificates chain. You must install the following public certificates:

    Root (GTE root certificate) Root
    Primary Server certificate (ComodoSecurityServicesCA certificate) PrimServer
    Server certificate Server

    You can add the certificates chain from the Signer Certificates screen.

    Click on the Add button. A dialog box will appear where you have to enter the data, the Certificate file name (the certificate file you received) and its location. Once all of this information is entered click on OK.

    Installing your site certificate

    You can import it into your keystore. In the IBM Key Management console, select in the dropdown the option Personal Certificates.

    Then click on the button Receive. A dialog box will appear where you have to enter the data, the Certificate file name (the certificate file you received) and its location. Once all of this information is entered click on OK.

    Enabling SSL

    Once your keystore has been successfully configured with your certificate, you can now enable SSL in WebSphere Application Server.

    In IBM WebSphere, SSL can be configured for each component. For more information on how to enable/configure it for each of them, please go to the IBM Web site at http://www-4.ibm.com/software/webservers/appserv/support.html

    iPlanet Enterprise Server 4.1

    Start Netscape Suitespot Server Administration page.

    Log in as the web server administrator.

    Select Security tab at the Server Administration page.

    Click Install Certificate on the left side menu frame.

    *Open the GTECyberTrustRootCA.crt in a text editor.

    Select Server Certificate Chain, enter the password.

    Select Message Text with headers.

    Cut and paste the contents of Your Web Server Certificate.

    Include the headers and footers of the certificate; beginning with
    -----BEGIN CERTIFICATE----- and including -----END CERTIFICATE----- .

    Click OK.

    Accept the certificate.

    NOTE: Do not shutdown or restart the server until all steps have been completed.

    Repeat the steps from * above using the text from the GTECyberTrustRootCA.crt.

    For the site certificate again repeat the steps from * above, but this time choosing This Server instead of Server Certificate Chain.

    At this stage all the certificates are installed and SSL now needs to be activated.

    Go to Preferences and select View Server Settings to check your security settings.

    Click on Security.

    The Encryption On/Off page is displayed.

    The Encryption should be On. The port number is 443.

    Click OK in the warning box.

    Type the password you used when you generated the key pair in the popup window.

    Save and apply the changes.

    Click OK to return to the previous page.

    Now add Server for Port 80

    Click on Servers.

    Select Add Server.

    Click OK to return to the previous page.

    Click View Server Settings to verify the settings for port 80 and port 443.

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    Java Based Web Servers

    The certificates you receive will be:
    GTECyberTrustRoot.crt
    ComodoSecurityServicesCA.crt
    domain.crt

    These must be imported in the correct order:
    GTECyberTrustRoot.crt
    ComodoSecurityServicesCA.crt
    domain.crt

    Note: Please replace the example keystore name 'domain.key' with your keystore name.

  • Use the keytool command to import the certificates as follows:
    keytool -import -trustcacerts -alias root -file GTECyberTrustRoot.crt -keystore domain.key
  • Use the same process for the Comodo certificate using the keytool command:
    keytool -import -trustcacerts -alias comodo -file ComodoSecurityServicesCA.crt -keystore domain.key
  • Use the same process for the site certificate using the keytool command. If you are using an alias, include the alias option in the string. Example (where yyy is the alias specified during CSR creation):
    keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key
  • The password is then requested:
    Enter keystore password: (This is the one used during CSR creation)
  • The following information will be displayed about the certificate and you will be asked if you want to trust it (the default is no so type 'y' or 'yes'):
    Owner: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
    Serial number: 1a3
    Valid from: Fri Feb 23 23:01:00 GMT 1996 until: Thu Feb 23 23:59:00 GMT 2006
    Certificate fingerprints:
    MD5: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
    SHA1: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64
    Trust this certificate? {no}:
  • Then an information message will display as follows:
    Certificate was added to keystore
  • All the certificates are now loaded and the correct root certificate will be presented.

    Lotus Domino Go 4.6.2.6 and higher

    Start the MKKF utility by typing mkkf in a DOS window.

    Select "O" to Open an existing key ring file. Type the name of the file (usually keyfile.kyr). You will be prompted for the password.

    *Note: If you start the "mkkf" utility from the directory that contains your certificate you will not need to include the path.

    Select "R" to receive a certificate into the Key Ring File.

    Enter the server certificate file name (eg. "server.txt").

    Select "W" to Work with keys and certificates.

    Select "L" to List/Select the key to work with. Select "N" until you find the servername.key file.

    Select "S" to Select this certificate.

    Select "F" to mark this key as the selected deFault key.

    Select "X" to exit this menu.

    Select "C" to Create a "stash file" for the key ring.

    Note: This is an important step, which is often overlooked!

    Select "X" to exit the menu.

    Select "Y" - Yes - to save all changes to the key file and confirm the update.

    Repeat the steps above to install the CA certificate before enabling SSL and restarting your server.

    Enabling SSL on your Domino Go Web Server

    Access the web server via your browser. Select "Configuration and Administration Forms" .

    Scroll down to security. Select Security Configuration.

    Ensure that "Allow SSL connections using port 443" is selected.

    Ensure that the correct Key Ring file is listed.

    Apply the changes

    Restarting your Web Server

    You will need to stop and start your web server with the following commands:

    stopsrc -s httpd

    startsrc -s httpd

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your web browser will be displayed in the locked position if you have set up your site properly.

    Lotus Domino 4.6x and higher

    Enter the Server Certificate Administration application.

    Open Server Certificate Administration, the database you set up for your web server.

    Select Install Certificate Into Key Ring.

    Install your new server certificate.

    Configuring your SSL

    Enter the Server Certificate Admin application and double-click on your server name.

    Select the Ports tab.

    Select the Internet Ports tab.

    Select Edit Server at the upper left corner.

    Enter the SSL parameters for your server.

    Verify the path to your keyfile in the SSL key file name field.

    Click Save and Close at the upper left corner.

    Close the Lotus Notes client window.

    This process above must be completed for all certificates provided for this order.
    Please repeat the above steps to install the CA certificate before restarting your server.

    Stop and restart your server. The message HTTP web server started will appear.

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    Microsoft Internet Information Server 4.0

    Note: For Windows NT 4.0, you must have Service Pack 4.0 or higher, or Microsoft Internet Explorer 5.0.

    Installing your Web server Certificate

    Start the MS IIS Management Console and select your server.

    Click on the Key Manager icon. Select your original key.

    Select Install Key Certificate from the Key menu.

    Choose Your Web Server Certificate.crt file sent to you via email. This file should be the name of your domain/or company with a .crt extension. For example: Your Web Server.crt .

    Type in your original key's password.

    Click OK in the Server Bindings box.

    Select Commit from the Computers menu. Click Yes to commit all changes.

    Stop then Start Your Web Server

    Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

    Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    Backing up your key pair file

    Unlike other files, key pair files cannot just be copied. To make the backup, you must do an "export." To restore your system, you must do an "import."

    This process assumes identical web server configurations are used for exporting the key as well as for importing the key. So both servers must be IIS. You can't go from one type of server to another.

    Exporting your key

    Open your Microsoft Management Console via the IIS Internet Service Manager.

    Click to open the Key Manager.

    Select the key to be exported.

    Select the Key menu and choose Export Key Backup File. Click OK in the Key Manager Warning box.

    Specify the destination for saving your key, press OK.

    Close your Key Manager and Management Console windows.

    Please remember your password that was used to install your certificate. You will need this password if you ever need to recover your certificate through the import process.

    Microsoft Internet Information Server 5.x / 6.x

    1. Installing the Root & Intermediate Certificates:

  • Unzip the ca-certs.zip file you received in the email to the desktop of the webserver machine, then:
  • Click the Start Button then select Run and type mmc

  • Click File and select Add/Remove Snap in

  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add

  • Select Computer Account and click Finish

  • Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in

  • Return to the MMC
  • To install the GTECyberTrustRoot Certificate:

  • Right click the Trusted Root Certification Authorities, select All Tasks, select Import.

  • Click Next.

  • Locate the GTECyberTrustRoot Certificate and click Next.

  • When the wizard is completed, click Finish.
  • To install the ComodoSecurityServicesCA Certificate:

  • Right click the Intermediate Certification Authorities, select All Tasks, select Import.

  • Complete the import wizard again, but this time locating the ComodoSecurityServicesCA Certificate when prompted for the Certificate file.

  • Ensure that the GTECyberTrustRoot certificate appears under Trusted Root Certification Authorities

  • Ensure that the ComodoSecurityServicesCA appears under Intermediate Certification Authorities

    2. Installing your IIS SSL Certificate:

  • Copy the certificate text from the email you received (text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) to notepad and save the file with a .cer extension.
  • Select Administrative Tools

  • Start Internet Services Manager
  • Open the properties window for the website. (If you used the 'dummy site' method we described in our CSR generation instructions to renew your certificate, then select the 'dummy site' here.) You can do this by right clicking on the web site and selecting Properties from the menu.

  • Click on the Directory Security tab

  • Click Server Certificate. The following Wizard will appear:

  • Choose to Process the Pending Request and Install the Certificate. Click Next.

  • Enter the location of your IIS SSL certificate (this is the file you saved from notepad with the .cer extension) (you may also browse to locate your IIS SSL certificate), and then click Next.

  • Read the summary screen to be sure that you are processing the correct certificate, and then click Next.

  • You will see a confirmation screen. When you have read this information, click Next.

  • You now have your IIS SSL server certificate installed.
  • If you used the 'dummy site' method:
    ***

  • Now that you have completed the installation of the certificate on the 'dummy site', Windows has stored the certificate in a pool of certificates on the machine.
  • Go to the current website, 'Directory Security' tab and choose the 'Server Certificate' button.
  • There will be an option in the wizard to 'Replace' the current certificate.
  • This will show a list of all the certs on the machine, one of which will be the recently created one. Select this, and the certificate changeover will happen instantaneously.
  • ***

  • To verify that SSL is turned on for this web site, in the properties window for the site click the Web Site tab. Make sure the box labeled SSL contains 443.
  • Finally, you must now restart the computer to complete the installation.
  • Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver.com/) to indicate you wish to use secure HTTP.

    Backup in Microsoft IIS 5.x ,6.x

    Optional Stage

    To back up the Certificate with the Private Key attached in Microsoft IIS 5.x, 6.x, follow these instructions:

    1. Start > run > MMC
    2. Go into the Console Tab > 'File' > 'Add/Remove Snap-in'
    3. Click on 'Add' > Click on 'Certificates' and click on 'Add'
    4. Choose 'Computer Account'
    5. Choose 'Local Computer'
    6. Close the 'Add Standalone Snap-in' window.
    7. Click on 'OK' at the 'Add/Remove Snap-in' window.
    8. Open up the 'Certificates' Console Tree
    9. Look for a folder called 'Personal' > 'Certificates'
    10. Select the Certificate that you wish to back up.
    11. Right-click on the file and choose > ALL TASKS > Export
    12. The "Certificate Export Wizard" will start up. Click on 'Ok'
    13. Choose "Yes, export the private key". Click on 'Next'.
    14. Leave the default settings and click on 'Next'

    15. Set a password to protect the export of the Certificate with the Private Key file attached. Click on 'Next'

    16. Choose to save the file to a set location.
    Type the file name in the 'File Name' box, and click 'Save'.
    Click on 'Next'

    The file is given a *.pfx file-name extension and should be saved to a 3 1/2" disk on the a: drive or your hard disk drive.

    It is important to keep a copy of the Private Key that does not reside on the actual server, in case the server crashes.

    17. Click 'Finish'

    18. You will receive a message that states "The export was successful" when the export has been completed. Click 'Ok'

    Microsoft: Outlook Web Access 2000

    Securing Your Outlook Web Access 2000 Implementation Using SSL

    Certificate Installation

  • Open Internet Services Manager from your Administrative Tools.
  • Open the Properties for the Web Site that is hosting OWA (normally the Default Web Site).
  • Select the "Directory Security" tab and then click on the "Server Certificates" button.
  • You will now be presented with the "Pending Certificate Request" dialogue box (below), select "Process the pending request and install the certificate", click Next.
  • The "Process a Pending Request" dialogue box will appear (below). Navigate to the site certificate that you received and click Next.
  • You will now be presented with the "Certificate Summary" (below), click Next.
  • Next you will need to install the intermediate certificate, please follow the instructions at: Microsoft Internet Information Server 5.x / 6.x
    http://www.domaincontender.com/help/guides/index.php?guide_id=7#208

    You have now installed the SSL certificate into your web site. The next step is to enable SSL for OWA, which is a pretty simple task.

  • Using the Internet Services Manager, open the properties for the "Exchange" virtual directory.
  • Select the "Directory Security" tab and then click on the "Edit" button in the Secure Communication section.
  • In the "Secure Communications" dialogue box, check the box "Require Secure Channel". You could also check the box "Require 128-bit encryption"; if you do, any browsers that do not support 128-bit encryption will be unable to connect to OWA.
  • When users enter http://ahost.adomain.com/exchange, they will receive an "HTTP 403.4 - Forbidden: SSL required Internet Information Services" error message, because OWA is configured to require SSL. SSL uses the HTTPS protocol, so users would need to enter the url as https://ahost.adomain.com/exchange. Please see the Microsoft article regarding forcing the use of SSL with OWA:
    http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q279681

    One final step that you may need to take is to ensure that your Firewall is configured to allow HTTPS (port 443 by default) to pass through.

    Netscape Enterprise/Fast Track

  • Start Netscape Suitespot Server Administration page.
  • Log in as the web server administrator.
  • Select Key and Certificates at the Server Administration page.
  • Click Install Certificate on the left side menu frame.
  • Select This Server under the Certificate for section.
  • Select Message Text with headers.
  • Cut and paste the contents of your Web Server Certificate sent via email into this message box.
  • Include the headers and footers of the certificate; beginning with -----BEGIN CERTIFICATE----- and including -----END CERTIFICATE----- .
  • Select the alias that is associated with this certificate. Click OK.
  • Click Add Certificate to install this certificate into the database.
  • Click OK on the popup windows. The screen displays the Install a Server Certificate page.

    Identifying the Server Name

  • Click Server Administration located at the top right of the navigation box. The system returns to the server administration main menu.
  • Click the button that indicates your server name.
  • Click View Server Settings on the menu list.

    Setting Security and encryption

  • Check your Security settings. If it is off, click on Security. The Encryption On/Off page is displayed.
  • Click Encryption On. Make sure the alias is associated with this certificate. Click OK.
  • Click on Save and Apply.
  • Type the password you used when you generated the key pair in the popup window.
  • Press Return and the secure server will start running.
  • Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
  • Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    Novell ConsoleOne

    Domain Contender will email you the details for the following in your completed order:

  • GTECyberTrustRoot.crt

  • ComodoSecurityServicesCA.crt

  • server/domain.crt
  • The file must be in PKCS #7 format in order to be imported into a Server Certificate object. The file must contain all of the certificates to be imported into the object (the root-level CA certificate, the intermediate CA certificates, and the server certificate).

    Steps to successfully install the Certificates:

    1. Import both the "ComodoSecurityServicesCA.crt" and "GTECyberTrustRoot.crt" into Internet Explorer. Do this by double clicking on each of the certificates and choosing import. Make sure they are imported into the correct stores, "ComodoSecurityServicesCA.crt" goes into the intermediate store and "GTECyberTrustRoot.crt" goes into the root store.

    2. Double click the certificate that was signed by Comodo "server/domain.crt" and go to the details tab, then click on Copy to File. Next, select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" and select the "Include all certificates in the certification path if possible" check box. Give it a file name, for example "c:mycert". This step will put the Trusted Root, Intermediate Root, and End Server certificates into one file.

    3. Go to Console One and to the certificate that created the Certificate Signing Request (CSR). Go to the Public Key Certificate Tab. Select Import, select "No Trusted Root Certificate available", and then next. Import the Server Certificate that you created above.

    4. After the import you should be able to validate the certificate and use the certificate.

    5. The certificate is now ready to use.

    Novell I-Chain

    The first process is to create a combined file containing the intermediate and root certificates.
    Open the intermediate certificate in Notepad.
    Use 'Edit-Select All' then 'Edit-Copy'.
    Open a new text file with Notepad and paste the contents of the intermediate certificate.
    Open the root certificate in Notepad and Copy the entire contents.
    Paste the contents of the root certificate into the new text document AFTER the intermediate certificate.
    Save the new combined certificate.

    Open ConsoleOne and open the ICS container for the iChain server.
    Open the certificate.

    Select the 'Certificates' tab and press the "Import" button.
    Click 'Read from file' and browse to the combined certificate created previously.
    Press 'Next'.
    Click 'Read from file' and browse to the new server certificate or paste it into the window supplied.
    Click 'Finish' to install the certificate.

    You may get an error stating that the subject in the certificate does not match the subject in the object (CSR). This will be due to additional OUs in the certificate. Accept the certificate anyway. If a validation is attempted on the certificate in ConsoleOne it will produce an error stating 'Unable to validate the certificate chain to a root certificate'.


    On the iChain server click 'Apply'.
    The certificate will be installed but will display an error stating '-1240 Certificate failed parsing - may need external certificate'.


    Open the accelerator for the web site. The 'Certificate' drop down item in the Secure Exchange portion will now have the certificate available. Select the new certificate, click OK and then press 'Apply'.

    When the Management display is refreshed the website will be secured with the new certificate.

    Plesk Server Administrator

    Important: Installation is a two-step process. Ensure you follow both steps listed below.

    Step 1: Upload your SSL certificate

  • From inside PSA, choose the domain in which you are installing the SSL certificate.
  • Access the domain's SSL section by clicking on the 'certificate' button.
  • When a CSR (certificate signing request) is generated there are two different text sections, the RSA Private Key (which was emailed to you by Plesk) and the Certificate Request. When installing a certificate, the RSA Private Key text needs to be pasted into the block preceding the web server site certificate. Example:

    -----BEGIN RSA PRIVATE KEY-----
    {{ENCODED BLOCK OF TEXT}}
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    {{ENCODED BLOCK OF TEXT}}
    -----END CERTIFICATE-----

  • Paste the Private Key with the Certificate text into the Enter Certificate Text: text box and press the Send Text button.

  • If successful a message is returned 'Certificate Successfully Installed'.

  • If there are any errors the old certificate will replace the new certificate that you have just sent to the server and you will be required to enter it again.
  • Now click Up Level to return to the Domain Administration page.

    Step 2: Uploading the Rootchain Certificate

  • To ensure your certificate is trusted by all browsers you need to install a rootchain certificate for the domain.

  • From inside PSA, choose the domain in which you are installing the SSL certificate.

  • Access the domain's SSL section by clicking on the 'certificate' button.
  • The icon next to Use rootchain certificate for this domain appears on this page.

  • If the icon is ON then the rootchain certificate will be enabled for this domain. If the icon is X then it is disabled.

  • Ensure the icon is X before continuing (you may need to click the ON/OFF button if the icon is set to ON):

  • Click the browse button and locate the ComodoSecurityServicesCA.crt file you have saved from your issuance email earlier.

  • Then click the Send File button. This will upload your Intermediate certificate to the server.

  • Click the icon again to set it to the ON state.

  • Now click Up Level to return to the Domain Administration page.

    Using your SSL Certificate to secure logging into your Plesk Administrator

    If you are applying your certificate to the Plesk control panel (in order to secure your login) you will need to login to Plesk Administrator and select Server.
    Select Certificate and complete the above instructions as per applying your SSL certificate to a domain.

    Plesk Server Administrator 6

    Uploading certificate parts

    If you have already obtained a certificate containing the private key and certificate part (and possibly the CA certificate), follow these steps to upload it:

  • At the certificate repository page, click on the ADD button. You will be taken to the SSL certificate creation page.

  • In the Upload certificate files section of the page, use the Browse button to locate the appropriate certificate file or a required certificate part.

  • Click SEND FILE. This will upload your certificate parts to the repository.
  • You can upload an existing certificate in two ways:

    1. Choose a file from the local network and click on the SEND FILE button (.TXT files only).
    2. Type in or paste the certificate text and private key into the text fields and click on the SEND TEXT button.

    Uploading a CA certificate

    The ComodoSecurityServicesCA.crt file is the CA Certificate, or rootchain certificate. The CA Certificate is used to identify and authenticate the certificate authority that issued your SSL certificate. To upload your CA Certificate, follow these steps:

  • At the certificate repository page, select a certificate from the list. You will be taken to the SSL certificate properties page.

  • Use the Browse button, within the section related to the certificate uploading, to locate the appropriate CA Certificate file.

  • Click SEND FILE. This will upload your CA Certificate to the repository.
  • You can upload an existing certificate in two ways:

    1. Choose a file from the local network and click on the SEND FILE button (.TXT files only).
    2. Type in or paste the CA certificate text into the text field and click on the SEND TEXT button.

    NOTE: When you add a certificate, it is not installed automatically onto the domain or assigned to an IP address, but only added to the Certificate repository. You can assign a certificate to an IP address at the Client's IP pool, at the IP aliasing management page, and during hosting creation on an exclusively granted IP.

    Plesk Server Administrator 7

    1. Login to the Plesk 7 Control Panel.

    2. From the left hand menu, select 'Domains'.

    3. Click on the domain name that the certificate is for.

    4. Click on the 'Certificates' menu item.

    5. There is a button in the middle of the page labeled 'Browse'. Click 'Browse' and navigate to the location of the saved site certificate you received from domaincontender.com. Select it, then select 'Send File'. This will upload and install the certificate against the corresponding Private Key.
    6. The certificate name will now appear in the list of certificates at the bottom of the page.
    7. Click on the name of the Certificate from the list.
    8. Find the box on the page labelled 'CA Certificate'. You will need to paste both the intermediate CA certificate and the GTE root certificate from the .zip file you have received into this box.

    They must be pasted in this order: the intermediate CA certificate first, followed by the GTE root certificate. The result will look similar to the example below (please note: no blank line between the end of one certificate and the start of the next):

    -----BEGIN CERTIFICATE-----
    MIIEyDCCBDGgAwIBAgIEAgACmzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV
    UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3liZXJU
    .....
    zs1x+3QCB9xfFScIUwd21LkG6cJ3UB7KybDCRoGAAK1EqlzWINlVMr5WlvHqvaDj
    vA2AOurM+5pX7XilNj1W6tHndMo0w8+xUengDA==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIB+jCCAWMCAgGjMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNVBAYTAlVTMRgwFgYD
    VQQKEw9HVEUgQ29ycG9yYXRpb24xHDAaBgNVBAMTE0dURSBDeWJlclRydXN0IFJv
    .....
    IjeaY8JIILTbcuPI9tl8vrGvU9oUtCG41tWW4/5ODFlitppK+ULdjG+BqXH/9Apy
    bW1EDp3zdHSo1TRJ6V6e6bR64eVaH4QwnNOfpSXY
    -----END CERTIFICATE-----

    9. Click the 'Send Text' button.
    10. Now click 'Up Level' from the top right of the screen and choose 'Setup'.
    11. At the top of the page, change the 'SSL Certificate' drop-down menu to the certificate you have just installed.
    12. Click the 'Server' item from the left hand menu.
    13. Click on the 'Service Management' menu item.
    14. You now need to Stop and Start the Apache process.

    NOTE: Restarting Apache will NOT work. You must stop the service, then start it again to complete the installation.

    Stronghold 3

    You will receive your certificate via email, pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server or copy the certificate from the body of the email and create a text file.

  • Use the getcert script to install server certificate.
  • You will be prompted for your certificate. Copy the text from the email that you received from GeoTrust in the "Your Web Server Certificate" section and paste it into the section that getcert provides.
  • Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Press (Ctrl-D).
  • Repeat the above steps to install your CA certificate file before moving on to restarting your server.
  • Restart your web server by using the following commands:
  • stronghold/bin/strongholdctl restart
    Or
    stronghold/bin/strongholdctl start

  • Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
  • Note: The padlock icon on your web browser will be displayed in the locked position if you have set up your site properly.

    WebSTAR 4.0 and higher

    Go to the WebSTAR ADMIN utility.

    Open Server Settings under Edit.

    Select SSL Security.

    Select your server IP address on the upper panel.

    Select SSL2&SSL3 on the lower panel in the Security Drop Down Menu.

    Click the Choose button to select your new certificate file location under SSL Certificate File.

    Click the Choose button to select its matching private key file location under Private Key File.

    Type your private key password.

    Select all encryption options, except MAC (No Encryption).

    Save and then exit the utility.

    Stop and then Start your WebSTAR server.

    Test your certificate by connecting to your server.

    Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.

  • For additional instructions, please refer to WebSTAR's web site at: http://www.starnine.com/products/webstar/docs/ws4manual.40.html

    Zeus Web Server v3

    Warning: If you lose the key ring password, you must purchase a new certificate.

    Select the Web icon from the Admin Server control panel.

    Select the Nut & Bolt icon for this server. Select SSL Configuration.

    Define the file paths for this chained certificate and your Private Key at the Edit Server panel. Click Update.

    Return to the Admin Server's Home Page which displays the status of your virtual web servers.

    Click on the red traffic light to make it green.

    Stop the server by issuing the command: /usr/local/zeus/stop-zeus
    Restart the server by issuing the command: /usr/local/zeus/start-zeus

    For additional instructions, please refer to the ZEUS web site.

  • Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
  • Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

    SSL Accelerator: SSL Offloader

    Chained Certificates

    All SonicWALL SSL Offloaders support chained certificates. Once the certificates have been unzipped into separate files, they must be imported into the SonicWALL SSL Offloader using the chained certificate commands. The download contains a root certificate and an intermediate certificate in addition to the CA-generated server certificate.

    EXAMPLE - Instructions for using OpenSSL

    Now that you have received the certificate, you will need to unzip it into the root, intermediate and server certificates so that you can enter them into the SonicWALL SSL Offloader.

    Start by unzipping the 3 certificates. You will only need the ComodoSecurityServicesCA.crt and domain.crt certificates.

    Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and just install OpenSSL by choosing the 'Custom Installation' option.

    Once launched, open the ComodoSecurityServicesCA.crt and domain.crt certificates in a text editor.

    You will need to copy and paste the entire text including
    -----BEGIN CERTIFICATE-----
    and
    -----END CERTIFICATE-----

    The domain.crt certificate is the server certificate.
    The ComodoSecurityServicesCA.crt is the intermediary certificate.

    Save these files (e.g. C:\server.pem and C:\inter.pem).

    Verify the certificate information with openssl:
    x509 -in C:\server.pem -text
    (and)
    x509 -in C:\inter.pem -text

    EXAMPLE - Setting Up the Chained Certificates

    Now that you have the proper certificates, you start by loading the certificates into certificate objects. These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA generated certificate is server.pem; the name of the PEM-encoded certificate is inter.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.

    Start the configuration manager as described in the manual.

    Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter any passwords.)

    Enter SSL Configuration mode and create an intermediary certificate named CACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.

    Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode.

    Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.

    Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, a security policy myPol, the certificate group CACertGroup, key association localKeyAssoc, and exit to Top Level mode.

    Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.

    Resources

    Additional documents and technical notes on SonicWALL SSL can be found online at
    http://www.sonicwall.com/support/ssl_documentation.html

    SSL Accelerator: F5 Big IP

    Installing certificates from the certificate authority

    After you obtain an x509 certificate from a certificate authority for the SSL Accelerator, you must copy it onto each BIG-IP Controller in the redundant configuration. You can configure the accelerator with certificates using the Configuration utility or from the command line.

    To install certificates using the Configuration utility

  • In the navigation pane, click Proxies. The Proxies screen opens.
  • On the Proxies screen, click the Install SSL Certificate Request tab. The Install SSL Certificate screen opens.
  • In the Certfile Name box, type the fully qualified domain name of the server with the file extension .crt. If you generated a temporary certificate when you submitted a request to the certificate authority, you can select the name of the certificate from the drop down list. This allows you to overwrite the temporary certificate with the certificate from the certificate authority.
  • Paste the text of the certificate into the install SSL Certificate window. Make sure you include the BEGIN CERTIFICATE line and the END CERTIFICATE line.
  • Click the Write Certificate File button to install the certificate.

    To install certificates from the certificate authority using the command line

    Copy the certificate into the following directory on each BIG-IP Controller in a redundant system:

    /config/bigconfig/ssl.crt/

    Note: The certificate you receive should overwrite the temporary certificate generated by genkey or gencert.

    If you used the genkey or gencert utilities to generate the request file, a copy of the corresponding key should already be in the following directory on the BIG-IP Controller:

    /config/bigconfig/ssl.key/

    To install the intermediate certificate using the command line

    Copy the intermediate certificate (ComodoSecurityServicesCA.crt) into each BIG-IP Controller in a redundant system. Open the ComodoSecurityServicesCA.crt with a text editor.
    Cut and paste the entire text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file named intermediate-ca.crt. Be careful not to include any leading or trailing whitespace before the beginning and ending hyphens.
    Place the intermediate-ca.crt file in the directory /config/bigconfig/ssl.crt/
    Note: The ssl.crt directory is used to store certificates and certificate authorities.

    WARNING: In a redundant system, the keys and certificates must be in place on both controllers before you configure the SSL Accelerator. You must do this manually; the configuration synchronization utilities do not perform this function.

    SSL Accelerator: Intel NetStructure 7110

    When you receive the certificate, unzip it and import it into the 7110. Use the import cert command, with the KeyID. As with the import key, choose an import protocol for importing the key. Use p for paste. After the paste is finished, add three periods to display the command line.

    You must import both the site certificate and the intermediate CA certificate. Both certificates must be chained together in a single file.

    Use the import cert command to import the chained certificates. Paste the server's site certificate first, followed by the Comodo intermediate certificate. Follow the intermediate CA certificate by typing three periods on a new line.

    NOTE: There must be no white space before, between, or after certificates, and the "Begin..." headers and "End..." trailers must all be included.

    Create mapping for Server 1. Use the create map command to specify the server IP address, ports, and keyID.

    Save the configuration when the server has been mapped.
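
    Several of the procedures above (Plesk 7, F5 BIG-IP, Intel NetStructure 7110) require certificates to be pasted in issuing order with no blank lines or stray whitespace. The following check is an added example, not part of the original guide or any vendor tool: it lints a pasted bundle and confirms each certificate is issued by the one after it, which covers both the intermediate-then-root and the site-then-intermediate orders. The sample certificates are constructed, unsigned placeholders with hypothetical names.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names inside tbsCertificate."""
    _, pos, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:              # optional [0] version (v2/v3 certs)
        fields.pop(0)
    # remaining order: serial, signature alg, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def lint_bundle(text):
    """List the problems in a pasted chain (leaf or intermediate first)."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()                       # one final newline is acceptable
    for n, line in enumerate(lines, 1):
        if not line.strip():
            problems.append(f"line {n}: blank line")
        elif line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
    clean = "\n".join(l.strip() for l in lines if l.strip())
    blocks = PEM_RE.findall(clean)
    if len(blocks) != clean.count("BEGIN CERTIFICATE"):
        return problems + ["malformed BEGIN/END marker (need five dashes)"]
    names = [issuer_and_subject(base64.b64decode(b)) for b in blocks]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer of i vs subject of i+1
            problems.append(f"certificate {i + 1} not issued by certificate {i + 2}")
    return problems

# --- constructed sample data: unsigned, structurally minimal certificates ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only

def name(cn):
    attr = tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))

def sample_pem(subject, issuer):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer)
              + tlv(0x30, b"") + name(subject))
    body = base64.encodebytes(tlv(0x30, tbs)).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

INTER = sample_pem("Example Intermediate CA", "Example Root CA")
ROOT = sample_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(lint_bundle(INTER + ROOT))          # correct order, no gaps
    print(lint_bundle(ROOT + "\n" + INTER))   # blank line and wrong order
```

    The check compares names only and does not verify signatures, so it catches paste and ordering mistakes rather than proving the chain is trusted.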

    Appendix B -- Site Seal Installation Instructions

    Step 1: Copy the JavaScript below into your HTML page's <HEAD> tag.

    Use the following line if you are displaying your site seal over a STANDARD NON-SECURE page (e.g. http://):

    <script language="JavaScript" SRC="http://www.trustlogo.com/trustlogo/javascript/trustlogo.js" type="text/javascript"></script>

    Use the following line if you are displaying your site seal over a SECURE page (e.g. https://):

    <script language="JavaScript" SRC="https://secure.comodo.net/trustlogo/javascript/trustlogo.js" type="text/javascript"></script>

    Step 2: Save one of the seal logos below to a web-accessible place on your web server and note the complete URL (e.g. http://domaincontender.com/seal_logo.gif).

    Step 3: Copy and paste the line below into your web page's HTML. *Note* You must substitute LOGO URL with the URL you saved the logo to.

    <script type="text/javascript">TrustLogo("LOGO URL", "SC", "");</script>

    Available Logos:

    Domain Contender Secure Site Seal