Installing SSL Certificates

Article Number: 000070659

Jump to How-to Install Guides

Contents:
Introduction
SSL Installation Guides
Where can I find and download the intermediate certificates I need?
Which web servers are compatible with AffirmTrust certificates?
How do I export or backup a certificate?
Do I need to install the AffirmTrust root certificate in my server?
Do I require the AffirmTrust chain certificate?
How many AffirmTrust certificates are required in a load-balancing environment?
How many servers can I secure with one SSL certificate?
Can I secure my top-level domain with and without the "www." sub-domain?
How do I renew my SSL certificate?

Introduction

After you submit the CSR and receive your SSL server and intermediate certificates, you need to install them on your server.

Your AffirmTrust end-entity certificate must be installed with other intermediate certificates in the trust chain in order to be trusted (display the padlock or green bar) in the major browsers and applications. AffirmTrust certificates are issued off the AffirmTrust Commercial root. The root and intermediate CA certificates you need to install on your servers may include the following certificates, depending on which type of certificate you use:

  • AffirmTrust Extended Validation CA – EV1
  • AffirmTrust Certificate Authority – OV1

?Installation Guides

For Microsoft servers, please see our article: Installing certificates for Microsoft.

For Apache servers, please see our article: Installing certificates for Apache.

For other servers, see instructions here for servers listed below.

C2Net Stronghold
Cisco Adaptive Security Appliance (ASA) 5500
Cobalt RaQ4/XTR
F5 BIG IP (Version 9)
F5 BIG IP (pre-version 9)
F5 FirePass VPS
HSphere Web Server
IBM HTTP Server
Java-based web server (generic)
Lotus Domino 8.5
Mirapoint
Nginx
Oracle Wallet Manager
Oracle WebLogic Server 8 or 9
Plesk 10
Plesk 9
Plesk 8
SAP Web Application Server 6.10 or higher
Zeus Web ServerPremium

Where can I find and download the intermediate certificates I need?

The intermediate certificates you need are available at two places. You can find and download the intermediate certificates on the same page in the Customer Portal where you downloaded your server certificate:

User-added image

At the bottom of the screen are download links for the intermediate certificates you need, including two bundles:

ALL-CERTIFICATES.ZIP and
CERTIFICATE AUTHORITY BUNDLE.
The ALL-CERTIFICATES.ZIP file includes the following certificates (your server certificate and two CA certificates):

  • Affirmtrust_Commercial.crt

  • One of AffirmTrust Certificate Authority – OV1.crt
    or
    AffirmTrust Extended Validation CA – EV1.crt

  • your.server.name.crt

The CERTIFICATE AUTHORITY BUNDLE contains two CA certificates in a single .crt file. It is designed to be used for Apache openssl servers. You can download this file and use it directly in the Apache openssl server configuration line SSLCertificateChainFile:

  • Affirmtrust_Commercial.crt

  • One of AffirmTrust Certificate Authority – OV1.crt
    or
    AffirmTrust Extended Validation CA – EV1.crt

Note: Make a backup copy of your SSL certificates and keep them in another location.
 

Which web servers are compatible with AffirmTrust certificates?

AffirmTrust certificates can be issued for any server that is compatible with the x.509 v3 standard and is able to make a certificate request in PKCS#10 format. This includes most recent servers, including:

  • Microsoft Internet Information Server (IIS) v3 or higher

  • Microsoft Communications Server

  • Apache

  • Nginx

  • Netscape Enterprise Server v3 or higher

  • Netscape Commerce Server v1 or higher

  • Netscape FastTrack Server

  • Stronghold Server

  • Internet Application Server 1.0

  • Netscape iPlanet Web Server 4.1

For Apache and Nginx Servers, Open SSL is needed.
 

How do I export or back up a certificate?

For the procedure, refer to the KB article here.
 

Do I need to install the AffirmTrust root certificate in my server?

Normally, when you install an SSL certificate, you also need to install the intermediate CA certificates but not the root certificate. Unless your server vendor specifically requires you to install the root certificate, you should not install it on your web server.
You can download all of the required certificates from the AffirmTrust console. Click the Common Name of the certificate. On the Details page, click Download.
 

Do I require the AffirmTrust chain certificate?

Yes.
 

How many AffirmTrust certificates are required in a load-balancing environment?

You need one AffirmTrust certificate for each of your secure web servers (including any virtual web servers). With a certificate account, there are no additional costs to support this.
 

How many servers can I secure with one SSL certificate?

AffirmTrust certificates are provided with licensing for an unlimited number of servers included in the standard price. This allows you to easily secure your primary server, a secondary or backup server, and a load balancer.
To move your certificate between servers, you need to install the certificate on the web server where you generated the CSR and then export the SSL certificate and its private key to a PFX or PKCS12 file. You can then import that file on another web server.
 

Can I secure my top-level domain with and without the "www." sub-domain?

Yes. With AffirmTrust certificates, if you purchase an SSL certificate to secure www.example.com, it will also secure example.com.

How to Renew a Certificate

To ensure continuous security, do not let your SSL certificates expire. When you renew a certificate, all of its information remains the same, except that the validity period is updated. You can only renew a certificate when it is within 90 days of its expiry date or after is expires. You can renew a certificate only once.

If the original certificate was an OV certificate, you will be re-issued an OV certificate. If the original certificate was an EV certificate, you will be re-issued an OV certificate, unless your account or one of the domains in the certificate request is no longer EV-validated. In that case, you will be re-issued an OV certificate.

Notifications about the renewal appear in the notifications list as expiration notifications. They are also emailed to the Notification Recipients for the expiring certificate. Once a certificate has been renewed, expiration notifications are no longer sent. The renewed certificate appears in the Certificates list and has the status of “Pending”.
 

1. On the Certificates tab, click the Common Name of the certificate that you want to renew.

2. Check the certificate details to make sure you have selected the correct certificate.

3. Click Renew.

4. On the Renew Certificate page, you can edit this information:

  • The Organization Profile for which the certificate is being requested. Note that if you change the organization profile, the domains from the original certificate will need to be re-confirmed for the new organization, if they have not been already.
  • The Certificate Type, either EV or OV.
  • The HASH algorithm used for the certificate signature, either SHA-256 or SHA-1. All certificate requests will default to SHA-256, independent of the algorithm used in the certificate being renewed. For additional information, see About hash algorithms.
  • The Validity period of the certificate, either 1 or 2 years. SHA-1 certificates are restricted to a validity period of either 31-Dec-2015 or 31-Dec-2016.
  • Optional Comments about the certificate
  • You can also paste a new CSR in the Paste in CSR box.

Click Continue.

5. On the Confirm Certificate Details page, In the Check/Modify Notifications area, specify who will receive notifications regarding this certificates (such as when it is issued, expiry warnings, and revocation notifications.) Click Continue.

6. If the Common Name or SANs list contains a new domain that has not been previously validated to the appropriate level (OV or EV), the Confirm Domain Control page appears, listing the new domains. Click Continue.

  • If the new domain must be confirmed at the OV level, the "Confirmation of Control for domain # of #" page appears. Select the email address where the domain ownership confirmation request will be sent. If none of the pre-populated email addresses is yours, select Manually Validate and the AffirmTrust Verification Team will confirm the domain control manually. Click Continue. Repeat this step for each domain that you added.
  • If the new domain must be confirmed at the EV level, you are not prompted to choose an email address because the domain must be manually validated by the AffirmTrust Verification Team. Continue to the next step.

7. The Certificate Request Summary page appears, where you can review the request details before submitting the final certificate request. If the request is correct, click Approve.

8. A message appears, stating that the certificate request has been submitted and that a link to the new certificate will be sent to you shortly. Click OK to proceed.

9. When you receive the renewed certificate, install it on your server. (See Install your SSL certificate for instructions.)

If you have any

Support Hours of Operation: 
Sunday 8PM ET to Friday 8PM ET
[email protected]