directNIC Guides: SSL Certificates

Table of Contents
- Introduction
- Why SSL?
- Who needs SSL?
- What type of Web Server Certificate does directNIC offer?
- Features of a secure site
- Billing
- Fee
- Payment options
- Compatibility
- Browser compatibility
- Server compatibility
- Application
- Application process
- Certificate Signing Request
- Distinguished Name
- More on the Common Name
- Troubleshooting FAQs
- Managing Certificate
- Check the size of the certificate
- Keep the private key secret
- Lost key
- Lost password
- Certificate replacement policy
- Certificate revoke policy
- Check expiration date
- Technical Support
- Appendix A -- Web Server Certificates Installation Instructions
- Apache
- Apache + Raven
- Apache + Raven 1.5x
- Apache + SSLeay
- BEA Weblogic
- C2Net Stronghold
- CPanel
- Cobalt RaQ4/XTR
- Ensim Web appliance 3.1.x
- Hsphere Web Server
- IBM HTTP
- IBM WebSphere Advanced Single Server Edition 4.0
- iPlanet Enterprise Server 4.1
- Java Based Web Servers
- Lotus Domino Go 4.6.2.6 and higher
- Lotus Domino 4.6x and higher
- Mac OS X
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.x / 6.x
- Backup in Microsoft IIS 5.x ,6.x
- How do I export the key in IIS 5.x or 6.x?
- How do I import the server certificate in IIS 5.x or 6.x?
- Microsoft IIS and Renewals
- Microsoft: Outlook Web Access 2000
- Netscape Enterprise/Fast Track
- Novell ConsoleOne
- Novell I-Chain
- Plesk Server Administrator
- Plesk Server Administrator 6
- Plesk Server Administrator 7
- SSL Accelerator
- SonicWALL SSL Offloader
- Intel NetStructure 7110
- Stronghold 3
- WebSTAR 4.0 and higher
- Zeus Web Server v3
- Appendix B -- Site Seal Installation Instructions
Introduction
Why SSL?
A Web Server Certificate, or Server ID, is a digital document containing unique codes that identify the holder of the certificate to the person accessing the site. On the Internet, website visitors usually have no reliable way to identify who owns the online store that they are doing business with. When customers visit a virtual store to make the purchase, their biggest concern is whom they will be paying and if the payment is conducted in a secure way. This is why you need SSL certificates to secure your server.
The Secure Sockets Layer (SSL) is a protocol originally developed by Netscape. It has become the universal standard on the Web for authenticating websites to Web browser users, and for encrypting communications between browser users and web servers. SSL is built into all major browsers and web servers, so the protocol works the same way wherever it is implemented. Once a digital certificate, or Server ID, is installed, the server's SSL capabilities are enabled.
A Web Server Certificate is issued by a trusted third party called a Certification Authority (CA). CAs must audit the identity of the people or organizations to whom they issue certificates. Once the CA establishes an organization's identity, it issues a certificate that contains the organization's public key and signs it with the CA's private key. SSL certificates hold information about web servers. They contain information about the owners of the certificates, the server to which the certificate was sold, when it was sold and when it expires. By checking the details of the certificate, your customers can assure themselves that the website they are dealing with is in fact the website they want to be dealing with. They also know that their credit card or personal details cannot be intercepted by a third party on the Internet.
Who needs SSL?
If your website has online ordering facilities and you want to assure customers that they are not exposed to any of the risks associated with sending data over the Internet, you should apply for an SSL certificate.
We now offer SSL certificates for domains using directNIC premium hosting.
To apply for an SSL certificate, you need to tell us what domain or subdomain name you want to secure. We will then send you a CSR based on that domain or subdomain name, which you use to purchase the certificate. Once we receive the certificate, we will install it for you and you will be able to use your secure site.
What type of Web Server Certificate does directNIC offer?
Currently, we offer three kinds of SSL certificates:
1. InstantSSL Pro: This certificate can be purchased for up to 3 years at a low cost of $45/year with a warranty of $100,000.
2. PremiumSSL: This is the type of certificate we have been offering, but the price is now only $60/year. It can also be purchased for up to 3 years, with a warranty of $250,000.
3. PremiumSSL Wildcard (e.g., *.dndchosting.com): This certificate can only be purchased for 1 year for now, but it can be purchased with a 1-, 2- or 5-server license. A wildcard certificate can be used to support multiple virtual hosts at a low cost of $425.00/year with a warranty of $250,000.
All certificates include:
Fully Validated
Trusted by all popular browsers
99.3% browser support
1024 bit industry standard SSL Certificate
free site seal
25 day refund policy
25 day re-order with new common name policy
Unlimited Re-issuance Policy
128/256 bit encryption
Telephone, email and web support
Features of a secure site
A page is secure if:
1) The URL changes from http:// to https://.
2) A lock symbol appears in the lower left-hand status bar in Netscape Navigator
3) A lock symbol appears in the lower right-hand status bar in Internet Explorer
4) Providing your customers with real-time identity assurance through convenient "point to verify" technology, TrustLogo enhances trust and confidence in your online identity and gives customers the confidence to buy from your site.
Billing
Fee
1. InstantSSL Pro: $45 per year per virtual host.
2. PremiumSSL: $60 per year per virtual host. The new price applies to renewals of certificates purchased last year.
3. PremiumSSL Wildcard (e.g., *.dndchosting.com): $425.00 per year per certificate.
Payment options
Users can use directNIC dollars to purchase certificates at a discount rate.
The directNIC dollars rates charged by directNIC may vary from time to time. The current discount rates charged by directNIC with other payment options will always be located at https://secure.directnic.com/myaccount/bulk/payment.php.
The current discount rates charged by credit card are located at: https://secure.directnic.com/myaccount/bulk/
Compatibility
Browser compatibility
directNIC powered SSL certificates support the following browsers:
AOL Browser 5.x and higher
Microsoft Internet Explorer 5.01 and higher
Netscape Navigator 4.77 and higher
Opera 8 and higher
Galeon
Konqueror
Mozilla 0.6 and higher
Root Certificate comes pre-installed with:
Windows 98SE, ME, 2000, and XP
Mac OS 8.5, OS 9.x, OS X
CA certificates required for installation are located at:
https://secure.directnic.com/help/guides/ca-certs.zip
*** NOTE ***
You must load the certificates above into your web server, otherwise an error such as "certificate was issued by a company you have not chosen to trust" will be displayed by visitors' browsers.
Server compatibility
directNIC certificates support all current releases of commercial and freeware web servers that support SSL v.3. Supported servers include:
Apache 2.x
Apache + MOD SSL
Apache + Raven
Apache + ApacheSSL
C2Net Stronghold
Cobalt RaQ3/RaQ4/XTR
Ensim
IBM HTTP
Jakarta Tomcat
IBM-Lotus Domino Go 4.6.2.6+
Lotus Domino 5.0x
Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Netscape Enterprise/Fast Track
Plesk
WebLogic 5.1
WebLogic 6.x
WebSTAR 4.0 and higher
Zeus Web Server v3
Application
Application process
Here are the steps to apply for a certificate at directNIC:
- Log into the directNIC account at www.directnic.com/myaccount/
- Click on the SSL Certificate link under "Advanced Options."
- Select the type of certificate and the number of years you wish to purchase.
- Select the type of server you wish to purchase a certificate for.
- Use the "How to generate a CSR" link for instructions on producing the key and CSR data you need.
- Enter your CSR into the edit box provided, with all pertinent lines included, and then click the Purchase SSL Certificate button.
- Next, verify the CSR information provided and make sure all of it is correct before submitting your order.
- Enter the email address you wish to have your order sent to upon completion.
- Click the Continue button to proceed to the checkout page.
- Enter your payment information and complete your order.
When your certificate is approved, we will email it to the address you supplied during the ordering process. To install your certificate, follow the instructions provided below for your web server.
Certificate Signing Request
A CSR is a text file, generated through a web server, that is submitted to the Certification Authority during the digital certificate application process and used to generate a signed digital certificate. It contains the following:
1. Identifying information about the company applying for the digital certificate
2. The company's public key
3. The type of web server on which the certificate will be installed
It is usually transferred via email, but formatted so that it is unreadable (although it is not encrypted).
A CSR should look similar to the following example:
-----BEGIN CERTIFICATE REQUEST-----
MI711iCWRAwgZIxCzAJBgNVBNiiWlVTMREwDwYDItqIEwhOZXcgWW9yazERMA8GW1
UEBxMITmVZBgNVBWoTElJlZ2lzdwyLmNwgSW5jLjEZaWzQHJlZ2lzdGVyLmqhkiG9
w0lAQEYEWzMrdydBoI8K+5LEj/yLZ8YVsGasKIJ2rod8anVty9pzPKGxmWiUb2h2i
xd3d3LqGSIb3DQc3lzYWRtVvzWHkfMDq6q0jXQGI4yJKLFg8WMAcjJgzE5bopWybK
eofWL0ZNGcsImfy3WeR9cydfwrJ05mgPUzAwEMBsGCSqGSIbBzELEwl0ZXzdQADgY
EAgvJs5PTvo3O2OaUSdm+/58fG3Wcsy/OKivjPIVQ+Mot3HSchd04D++zBWn5Ih2/
QMCxzlq7oXQFwSFe0IDXPRhCLWcWkz991+CdGdmw25g=
-----END CERTIFICATE REQUEST-----
When you copy and paste the CSR into the appropriate field, paste the entire CSR, including the beginning and ending dash marks.
Reminder: Please do not set a password for the CSR. If you encrypt the Certificate Signing Request, we will email you to re-create the CSR since we will be unable to process the order.
Distinguished Name
A user will be asked to enter the server's distinguished name when generating the CSR. Distinguished names uniquely identify individual servers, and contain the following information:
1) Common Name: The Common Name is the fully qualified domain name used for DNS lookups of a server (such as www.directNIC.com). This information is used by browsers to identify the website. Client browsers connecting to your host will check for a match between the certificate's common name and the URL. Do not include the "http://" or "https://" in the Common Name.
2) Organization or Company: This should be the organization that owns the domain name. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Do not abbreviate or use any of these symbols:
! @ # $ % ^ * ( ) ~ ? > < /
3) Organizational Unit: This is an optional field used to differentiate between divisions within an organization, for example, "Marketing" or "Research and Development." If the organization is doing business as ("dba") a trade name, you may specify the trade or dba name in this field.
4) City/Locality: This is an optional field in most situations. Do not use abbreviations. For example, spell "New Orleans," instead of "N.O." If the organization is registered locally only, for example by virtue of having a business license registered with the City Clerk, the Locality/City field must contain the name of the city where registered. In this case, the State/Province field is required.
5) State/Province: U.S. and Canadian customers must enter a State or Province name. In the United States, if your organization is incorporated in the state of Washington, but is operating within Louisiana, use Louisiana. Do not abbreviate.
International customers must enter either a State/Province or a City/Locality. Do not abbreviate.
6) Country: This is the 2-character ISO format country code. For example, AU is the code for Australia, and BR is the valid code for Brazil.
More on the Common Name
When generating a Certificate Signing Request (CSR) from the web server, a user will be required to enter Common Name.
The Common Name is typically composed of Host + Domain Name and will look like "www.mycompany.com" or "secure.mycompany.com." Our Server IDs are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. So please be careful when you decide the Common Name. This information cannot be changed after the certificate is issued.
When the Server ID will be used on an Intranet (or internal network), the Common Name may be one word, and it can also be the name of the server.
We also offer Wild Card Certificates such as: *.yourdomain.com
yourdomain.com and www.yourdomain.com are considered the same name. You do not need to purchase a certificate for both domains. One certificate will automatically cover both sites since they actually resolve to the same site. You can use either name (i.e., with or without www) as the common name.
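The Distinguished Name rules above can be checked before a CSR is generated, and the finished CSR can be read back to see what the CA will see. The script below is an added example, not part of the original guide or of directNIC's tooling; the function names, the sample organization and host name, and the 2048-bit key size are assumptions, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not directNIC tooling. Lints Distinguished Name fields against
# the rules in this guide, then builds a CSR and reads it back.
# Every name and value here is a constructed placeholder.
LC_ALL=C; export LC_ALL

# Common Name: a bare host name (wildcards allowed), never a URL.
check_common_name() {
    case "$1" in
        ""|*://*|*/*|*" "*) return 1 ;;
    esac
    return 0
}

# Organization: non-empty and free of  ! @ # $ % ^ * ( ) ~ ? > < /
check_organization() {
    [ -n "$1" ] || return 1
    stripped=$(printf '%s' "$1" | tr -d '!@#$%^*()~?<>/')
    [ "$stripped" = "$1" ]
}

# Country: exactly two upper-case letters (the ISO code).
check_country() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
    esac
    return 1
}

# US and Canada need a State/Province; elsewhere either State or City will do.
check_region() {    # $1 country, $2 state, $3 city
    case "$1" in
        US|CA) [ -n "$2" ] ;;
        *)     [ -n "$2" ] || [ -n "$3" ] ;;
    esac
}

# Print one line per problem; succeed only when every field passes.
lint_dn() {         # $1 country, $2 state, $3 city, $4 organization, $5 common name
    rc=0
    check_country "$1"          || { echo "Country is not a 2-letter code: $1"; rc=1; }
    check_region "$1" "$2" "$3" || { echo "State/Province or City/Locality is missing"; rc=1; }
    check_organization "$4"     || { echo "Organization is empty or has a forbidden symbol: $4"; rc=1; }
    check_common_name "$5"      || { echo "Common Name is not a bare host name: $5"; rc=1; }
    return "$rc"
}

# Write server.key and server.csr into directory $1 (then the lint_dn fields).
# -nodes leaves the key without a passphrase, so file permissions protect it.
make_csr() {
    ( umask 077     # the private key is created readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/server.key" -out "$1/server.csr" \
          -subj "/C=$2/ST=$3/L=$4/O=$5/CN=$6" ) >/dev/null 2>&1
}

# The subject exactly as the CA will read it from the request.
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# Succeeds when the request's self-signature verifies, i.e. the text is intact.
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    # A Common Name pasted from the address bar is caught before any CSR exists.
    lint_dn US Louisiana "New Orleans" "Example Widgets LLC" "https://www.example.com/" ||
        echo "-> fix the fields above before generating the CSR"
    if lint_dn US Louisiana "New Orleans" "Example Widgets LLC" www.example.com; then
        make_csr "$work" US Louisiana "New Orleans" "Example Widgets LLC" www.example.com
        csr_subject "$work/server.csr"
        csr_signature_ok "$work/server.csr" && echo "CSR is intact and ready to submit"
    fi
fi
```

Running `csr_signature_ok` on the text you are about to paste also catches a CSR that lost a line or its dash marks during copy and paste.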
Troubleshooting FAQs
Can I use symbols when generating CSR?
The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / ( ) ?.
My CSR has been rejected during the application process. How can I proceed?
To apply for your Web Server Certificate, you must have a CSR that is valid and properly formatted. If your CSR has been rejected, please be sure that you have cut and pasted the entire CSR into the appropriate field, including the dash marks at the beginning and ending of the text area. If your CSR is still rejected, you will need to regenerate it using the web server on which you plan to host your secure website.
What should I do if the WHOIS information doesn't match the information generated by the CSR?
If the WHOIS information for your domain name doesn't match the information generated by the CSR, you can either change the WHOIS information or regenerate your CSR with the correct information.
What can I do if my application has been rejected?
The most common reason for a certificate application to be rejected is inconsistency with the WHOIS information, CSR information and contact information that you provided during the application process. If your application has been rejected, you can contact our Customer Support Department and we will assist you to find out what caused the application failure. When you resubmit your certificate request, please ensure that all of the information provided is correct and consistent.
I can't install my certificate. What do I do?
First of all, please check the webserver software-specific installation FAQs listed on our website. If you've lost your key or password, and don't have a backup, then you will have to purchase a new certificate.
I am receiving an error “Certificate was issued by a company you have not chosen to trust.” What does this mean?
This error is usually generated due to an incomplete installation. You must load the Certificate Authority certificates listed below into your web server, otherwise an error will occur.
Please install the CA certificates required:
https://secure.directnic.com/help/guides/ca-certs.zip
The security padlock is not displayed in my browser when accessing my secure page. What’s wrong?
If your site is set up in a frame, then this can be the problem. Frames are usually located in a non-secure http directory on your server. When you access an SSL page, with non-secure frames, you will not see a padlock, even though the page is encrypted and secure. You can check the page information for details about that page. If you want the padlock displayed on your secure page, you can decide not to use frames.
How can I specify the frames I use on my website to be secure?
Please make sure that you have sourced the frames from https in your HTML.
How can I renew my Microsoft IIS server certificate?
The renewal feature on IIS servers is inconsistent, and we do not suggest using this tool to create your replacement CSR. The suggested renewal procedure for an IIS server is to first verify that your server has all the recent updates and patches installed. Next, create a test site for your new CSR generation so you do not have to remove your current certificate from the server.
Managing Certificate
Check the size of the certificate
After you have installed your certificate, connect to a secure page on your server using a Web browser.
1) If you are using Internet Explorer, click on File > Properties.
2) If you have OpenSSL, you can use the following command to check:
openssl x509 -noout -text -in <your certificate file>
3) Some webservers will display key size information in the properties of your key/cert.
Keep the private key secret
Your digital private key is the critical portion of your online identity. Once you receive your own digital signing certificates, keep your private key as secure as possible. If another person got a hold of your private key, they would have the potential to distribute information on the Internet or intranet in your name. Specifically, do not place your private key on removable media, on shared drives, or send it in e-mail.
If your key was compromised, you could be held legally responsible for the actions of someone else. If the private key of your digital certificate has been compromised you should notify us and revoke the certificate at once. directNIC provides certificates, but you are the person who is responsible for key management.
Lost key
If you lose your private key, no one can help you. We cannot generate a private key for you. Only you have the access to your private key, which makes the whole system secure.
If you cannot find your private key, you may first check your backups and see if you can re-install the private key. If you don't know how to re-install the key from your backups, please read the manuals. If you still cannot reinstall your private key, you can contact your server software vendor for technical support. For example, if you use MS IIS, please contact Microsoft support or take a look at their website knowledge base. If you have gone through these steps and are still unable to re-install the certificate, you will have to get a new certificate and generate your CSR again. We can replace any order during the life of the certificate purchased as long as you are requesting the same Common Name.
Lost password
The password protects your system security and integrity. Losing the password effectively means you have lost your key. You will have to request a new certificate. So please make backups for any important information. Our current certificates do allow you to request replacement of the certificate during the life of the order as long as it is the same common name originally purchased.
Certificate replacement policy
We will revoke and refund directNIC.com powered certificates that have been requested as long as they are within twenty five (25) days of the certificate issue date.
We will replace directNIC.com powered certificates at any time during the life of the certificate as long as you are requesting the same common name as the original order.
If you need a new certificate with a new Common name after twenty five days, you will be responsible for purchasing a new server certificate.
Certificate revoke policy
You may request revocation of your certificate any time for any reason. We can only offer refunds during the first 25 days after the order is purchased.
To revoke a certificate, send a Trouble ticket from your account or a fax request to us at 504-566-0484.
Please include the following information in your correspondence:
- The subject line should read "SSL Revocation Request"
- The domain name of the certificate or the certificate reference number
- Organization contact
- Reason for revocation
- The telephone number and email address of the contact who should be notified of the revocation
- Signature and date
Upon receipt of this request we will begin your revocation process. We will notify you of your refund eligibility within 72 hours of your request.
Check expiration date
After you install your certificate, you can visit your secure website and check the expiration date of your certificate by performing the following steps depending on which type of Internet browser you are using:
Internet Explorer:
- Click "File" in the main menu.
- Select "Properties".
- Depending on the version of Internet Explorer you are using, click either the "Security" tab or the "Certificates" button.
- Read the certificate information that pops up in a new window.
Netscape Navigator:
- Click the "Security" button in the menu bar.
- Click the "View Certificate" button in the window that pops up.
- Read the certificate information that pops up in a new window.
Security information often appears in the lower right hand corner of an open browser as a key or padlock. On a non-secure page, the padlock will appear to be open or the key will appear broken. The key will be whole or the padlock locked on a secure site. Click on the key or the padlock to view security information for the page you are viewing.
Technical Support
For the most up-to-date and accurate assistance with any problems you might have with SSL certificates, refer to the directNIC Help file at our website: http://www.directnic.com
If you cannot find the answers to your questions, please contact us using our Trouble Ticket System at: http://www.directnic.com/tts/
Appendix A -- Web Server Certificates Installation Instructions
Certificate installation instructions are available for the Web servers listed below.
Please note if your Web server is operated by an ISP or hosting service, they will install your Web server certificate for you.
Apache
Step one: Copy your certificate to a file
You will receive an email with the certificate. When viewed in a text editor, your certificate will look something like:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Copy your Certificate into the directory that you will be using to hold your certificates.
It is recommended that you make the directory that contains the private key file only readable by root.
Step two: Install CA Certificates
You will need to install the chain certificates (intermediates) in order for browsers to trust your certificate. Apache users can install the intermediate certificates using a 'bundle' method.
In the Virtual Host settings for the appropriate site, in the httpd.conf file, you will need to complete the following:
1. Copy the ca-bundle.crt file (included in the ca-certs.zip file emailed to you) to the directory where you store your certificate files.
2. Add the following line to the SSL section of the httpd.conf (assuming /usr/local/etc/apache/ssl.crt/ is the directory to which you have copied the ca-bundle.crt file). If the line already exists, make sure you replace it.
SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt
If you are using a different location you will need to change the path and filename to reflect your server.
The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):
SSLCertificateFile /usr/local/etc/apache/ssl.crt/yourhostname.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/private.key
SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt
Save your httpd.conf file and restart Apache.
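The three files named in the httpd.conf lines above can be checked from the command line before Apache is restarted, together with the key size and expiration date covered under "Managing Certificate". The script below is an added example, not part of the original guide or of directNIC's tooling; the function names are assumptions, the CA and server certificate it checks are throwaway files constructed by the script itself, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not directNIC tooling: checks for the three files named in the
# httpd.conf lines above, run before Apache is restarted.

# Key size in bits, read from the public key inside the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Expiration date (the certificate's notAfter field).
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Succeeds when the certificate expires (or cannot be read) within $2 days.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when certificate $2 chains to a CA in bundle $1 (SSLCACertificateFile).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when group and others have no access to the key directory $1.
key_dir_is_private() {
    case "$(ls -ld "$1")" in
        d???------*) return 0 ;;
    esac
    return 1
}

# Constructed test data: a throwaway CA plus a 20-day server certificate,
# written to directory $1 under the file names used in this guide.
make_sample_files() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' \
        '[dn]' 'CN = Common Name' '[ca]' 'basicConstraints = critical,CA:TRUE' \
        > "$1/sample.cnf"
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/sample.cnf" \
            -subj "/CN=Constructed Test CA" \
            -keyout "$1/ca.key" -out "$1/ca-bundle.crt" &&
        openssl req -new -newkey rsa:2048 -nodes -config "$1/sample.cnf" \
            -subj "/CN=www.example.com" \
            -keyout "$1/private.key" -out "$1/server.csr" &&
        openssl x509 -req -in "$1/server.csr" -days 20 \
            -CA "$1/ca-bundle.crt" -CAkey "$1/ca.key" -CAcreateserial \
            -out "$1/yourhostname.crt"
    } >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    make_sample_files "$d" || { echo "could not build sample files" >&2; exit 1; }
    crt="$d/yourhostname.crt"
    echo "key size: $(cert_key_bits "$crt") bit"
    echo "expires:  $(cert_not_after "$crt")"
    cert_expires_within "$crt" 30 && echo "WARN: expires within 30 days, plan the replacement"
    cert_matches_key "$crt" "$d/private.key" ||
        echo "FAIL: SSLCertificateFile and SSLCertificateKeyFile do not match"
    chain_verifies "$d/ca-bundle.crt" "$crt" ||
        echo "FAIL: certificate does not chain to ca-bundle.crt"
    key_dir_is_private "$d" ||
        echo "FAIL: key directory is open to group or others"
fi
```

A failing `chain_verifies` corresponds to the "certificate was issued by a company you have not chosen to trust" browser error described earlier: the bundle in SSLCACertificateFile does not contain the issuer of the installed certificate.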
Apache + Raven
You will receive your new certificate via email. It is pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server, or copy the certificate from the body of the email and create a text file.
****Note: The examples below use the following naming convention:
"Your Web Server Certificate" = "mydomain.com.cert"
Start the Raven PKI Certificate Manager, using the command:
/usr/local/raven/bin/ravenctl
Choose Install CA Signed Certificate.
You will be prompted for the location of your web server certificate (mydomain.com.cert). Identify the temporary location (/tmp) and the name of your web server certificate. The certificate will be installed in the following directory:
/usr/local/raven/module/pki/certs
Edit Apache's HTTPDS.CONF file to point the Raven SSL module to the new certificate and key.
SSLCertificateFile /usr/local/raven/module/pki/certs/servername.cert
SSLCertificateKeyFile /usr/local/raven/module/pki/keys/servername.key
Save the HTTPDS.CONF file
Restart the Server: /usr/local/apache/bin/httpsdctl restart
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Apache + Raven 1.5x
Start RavenCTL
cd /usr/local/raven/bin, ./ravenctl
Enter the path to the server certificate that you received via email to install the CA Signed Certificate.
Start RavenCTL
Change directories to the /apacheserverroot/conf directory;
cd /usr/local/apache/conf
Edit Apache's HTTPDS.CONF file to point the Raven SSL module to the new certificate.
SSLCertificateFile /usr/local/raven/module/pki/certs/servername.cert
SSLCertificateKeyFile /usr/local/raven/module/pki/keys/servername.key
Start your web server
Apache + SSLeay
You will receive your certificate via email, pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server or copy the certificate from the body of the email and create a text file.
***Note: The examples below use the following naming conventions: "Your Web Server Certificate" = "mydomain.com.cert"
Change directories to apacheserverroot/conf directory.
****Note: Copy the entire certificate contents from the
-----BEGIN CERTIFICATE-----
up to and including the
-----END CERTIFICATE----- lines.
If you have not already set up a secure virtual host, refer to the following link for more information:
http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html#toc4
Open the httpd.conf file in a text editor.
Locate the secure virtual host that you have purchased the certificate for. You should have the following directives within this virtual host. Please add them if you do not.
SSLCertificateFile /apacheserverroot/certs/mydomain.com.crt
SSLCertificateKeyFile /apacheserverroot/mydomain.com.key (or server.key)
Save the changes and exit the text editor.
Start or restart your apache web server.
apacheserverroot/bin/httpd restart
or
apacheserverroot/bin/httpd start
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
BEA Weblogic
When you receive your certificates you need to store them in the mydomain directory.
Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.
To use a certificate chain, append the additional PEM-encoded digital certificates that were issued for the WebLogic Server (the intermediate CA certificate). The last digital certificate in the file chain will be the self-signed Root certificate (that is, the rootCA certificate).
To configure WebLogic Server to use the SSL protocol, enter the following information on the SSL tab in the Server Configuration window:
In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for WebLogic Server.
In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for Comodo who signed the digital certificate of WebLogic Server. In the Server Key File Name field, enter the full directory location and name of the private key file for WebLogic Server.
Use the following command-line option to start WebLogic Server:
-Dweblogic.management.pkpassword=password
where password is the password defined when requesting the digital certificate.
Storing Private Keys and Digital Certificates
Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received into the mydomain directory. Private Key files and digital certificates are generated in either PEM or Definite Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
A PEM (.pem) format digital certificate begins and ends with the following lines, respectively:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Note: Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.
The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain. A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file.
Note: If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER format files to PEM format, and vice versa.
C2Net Stronghold
Note: There are TWO certificates that need to be installed during this process. The first is the "Site" certificate, contained in the email from directNIC.com. The second is the "Bundled intermediate certificate"; you can use the zip file for this, or it can be obtained from our web site: https://secure.directnic.com/help/guides/ca-certs.zip
If you already have a temporary certificate in your /ServerRoot/ssl/certs directory, move, rename or delete it. Run the command "getca servername", where "servername" is the same name created during generation of the key or certificate request ("genkey servername" or "genreq servername"). Open the site certificate in the e-mail from directNIC with a text editor and copy its content, including the lines shown below, to your clipboard:
Include the headers and footers of the certificate; beginning with
-----BEGIN CERTIFICATE-----
and including
-----END CERTIFICATE----- .
Paste the contents into the terminal window where you ran "getca". Enter Control-D or the appropriate EOF character for your terminal.
Before restarting the server please install the intermediate certificate as below.
Next, retrieve the Certificate Authority information from the ca-certs.zip certificate from the email and copy the certificate content, including the lines shown below, to your clipboard:
Include the headers and footers of the certificate; beginning with
-----BEGIN CERTIFICATE-----
and including
-----END CERTIFICATE----- .
Paste the content into the file "ssl/certs/ca_new.txt" located in your ServerRoot directory. Change the SSLCACertificateFile directive in your httpd.conf file to point to the bundle file (ca_new):
SSLCACertificateFile ssl/certs/ca_new.txt
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
CPanel
Once you have received the SSL certificates you can install the certificate using Webhost Manager. You need both the certificate and key files to install the certificate.
Click on the 'Install an SSL Certificate and Setup the Domain' link in the SSL/TLS menu.
Enter the domain, user name, and IP address for the certificate in the 'Domain', 'User', and 'IP Address' fields.
Click on the 'Fetch' button to pull the .key and .crt files for the domain into the available display spaces, if they are currently on your server. Otherwise, copy and paste the .key and .crt files into the available display areas.
Note: If you generated the certificate using Webhost Manager, the certificate files will be available. Open the AddTrustUTNServerCA.crt in a text editor. Paste the text from the AddTrustUTNServerCA.crt into the 'Install an SSL Cert' display area.
Click on the 'Do it' button.
Cobalt RaQ4/XRT
Installing the site certificate
Go to the Server Management screen.
Click the green icon (Wrench for RaQ4, Pencil for XTR) next to the SSL enabled virtual site.
Click SSL Settings on the left side.
Copy the entire contents of the site certificate that you received, including
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
Paste the new certificate information that you copied into the "Certificate" window.
Select "Use manually entered certificate" from the pull-down menu at the bottom.
Click Save Changes.
Install the Intermediate Certificate
You will need to install the intermediate CA certificate in order for browsers to trust your certificate. The intermediate CA certificate was included in the email we sent you with the certificate and it is in the link below.
https://secure.directnic.com/help/guides/ca-certs.zip
The following will require that you access the httpd config file.
In the GlobalSSL Setting in the httpd.conf file, you will need to complete the following:
Copy the intermediate CA to the same directory as httpd.conf and name it ca.txt
Add the following line to the SSL section of the httpd.conf (assuming /etc/httpd/conf is the directory to where you have copied the intermediate CA file). If the line already exists, amend it to read the following:
SSLCACertificateFile /etc/httpd/conf/ca.txt
Note: If you are using a different location and certificate file names you will need to change the path and filename to reflect the path and file name that you are using.
Cobalt Raq Guides:
RAQ 4 http://directnic.com/help/guides/raq4.pdf
RAQ 550 http://directnic.com/help/guides/raq550en.pdf
RAQ XTR http://directnic.com/help/guides/raqxtr.pdf
Ensim Web appliance 3.1.x
Step One: Loading the Site Certificate
You will receive an email from Comodo with the certificate in the email (yourdomainname.crt). When viewed in a text editor, your certificate will look something like:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
(.......)
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Copy your Certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labelled private.key and the public key will be yourdomainname.crt.
It is recommended that you make the directory that contains the private key file only readable by root.
Login to the Administrator console and select the site that the certificate was requested for.
Select Services, then Actions next to Apache Web Server and then SSL Settings. There should already be a 'Self Signed' certificate saved.
Select 'Import' and copy the text from the yourdomainname.crt file into the box.
Select 'Save', the status should now change to successful.
Logout, do not select delete as this will delete the installed certificate.
Step two: Install the Intermediate/Root Certificates
You will need to install the Intermediate and Root certificates in order for browsers to trust your certificate. As well as your SSL certificate (yourdomainname.crt), two other certificates, named UTN-USERFirst-Hardware.crt and AddTrustUTNServerCA.crt, are also attached to the email from Comodo. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method.
CA certificates required for installation:
https://secure.directnic.com/help/guides/ca-certs.zip
In the Virtual Host settings for your site, in the virtual site file, you will need to add the following SSL directives. This may be achieved by:
1. Copy this ca-bundle file to the same directory as the certificate (this contains all of the ca certificates in the Comodo chain, except the yourdomainname.crt).
2. Add the following line to the virtual host file under the virtual host domain for your site (assuming /etc/httpd/conf is the directory mentioned in 1.), if the line already exists amend it to read the following:
SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt
If you are using a different location and certificate file names you will need to change the path and filename to reflect this.
The SSL section of the updated virtual host file should now read similar to this example (depending on your naming and directories used):
SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt
Save your virtual host file and restart Apache. You are now all set to start using your Comodo certificate with your Apache Ensim configuration.
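Before restarting Apache, the three directives above and the recommendation to keep the private key readable only by root can be checked together. The following is an added example, not part of the original guide: it reads the SSL file directives from a virtual host file, confirms each file exists and holds the expected kind of PEM block, and flags a key file or key directory that is accessible beyond its owner. The function names, the root parameter (for checking a staged copy of the tree) and the placeholder files are assumptions; absolute paths as in the example above are assumed, and file ownership is not checked.

```python
import os
import re
import stat

DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")
BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

# The SSL section shown in the guide's Ensim example.
SAMPLE_VHOST = """\
SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCACertificateFile /etc/httpd/conf/ca-bundle/ca_new.txt
"""


def ssl_directives(conf_text):
    """Map each SSL file directive to its configured path (last occurrence wins)."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split name/value
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def audit(conf_text, root="/"):
    """Return a list of findings for the three SSL file directives."""
    findings = []
    paths = ssl_directives(conf_text)
    for name in DIRECTIVES:
        conf_path = paths.get(name)
        if conf_path is None:
            findings.append(f"{name}: directive missing")
            continue
        real = os.path.join(root, conf_path.lstrip("/"))
        if not os.path.isfile(real):
            findings.append(f"{name}: {conf_path} does not exist")
            continue
        with open(real, errors="replace") as fh:
            labels = BEGIN_RE.findall(fh.read())
        has_key = any("PRIVATE KEY" in label for label in labels)
        if name == "SSLCertificateKeyFile":
            if not has_key:
                findings.append(f"{name}: no private key block in {conf_path}")
            # The key file and its directory should grant nothing to group/other.
            for shown, target in ((conf_path, real),
                                  (os.path.dirname(conf_path), os.path.dirname(real))):
                mode = stat.S_IMODE(os.stat(target).st_mode)
                if mode & 0o077:
                    findings.append(
                        f"{name}: {shown} has mode {mode:03o}, accessible beyond its owner")
        else:
            if "CERTIFICATE" not in labels:
                findings.append(f"{name}: no certificate block in {conf_path}")
            if has_key:
                findings.append(f"{name}: {conf_path} also contains a private key")
    return findings


def build_demo_tree(root, key_mode):
    """Create constructed placeholder files (no real key material) under root."""
    files = {
        "etc/ssl/crt/yourdomainname.crt": "CERTIFICATE",
        "etc/ssl/crt/private.key": "RSA PRIVATE KEY",
        "etc/httpd/conf/ca-bundle/ca_new.txt": "CERTIFICATE",
    }
    for rel, label in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")
    os.chmod(os.path.join(root, "etc/ssl/crt/private.key"), key_mode)
    os.chmod(os.path.join(root, "etc/ssl/crt"), 0o700)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, 0o644)            # key left world-readable on purpose
        for finding in audit(SAMPLE_VHOST, root=tmp):
            print(finding)
```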
Hsphere Web Server
1. After you receive your SSL certificate, first download the site certificate and the bundle file (rootchain) certificates from our web site to a secure location.
https://secure.directnic.com/help/guides/ca-certs.zip
2. Click SSL on your control panel home page.
3. Go to the Web Service page and click the Edit icon in the SSL field.
4. In the form that opens, enter the SSL certificate into the box Install Certificate based on previously generated Certificate request and click Upload:
5. Enter the rootchain certificate into the box Certificate Chain File and click Install:
6. Now you can use the SSL certificate.
IBM HTTP
directNIC sends more than one certificate. In addition to the secure SSL certificate for your server you will also receive an Intermediate CA Certificate and a Root CA Certificate. Before installing the server certificate, install both of these certificates. Follow the instructions for 'Storing a CA certificate'.
Note: If the authority who issues the certificate is not a trusted CA in the key database, you must first store the CA certificate and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA who is not a trusted CA. For instructions see 'Storing a CA certificate'.
Storing a CA Certificate:
Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select Key Database File from the main User Interface, select Open.
In the Open dialog box, select your key database name. Click OK.
In the Password Prompt dialog box, enter your password and click OK.
Select Signer Certificates in the Key Database content frame, click the Add button.
In the Add CA Certificate from a File dialog box, select the certificate to add or use the Browse option to locate the certificate. Click OK.
In the Label dialog box, enter a label name and click OK.
To receive the CA-signed certificate into a key database:
Enter IKEYMAN on a command line on UNIX, or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select Key Database File from the main User Interface, select Open.
In the Open dialog box, select your key database name. Click OK.
In the Password Prompt dialog box, enter your password and click OK.
Select Personal Certificates in the Key Database content frame and then click the Receive button.
In the Receive Certificate from a File dialog box, select the certificate file. Click OK.
Note: The configuration file httpd.conf contains default settings. If you have installed a previous version of the Web server, your existing configuration file is preserved as httpd.conf and the default configuration file is renamed httpd.conf.default.
Restart your web server.
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
IBM WebSphere Advanced Single Server Edition 4.0
Before being able to enable SSL on WebSphere, you need to have your own certificate. This certificate can be a self-certificate for testing purpose but in any production case, you should have a certificate issued by a Trusted CA. The following steps describe how to get your own certificate and later how to configure WebSphere to use it.
Installing a certificate chain
Before you can add your certificate into the keystore, you must first include the certificates chain. You must install the following public certificates:
Root (UTN-USERFirst-Hardware) Root
Primary Server certificate (AddTrustUTNServerCA certificate) PrimServer
Server certificate Server
You can add the certificates chain from the Signer Certificates screen.
Click on the Add button. A dialog box will appear where you have to enter the data, the Certificate file name (the certificate file you received) and its location. Once all of this information is entered click on OK.
Installing your site certificate
You can import it into your keystore. In the IBM Key Management console, select in the dropdown the option Personal Certificates.
Then click on the button Receive. A dialog box will appear where you have to enter the data, the Certificate file name (the certificate file you received) and its location. Once all of this information is entered click on OK.
Enabling SSL
Once your keystore has been successfully configured with your certificate, you can now enable SSL in WebSphere Application Server.
In IBM WebSphere, SSL can be configured for each component. For more information on how to enable/configure it for each of them, please go to the IBM Web site at http://www-4.ibm.com/software/webservers/appserv/support.html
iPlanet Enterprise Server 4.1
Start Netscape Suitespot Server Administration page.
Log in as the web server administrator.
Select Security tab at the Server Administration page.
Click Install Certificate on the left side menu frame.
*Open the UTN-USERFirst-Hardware.crt in a text editor.
Select Server Certificate Chain, enter the password.
Select Message Text with headers.
Cut and paste the contents of Your Web Server Certificate.
Include the headers and footers of the certificate; beginning with
-----BEGIN CERTIFICATE----- and including -----END CERTIFICATE----- .
Click OK.
Accept the certificate.
NOTE: Do not shutdown or restart the server until all steps have been completed.
Repeat the steps from * above using the text from the UTN-USERFirst-Hardware.crt opened in a text editor.
For the site certificate again repeat the steps from * above, but this time choosing This Server instead of Server Certificate Chain.
At this stage all the certificates are installed and SSL now needs to be activated.
Go to Preferences and select View Server Settings to check your security settings.
Click on Security.
The Encryption On/Off page is displayed.
The Encryption should be On. The port number is 443.
Click OK in the warning box.
Type the password you used when you generated the key pair in the popup window.
Save and apply the changes.
Click OK to return to the previous page.
Now add Server for Port 80
Click on Servers.
Select Add Server.
Click OK to return to the previous page.
Click View Server Settings to verify the settings for port 80 and port 443.
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Java Based Web Servers
The certificates you receive will be:
UTN-USERFirst-Hardware.crt
AddTrustUTNServerCA.crt
domain.crt
These must be imported in the correct order:
UTN-USERFirst-Hardware.crt
AddTrustUTNServerCA.crt
domain.crt
Note: Please replace the example keystore name 'domain.key' with your keystore name.
Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file UTN-USERFirst-Hardware.crt -keystore domain.key
Use the same process for the Comodo certificate using the keytool command:
keytool -import -trustcacerts -alias comodo -file AddTrustUTNServerCA.crt -keystore domain.key
Use the same process for the site certificate using the keytool command. If you are using an alias, include the alias option in the command (yyy is the alias specified during CSR creation). Example:
keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key
The password is then requested.
Enter keystore password: (This is the one used during CSR creation)
The following information will be displayed about the certificate and you will be asked if you want to trust it (the default is no so type 'y' or 'yes'):
Owner: CN= Root, O=Root, C=US
Issuer: CN= Root, O=Root, C=US
Serial number: 1a3
Valid from: Fri Feb 23 23:01:00 GMT 1996 until: Thu Feb 23 23:59:00 GMT 2006
Certificate fingerprints:
MD5: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
SHA1: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64
Trust this certificate? :
Then an information message will display as follows:
Certificate was added to keystore
All the certificates are now loaded and the correct root certificate will be presented.
Lotus Domino Go 4.6.2.6 and higher
Start the MKKF utility by typing mkkf in a DOS window.
Select "O" to Open an existing key ring file. Type the name of the file (usually keyfile.kyr). You will be prompted for the password.
*Note: If you start the "mkkf" utility from the directory that contains your certificate you will not need to include the path.
Select "R" to receive a certificate into the Key Ring File.
Enter the server certificate file name (eg. "server.txt").
Select "W" to Work with keys and certificates.
Select "L" to List/Select the key to work with. Select "N" until you find the servername.key file.
Select "S" to Select this certificate.
Select "F" to mark this key as the selected deFault key.
Select "X" to exit this menu.
Select "C" to Create a "stash file" for the key ring.
Note: This is an important step, which is often overlooked!
Select "X" to exit the menu.
Select "Y" - Yes - to save all changes to the key file and confirm the update.
Repeat the steps above to install the CA certificate before enabling SSL and restarting your server.
Enabling SSL on your Domino Go Web Server
Access the web server via your browser. Select "Configuration and Administration Forms" .
Scroll down to security. Select Security Configuration.
Ensure that "Allow SSL connections using port 443" is selected.
Ensure that the correct Key Ring file is listed.
Apply the changes
Restarting your Web Server
You will need to stop and start your web server with the following commands:
stopsrc -s httpd
startsrc -s httpd
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your web browser will be displayed in the locked position if you have set up your site properly.
Lotus Domino 4.6x and higher
Enter the Server Certificate Administration application.
Open Server Certificate Administration, the database you set up for your web server.
Select Install Certificate Into Key Ring.
Install your new server certificate.
Configuring your SSL
Enter the Server Certificate Admin application and double-click on your server name.
Select the Ports tab.
Select the Internet Ports tab.
Select Edit Server at the upper left corner.
Enter the SSL parameters for your server.
Verify the path to your keyfile in the SSL key file name field.
Click Save and Close at the upper left corner.
Close the Lotus Notes client window.
The process above must be completed for all certificates provided for this order.
Please repeat the above steps to install the CA certificate before restarting your server.
Stop and restart your server. The message HTTP web server started will appear.
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Mac OS X
1. Log into your server as root.
2. If it doesn't already exist on your server, create a folder with this name: /etc/httpd/ssl.crt/
3. Copy the cert.crt into the folder.
b. Install your certificate
Important: Back up the certificate to a removable disk. If there is a server failure, restoring your certificate from the backup will save time.
To enable SSL on the site follow the instructions below:
- In Server Admin, click Web and choose Configure Web Service.
- Make sure Enable SSL support is selected for the entire site.
- Click Sites, then select the site where you plan to use the certificate, and click Edit.
- Select Enable Secure Socket Layer (SSL)
- Click Edit Certificate File and paste the text from your certificate file in the text field, then click Save.
- Click Edit Key File and paste the text from your key file (mykey.key, set up earlier) in the text field, then click Save.
- Press tab to move to the phrase field and type the pass phrase from your CSR in the text field, then click OK.
- Set the location of the log file
- Stop and then start Web service.
Note: Web Performance Cache is not compatible with SSL. You should not enable both Web Performance Cache and SSL for a specific site.
Doing so keeps Apache from starting. For more information please view Mac OS X Server 10.2 and Later at http://support.apple.com/kb/TA21432?viewlocale=en_US
Microsoft Internet Information Server 4.0
Note: For Windows NT 4.0, you must have at least Service Pack 4.0 or higher or Microsoft Internet Explorer 5.0.
Installing your Web server Certificate
Start the MS IIS Management Console and select your server.
Click on the Key Manager icon. Select your original key.
Select Install Key Certificate from the Key menu.
Choose Your Web Server Certificate.crt file sent to you via email. This file should be the name of your domain/or company with a .crt extension. For example: Your Web Server.crt .
Type in your original key's password.
Click OK in the Server Bindings box.
Select Commit from the Computers menu. Click Yes to commit all changes.
Stop then Start Your Web Server
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Backing up your key pair file
Unlike other files, key pair files cannot just be copied. To make the backup, you must do an "export." To restore your system, you must do an "import."
This process assumes identical web server configurations are used for exporting the key as well as for importing the key. So both servers must be IIS. You can't go from one type of server to another.
Exporting your key
Open your Microsoft Management Console via the IIS Internet Service Manager.
Click to open the Key Manager.
Select the key to be exported.
Select the Key menu and choose Export Key Backup File. Click OK in the Key Manager Warning box.
Specify the destination for saving your key, press OK.
Close your Key Manager and Management Console windows.
Please remember your password that was used to install your certificate. You will need this password if you ever need to recover your certificate through the import process.
Microsoft Internet Information Server 5.x / 6.x
1. Installing the Root & Intermediate Certificates:
Unzip the ca-certs.zip file you received in the email to the desktop of the webserver machine, then:
Click the Start Button then select Run and type mmc
Click File and select Add/Remove Snap in
Select Add, select Certificates from the Add Standalone Snap-in box and click Add
Select Computer Account and click Finish
Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in
Return to the MMC
To install the UTN-USERFirst-Hardware Certificate:

Right click the Trusted Root Certification Authorities, select All Tasks, select Import.

Click Next.

Locate the UTN-USERFirst-Hardware Certificate and click Next.
When the wizard is completed, click Finish.
To install the AddTrustUTNServerCA Certificate:

Right click the Intermediate Certification Authorities, select All Tasks, select Import.
Complete the import wizard again, but this time locating the AddTrustUTNServerCA Certificate when prompted for the Certificate file.
Ensure that the UTN-USERFirst-Hardware certificate appears under Trusted Root Certification Authorities
Ensure that the AddTrustUTNServerCA appears under Intermediate Certification Authorities
2. Installing your IIS SSL Certificate:
Copy the certificate text from the email you received (text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) to notepad and save the file with a .cer extension.
Select Administrative Tools
Start Internet Services Manager
Open the properties window for the website. (If you used the 'dummy site' method we described in our CSR generation instructions to renew your certificate, then select the 'dummy site' here.) You can do this by right clicking on the web site and selecting Properties from the menu.
Click on the Directory Security tab

Click Server Certificate. The following Wizard will appear:

Choose to Process the Pending Request and Install the Certificate. Click Next.
Enter the location of your IIS SSL certificate (this is the file you saved from notepad with the .cer extension) (you may also browse to locate your IIS SSL certificate), and then click Next.
Read the summary screen to be sure that you are processing the correct certificate, and then click Next.
You will see a confirmation screen. When you have read this information, click Next.
You now have your IIS SSL server certificate installed.
If you used the 'dummy site' method:
***
Now that you have completed the installation of the certificate on the
'dummy site', Windows has stored the certificate in a pool of
certificates on the machine.
Go to the current website, 'Directory Security' tab
and choose the 'Server Certificate' button.
There will be an option in the wizard to 'Replace' the current certificate.
This will show a list of all the certs on the machine, one of which will be
the recently created one. Select this, and the certificate changeover will
happen instantaneously.
***
To verify that SSL is turned on for this web site, in the properties window for the site click the Web Site tab. Make sure the box labeled SSL contains 443.
Finally, you must now restart the computer to complete the installation.
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver.com/) to indicate you wish to use secure HTTP.
Backup in Microsoft IIS 5.x ,6.x
Optional Stage
To back up the Certificate with the Private Key attached in Microsoft IIS 5.x, 6.x, follow these instructions:
1. Start > run > MMC
2. Go into the Console Tab > 'File' > 'Add/Remove Snap-in'
3. Click on 'Add' > Click on 'Certificates' and click on 'Add'
4. Choose 'Computer Account'
5. Choose 'Local Computer'
6. Close the 'Add Standalone Snap-in' window.
7. Click on 'OK' at the 'Add/Remove Snap-in' window.
8. Open up the 'Certificates' Console Tree
9. Look for a folder called 'Personal' > 'Certificates'
10. Select the Certificate that you wish to back up.
11. Right-click on the file and choose > ALL TASKS > Export
12. The "Certificate Export Wizard" will start up. Click on 'Ok'
13. Choose "Yes, export the private key". Click on 'Next'.
14. Leave the default settings and click on 'Next'
15. Set a password to protect the export of the Certificate with the Private Key file attached. Click on 'Next'
16. Choose to save the file to a set location.
Type the file name in the 'File Name' box, and click 'Save'.
Click on 'Next'
The file is given a *.pfx file-name extension and should be saved to a 3 1/2" disk on the a: drive or your hard disk drive.
It is important to make a copy of the Private Key that does not reside on the actual server, in the event that the server crashes.
17. Click 'Finish'
18. You will receive a message that states "The export was successful" when the export has been completed. Click 'Ok'
How do I export the key in IIS 5.x or 6.x?
Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;en-us;232136
How do I import the server certificate in IIS 5.x or 6.x?
Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;EN-US;232137
Microsoft IIS and Renewals
All IIS versions require you to run a new CSR every year for your replacement orders.
The IIS 4.x and 5.x servers require a specific set of instructions as the IIS server tool for renewals does not function correctly for a valid certificate order. You will find the needed instructions for this renewal below.
The IIS 6.x servers do not require any special instructions for renewal processes. The IIS 6.x renewal service tools do work properly for creating a new CSR for your yearly renewal.
Here are the instructions you need to create your new CSR while your current SSL certificate is still up and running on your IIS 4.x and 5.x web servers.
The best way to create your new CSR without using the 'renew' options (IIS 4.x and 5.x only, since this has bugs) would be to create a new website within IIS.
Right-click on your IIS control panel, and use the 'New' menu option to create this new site.
This will be a 'dummy site' for now so that you do not de-activate your current certificate that is up and running.
You can then give the new site the same common name as the current site running and create your new CSR.
Please send this CSR to directNIC.com after you have renewed your certificate so we might be able to generate a new Certificate file for you that will work correctly for this server type.
Once you receive your new SSL certificate, you can then follow the normal IIS instructions for this new 'backup' website, which will not interfere with the current site.
Once you have completed the installation of the certificate on the 'backup' site, Windows will store the certificate in a pool of certificates on the machine.
You will then be able to go to the current website, 'Directory Security' tab and choose the 'Server Certificate' button.
There will be an option in the wizard to 'Replace' the current certificate.
This will show a list of all the certs on the machine, one of which will be the recently created one. Select this, and the certificate changeover will happen instantaneously.
Microsoft: Outlook Web Access 2000
Securing Your Outlook Web Access 2000 Implementation Using SSL
Certificate Installation
Open Internet Services Manager from your Administrative Tools.
Open the Properties for the Web Site that is hosting OWA (normally the Default Web Site).
Select the "Directory Security" tab and then click on the "Server Certificates" button.
You will now be presented with the "Pending Certificate Request" dialogue box (below), select "Process the pending request and install the certificate", click Next.
The "Process a Pending Request" dialogue box will appear (below), navigate to the site certificate that you received. Click Next.
You will now be presented with the "Certificate Summary" (below), click Next.
Next you will need to install the intermediate certificate, please follow the instructions at: Microsoft Internet Information Server 5.x / 6.x
http://www.directnic.com/help/guides/index.php?guide_id=7#208
You have now installed the SSL certificate into our web site. The next step is to enable SSL for OWA; this is a pretty simple task.
Using the Internet Services Manager, open the properties for the "Exchange" virtual directory.
Select the "Directory Security" tab and then click on the "Edit" button in the Secure Communication section.
In the "Secure Communications" dialogue box, check the box "Require Secure Channel". You could also check the box "Require 128-bit encryption"; if you do check the 128-bit checkbox, any browsers that do not support 128-bit encryption will be unable to connect to OWA.
When users enter http://ahost.adomain.com/exchange, they will receive an "HTTP 403.4 - Forbidden: SSL required Internet Information Services" error message, because OWA is configured to require SSL. SSL uses the HTTPS protocol, so users would need to enter the url as https://ahost.adomain.com/exchange. Please see the Microsoft article regarding forcing the use of SSL with OWA: http://support.microsoft.com/kb/311342/en-us
http://support.microsoft.com/kb/280823/en-us
One final step that you may need to take is to ensure that your Firewall is configured to allow HTTPS (port 443 by default) to pass through.
Netscape Enterprise/Fast Track
Start Netscape Suitespot Server Administration page.
Log in as the web server administrator.
Select Key and Certificates at the Server Administration page.
Click Install Certificate on the left side menu frame.
Select This Server under the Certificate for section.
Select Message Text with headers.
Cut and paste the contents of your Web Server Certificate sent via email into this message box.
Include the headers and footers of the certificate; beginning with -----BEGIN CERTIFICATE----- and including -----END CERTIFICATE----- .
Select the alias that is associated with this certificate. Click OK.
Click Add Certificate to install this certificate into the database.
Click OK on the popup windows.
The screen displays the Install a Server Certificate page.
Identifying the Server Name
Click Server Administration located at the top right of the navigation box. The system returns to the server administration main menu.
Click the button that indicates your server name.
Click View Server Settings on the menu list.
Setting Security and encryption
Check your Security settings. If it is off, click on Security. The Encryption On/Off page is displayed.
Click Encryption On. Make sure the alias is associated with this certificate. Click OK.
Click on Save and Apply.
Type the password you used when you generated the key pair in the popup window.
Press Return and the secure server will start running.
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Novell ConsoleOne
directNIC will email you the details for the following in your completed order:
UTN-USERFirst-Hardware.crt
AddTrustUTNServerCA.crt
server/domain.crt
The file must be in PKCS #7 format in order to be imported into a Server Certificate object. The file must contain all of the certificates to be imported into the object (the root-level CA certificate, the intermediate CA certificates, and the server certificate).
Steps to successfully install the Certificates:
1. Import both "AddTrustUTNServerCA.crt" and "UTN-USERFirst-Hardware.crt" into Internet Explorer. Do this by double-clicking each certificate and choosing import. Make sure they are imported into the correct stores: "AddTrustUTNServerCA.crt" goes into the intermediate store and "UTN-USERFirst-Hardware.crt" goes into the root store.
2. Double-click the certificate that was signed by Comodo, "server/domain.crt", go to the Details tab, then click Copy to File. Next, select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" and select the "Include all certificates in the certification path if possible" check box. Give it a file name, for example "c:\mycert". This step puts the Trusted Root, Intermediate Root, and End Server certificates into one file.
3. Go to ConsoleOne and open the certificate object that created the Certificate Signing Request (CSR). Go to the Public Key Certificate tab. Select Import, select "No Trusted Root Certificate available", and then click Next. Import the Server Certificate file that you created above.
4. After the import you should be able to validate the certificate and use the certificate.
5. The certificate is now ready to use.
Novell I-Chain
The first process is to create a combined file containing the intermediate and root certificates.
Open the intermediate certificate in Notepad.
Use 'Edit-Select All' then 'Edit-Copy'.
Open a new text file with Notepad and paste the contents of the intermediate certificate.
Open the root certificate in Notepad and Copy the entire contents.
Paste the contents of the root certificate into the new text document AFTER the intermediate certificate.
Save the new combined certificate.
Open ConsoleOne and open the ICS container for the iChain server.
Open the certificate.
Select the 'Certificates' tab and press the "Import" button.
Click 'Read from file' and browse to the combined certificate created previously.
Press 'Next'.
Click 'Read from file' and browse to the new server certificate or paste it into the window supplied.
Click 'Finish' to install the certificate.
You may get an error stating that the subject in the certificate does not match the subject in the object (CSR). This will be due to additional OUs in the certificate. Accept the certificate anyway. If a validation is attempted on the certificate in ConsoleOne it will produce an error stating 'Unable to validate the certificate chain to a root certificate'.
On the iChain server click 'Apply'.
The certificate will be installed but will display an error stating '-1240 Certificate failed parsing - may need external certificate'.
Open the accelerator for the web site. The 'Certificate' drop down item in the Secure Exchange portion will now have the certificate available. Select the new certificate, click OK and then press 'Apply'.
When the Management display is refreshed the website will be secured with the new certificate.
Plesk Server Administrator
Important: Installation is a two step process - ensure you follow both steps listed below.
Step 1: Upload your SSL certificate
From inside PSA, choose the domain in which you are installing the SSL certificate.
Access the domain's SSL section by clicking on the 'certificate' button.
When a CSR (certificate signing request) is generated there are two different text sections, the RSA Private Key (which was emailed to you by Plesk) and the Certificate Request. When installing a certificate, the RSA Private Key text needs to be pasted into the block preceding the web server site certificate. Example:
-----BEGIN RSA PRIVATE KEY-----
{{ENCODED BLOCK OF TEXT}}
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
{{ENCODED BLOCK OF TEXT}}
-----END CERTIFICATE-----
Paste the Private Key with the Certificate text into the Enter Certificate Text: text box and press the Send Text button.
If successful a message is returned 'Certificate Successfully Installed'.
If there are any errors the old certificate will replace the new certificate that you have just sent to the server and you will be required to enter it again.
Now click Up Level to return to the Domain Administration page.
Step 2: Uploading the Rootchain Certificate
To ensure your certificate is trusted by all browsers you need to install a rootchain certificate for the domain.
From inside PSA, choose the domain in which you are installing the SSL certificate.
Access the domain's SSL section by clicking on the 'certificate' button.
The icon next to Use rootchain certificate for this domain appears on this page.
If the icon is ON then the rootchain certificate will be enabled for this domain. If the icon is X then it is disabled.
Ensure the icon is X before continuing (you may need to click the ON/OFF button if the icon is set to ON):
Click the browse button and locate the AddTrustUTNServerCA.crt file you have saved from your issuance email earlier.
Then click the Send File button. This will upload your Intermediate certificate to the server.
Click the icon again to set it to the ON state.
Now click Up Level to return to the Domain Administration page.
Using your SSL Certificate to secure logging into your Plesk Administrator
If you are applying your certificate to the Plesk control panel (in order to secure your login) you will need to login to Plesk Administrator and select Server.
Select Certificate and complete the above instructions as per applying your SSL certificate to a domain.
Plesk Server Administrator 6
Uploading certificate parts
If you have already obtained a certificate containing the private key and certificate part (and possibly a CA certificate), follow these steps to upload it:
At the certificate repository page, click on the ADD button. You will be taken to the SSL certificate creation page.
In the Upload certificate files section of the page, use the Browse button to locate the appropriate certificate file or a required certificate part.
Click SEND FILE. This will upload your certificate parts to the repository.
You can upload an existing certificate in two ways:
1. Choose a file from the local network and click on the SEND FILE button (.TXT files only).
2. Type in or paste the certificate text and private key into the text fields and click on the SEND TEXT button.
Uploading a CA certificate
The AddTrustUTNServerCA.crt file is the CA Certificate, or rootchain certificate. The CA Certificate is used to identify and authenticate the certificate authority that issued your SSL certificate. To upload your CA Certificate, follow these steps:
At the certificate repository page, select a certificate from the list. You will be taken to the SSL certificate properties page.
Use the Browse button, within the section related to the certificate uploading, to locate the appropriate CA Certificate file.
Click SEND FILE. This will upload your CA Certificate to the repository.
You can upload an existing certificate in two ways:
1. Choose a file from the local network and click on the SEND FILE button (.TXT files only).
2. Type in or paste the CA certificate text into the text field and click on the SEND TEXT button.
NOTE: When you add a certificate, it is not installed automatically onto the domain or assigned to an IP address, but only added to the Certificate repository. You can assign a certificate to an IP address at the Client's IP pool, at the IP aliasing management page, and during hosting creation on an exclusively granted IP.
Plesk Server Administrator 7
1. Login to the Plesk 7 Control Panel.
2. From the left hand menu, select 'Domains'.
3. Click on the domain name that the certificate is for.
4. Click on the 'Certificates' menu item.
5. There is a button in the middle of the page labeled 'Browse'. Click 'Browse' and navigate to the location of the saved site certificate you received from directNIC.com. Select it, then select 'Send File'. This will upload and install the certificate against the corresponding Private Key.
6. The certificate name will now appear in the list of certificates at the bottom of the page.
7. Click on the name of the Certificate from the list.
8. Find the box on the page labelled 'CA Certificate'. You will need to paste both the intermediate CA certificate and GTE root certificates from the .zip file you have received into this box.
They must be pasted in this order: the intermediate CA certificate (AddTrustUTNServerCA) first, followed by the USERFirst root certificate (UTN-USERFirst-Hardware). The result will look similar to the example below (please note: no blank line between the end of one certificate and the start of the next):
-----BEGIN CERTIFICATE-----
MIIEyDCCBDGgAwIBAgIEAgACmzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3liZXJU
.....
zs1x+3QCB9xfFScIUwd21LkG6cJ3UB7KybDCRoGAAK1EqlzWINlVMr5WlvHqvaDj
vA2AOurM+5pX7XilNj1W6tHndMo0w8+xUengDA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB+jCCAWMCAgGjMA0GCSqGSIb3DQEBBAUAMEUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xHDAaBgNVBAMTE0dURSBDeWJlclRydXN0IFJv
.....
IjeaY8JIILTbcuPI9tl8vrGvU9oUtCG41tWW4/5ODFlitppK+ULdjG+BqXH/9Apy
bW1EDp3zdHSo1TRJ6V6e6bR64eVaH4QwnNOfpSXY
-----END CERTIFICATE-----
9. Click the 'Send Text' button.
10. Now click 'Up Level' from the top right of the screen and choose 'Setup'.
11. At the top of the page, change the 'SSL Certificate' drop-down menu to the certificate you have just installed.
12. Click the 'Server' item from the left hand menu.
13. Click on the 'Service Management' menu item.
14. You now need to Stop and Start the Apache process.
NOTE: Restarting Apache will NOT work. You must stop the service, then start it again to complete the installation.
SSL Accelerator
SonicWALL SSL Offloader
Importing a Server Certificate and Chain into the SonicWALL SSL Offloader
Chained Certificates
All SonicWALL SSL Offloaders support chained certificates. Once the certificates are unzipped into multiple certificates prior to importing into the SonicWALL SSL Offloader, the certificate will need to be imported using the chained certificate commands. The certificates will have a root certificate, and an intermediate CA certificate in addition to the server/domain certificate.
EXAMPLE - Instructions for using OpenSSL
Now that you have received the certificate, you will need to unzip it into the root, intermediate and server certificates so that you can enter them into the SonicWALL SSL Offloader.
Start by unzipping the 3 certificates. You will only need the Intermediate CA file and your Site/Domain certificate.
Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and just install OpenSSL by choosing the 'Custom Installation' option.
Once launched, open the Intermediate CA file and the Site/Domain certificate in a text editor.
You will need to copy and paste the entire text including
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
The Site/Domain certificate is the server certificate.
The intermediate CA file is the intermediary certificate.
Save these files (e.g. C:\server.pem and C:\inter.pem).
Verify the certificate information with openssl:
x509 -in C:\server.pem -text
(and)
x509 -in C:\inter.pem -text
EXAMPLE - Setting Up the Chained Certificates
Now that you have the proper certificates, you start by loading the certificates into certificate objects. These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA generated certificate is server.pem; the name of the PEM-encoded certificate is inter.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.
Start the configuration manager as described in the manual.
Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter any passwords.)
inxcfg> attach myDevice
inxcfg> configure myDevice
(config[myDevice])>
Enter SSL Configuration mode and create an intermediary certificate named CACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.
(config[myDevice])> ssl
(config-ssl[myDevice])> cert myCert create
(config-ssl-cert[CACert])> pem inter.pem
(config-ssl-cert[CACert])> end
(config-ssl[myDevice])>
Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem server.pem key.pem
(config-ssl-keyassoc[localKeyAssoc])> end
(config-ssl[myDevice])>
Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert myCert
(config-ssl-certgroup[CACertGroup])> end
(config-ssl[myDevice])>
Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, a security policy myPol, the certificate group CACertGroup, key association localKeyAssoc, and exit to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
(config-ssl-server[server1])> end
(config-ssl[myDevice])> end
(config[myDevice])> end
inxcfg>
Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice
inxcfg>
Additional documents and technical notes on SonicWALL SSL can be found online at http://www.sonicwall.com/support/ssl_documentation.html
Intel NetStructure 7110
When you receive the certificate, unzip it and import it into the 7110. Use the import cert command, with the KeyID. As with the import key, choose an import protocol for importing the key. Use p for paste. After the paste is finished, add three periods to display the command line.
You must import both the site certificate and the intermediate CA certificate. Both certificates must be chained together in a single file.
Use the import cert command to import the chained certificates. Paste the server's site certificate first, followed by the Comodo intermediate certificate. Follow the intermediate CA certificate by typing three periods on a new line.
Example:
Intel 7110> import cert webserver
keyid is webserver;
Import protocol: paste, xmodem, uudecode
[paste]: <Enter>
Type or paste in date, end with ... alone on line
-----BEGIN CERTIFICATE-----
MIIFZTCCBM6gAwIBAgIQCTN2wvQH2CK+rgZKcTrNBzANBgkq
…………..more text…………
Fw0wMDExMTAyMzU5NTlaMIHHMQswCQYDVQQGEwJVUzETMBEG
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEMTCCA5qgAwIBAgIQI2yXHivGDQv5dGDe8QjDwzANBgkq
…………..more text…………
m8hDjswMKNXRjM1GUOMxlmaSESQeSltLZl5lVR5fN5qu
-----END CERTIFICATE-----
<Enter>
...<Enter>
Import successful!
Intel 7110>
NOTE: There must be no white space before, between, or after certificates, and the "Begin..." headers and "End..." trailers must all be included.
Create mapping for Server 1. Use the create map command to specify the server IP address, ports, and keyID.
Intel 7110> create map
Server IP (or 0.0.0.0): 10.1.1.30
SSL (network) port [443]: <Enter>
Cleartext (server) port [80]: <Enter>
KeyID to use for mapping: webserver
Save the configuration when the server has been mapped.
Intel 7110> config save
Saving configuration to flash...
Configuration saved to flash
Intel 7110>
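The Plesk 7 and Intel 7110 sections above both require several certificates pasted as one block, in a fixed order, with no blank lines or stray whitespace. The following is an added example, not code from directNIC or any vendor named here: it cleans each pasted certificate and joins them in the order you supply, refusing private-key blocks and truncated pastes. The function names are assumptions and the sample inputs are constructed DER placeholders, not real certificates; it checks PEM framing and outer DER shape only, not signatures or issuer order.

```python
import base64
import binascii
import re

# One PEM block of any type; the label is captured so non-certificates can be rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def der_is_single_sequence(der: bytes) -> bool:
    """True if the bytes are exactly one DER SEQUENCE (outer shape of an X.509 cert)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def normalize_cert(pem_text: str) -> str:
    """Return one certificate as clean PEM: 64-column base64, no stray whitespace."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        # A private key must never end up in a CA or chain paste.
        raise ValueError(f"refusing to bundle a '{label}' block")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der_is_single_sequence(der):
        raise ValueError("body is not a single DER SEQUENCE (truncated paste?)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    )


def build_chain(certs_in_order: list[str]) -> str:
    """Join certificates in the caller's order, with no blank lines or padding."""
    return "\n".join(normalize_cert(c) for c in certs_in_order)


def constructed_pem(payload: bytes) -> str:
    """Constructed sample input (not a real certificate), with messy whitespace."""
    der = bytes([0x30, len(payload)]) + payload
    b64 = base64.b64encode(der).decode("ascii")
    return (f"\r\n  -----BEGIN CERTIFICATE-----\r\n{b64}\r\n"
            "-----END CERTIFICATE-----\r\n\r\n")


if __name__ == "__main__":
    site = constructed_pem(b"\x02\x01\x01")
    intermediate = constructed_pem(b"\x02\x01\x02")
    # Intel 7110 order: site certificate first, then the intermediate.
    # For the Plesk 7 'CA Certificate' box pass [intermediate, root] instead.
    print(build_chain([site, intermediate]))
```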
Stronghold 3
You will receive your certificate via email, pasted in the body of the email and also attached as a text file. You can either rename the attached text file and ftp it to your web server or copy the certificate from the body of the email and create a text file.
Use the getcert script to install server certificate.
You will be prompted for your certificate. Copy the text from the email that you received from Comodo in the "Your Web Server Certificate" section and paste it into the section that getcert provides.
Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Press (Ctrl-D).
Repeat the above steps to install your CA certificate file before moving on to restarting your server.
Restart your web server by using the following commands:
stronghold/bin/strongholdctl restart
Or
stronghold/bin/strongholdctl start
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your web browser will be displayed in the locked position if you have set up your site properly.
WebSTAR 4.0 and higher
Go to the WebSTAR ADMIN utility.
Open Server Settings under Edit.
Select SSL Security.
Select your server IP address on the upper panel.
Select SSL2&SSL3 on the lower panel in the Security Drop Down Menu.
Click the Choose button to select your new certificate file location under SSL Certificate File.
Click the Choose button to select its matching private key file location under Private Key File.
Type your private key password.
Select all encryption options, except MAC (No Encryption).
Save and then exit the utility.
Stop and then Start your WebSTAR server.
Test your certificate by connecting to your server.
Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
For additional instructions, please refer to WebSTAR's web site at: http://www.starnine.com/products/webstar/docs/ws4manual.40.html
Zeus Web Server v3
Warning: If you lose the key ring password, you must purchase a new certificate.
Select the Web icon from the Admin Server control panel.
Select the Nut & Bolt icon for this server. Select SSL Configuration.
Define the file paths for this chained certificate and your Private Key at the Edit Server panel. Click Update.
Return to the Admin Server's Home Page which displays the status of your virtual web servers.
Click on the red traffic light to make it green.
Stop the server by issuing the command: /usr/local/zeus/stop-zeus
Restart server by issuing the command: /usr/local/zeus/start-zeus
For additional instructions, please refer to the ZEUS web site.
Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://yourserver/) to indicate you wish to use secure HTTP.
Note: The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
Appendix B -- Site Seal Installation Instructions
Step 1: Copy the JavaScript below into your HTML page's <HEAD> tag.
Use the following line if you are displaying your site seal over a STANDARD NON-SECURE page (e.g. http://):
<script language="JavaScript" SRC="http://www.trustlogo.com/trustlogo/javascript/trustlogo.js" type="text/javascript"></script>
Use the following line if you are displaying your site seal over a SECURE page (e.g. https://):
<script language="JavaScript" SRC="https://secure.comodo.net/trustlogo/javascript/trustlogo.js" type="text/javascript"></script>
Step 2: Save one of the seal logos below to a web-accessible place on your web server and note the complete URL (e.g. http://directnic.com/seal_logo.gif).
Step 3: Copy and paste the line below into your web page's HTML. *Note* You must substitute LOGO URL with the URL you saved the logo to.
<script type="text/javascript">TrustLogo("LOGO URL", "SC", "");</script>
Available Logos: