Skip to end of metadata
Go to start of metadata

This page is available to list information and links to support pages with information useful for system administrators responsible for utilizing the InCommon Certificate Service.

Requesting a certificate (Generating a CSR - Certificate Signing Request)

IIS (Windows)

Requesting a new certificate

Follow these directions to generate a certificate signing request (CSR):

Windows 2003 Server: CSR Generation: Microsoft IIS 5.x & 6.x

Windows 2008 Server: CSR Generation: Microsoft IIS 7.x

Apache httpd (Linux/Unix)

Requesting a new certificate

Follow these directions to generate a certificate signing request (CSR): CSR Generation: Using OpenSSL (Apache & mod_ssl, NGINX)

Tomcat (Linux/Unix)

Requesting a new certificate

Follow these directions to generate a certificate signing request (CSR): http://www.digicert.com/csr-creation-tomcat.htm

Submitting the CSR

Follow these directions to submit the certificate signing request (CSR): InCommon Certificate Service - SSL Certificate Request

Installing a Certificate

IIS (Windows)

Installing a new certificate

Once you have been notified by InCommon that your certificate has been generated, follow these directions to install the certificate:

Windows 2003 Server: Certificate Installation: Microsoft IIS 5.x & 6.x 

Windows 2008 Server: Certificate Installation: Microsoft IIS 7.x

Note that you should use the "PKCS#7 Base64 encoded" link to download the certificate for use with IIS.

NOTE: To ensure users do not receive errors visiting your site if they've never used a site with an InCommon Intermediate certificate, be sure to install the InCommon Intermediate certificate (and if necessary the AddTrust Root certificate) using the Root and Intermediate Certificate installation via MMC directions.

Replacing an existing certificate

By default, when using the IIS Certificate wizard in Windows to create a certificate signing request (CSR) for a new InCommon certificate, the wizard assumes that you are replacing the existing certificate. As a result, IIS also assumes you no longer want to use the existing certificate, leaving your site unavailable via https, an undesirable situation. However, you don't need to have your site unavailable while waiting for the certificate signing request to be processed by the certificate authority. You can use this information to get around this restriction in Windows: How to create a CSR without removing your current certificate in IIS

Migrate an existing certificate

If you are replacing a server that currently has an InCommon certificate in use, you can migrate the certificate to the new server, avoiding the need to issue a new CSR and wait for a new certificate to be generated. This can be done even if the new server is using a different version of Windows and IIS than the existing server. Here are the directions for Exporting and Restoring a PFX file to IIS 

Apache httpd (Linux/Unix)

Installing a new certificate
Once you have been notified by InCommon that your certificate has been generated, follow these directions to install the certificate: Certificate Installation: Apache & mod_ssl Note that you should use the "X509 Certificate only, Base64 encoded" link to download the client certificate, and the "X509 Intermediates/root only Reverse, Base64 encoded" link to download the intermediate and rootcertificates, for use with httpd.

Tomcat (Windows)

http://www.digicert.com/ssl-certificate-installation-tomcat.htm to install directly to Tomcat.

Or another method of getting SSL protection in Tomcat on Windows is to first request and install a certificate in IIS (even if no website is hosted by IIS), and the export the certificate from IIS, to import into Tomcat. To export an SSL certificate from IIS for use with Tomcat on Windows, follow these directions: Export SSL Certificate from IIS and Import into Tomcat

Tomcat (Linux/Unix)

To import an existing SSL key and certificate in Linux/Unix to Tomcat, follow these instructions: Importing existing SSL key and certificate for tomcat

Testing Certificate Installation

Verifying proper certificate chaining

A common issue when installing a certificate is that the chain of certificates is not installed properly:
For SHA-1:
  • AddTrust Root Certificate
  • InCommon Intermediate Certificate, and
  • Client Certificate

For SHA-2:

  • AddTrust Root Certificate
  • USERTrust Root Certificate
  • InCommon Intermediate Certificate, and
  • Client Certificate

Pieces of the overall certificate can be missing, or installed in an improper order. To test that the certificate is working as expected, use one of the sets of directions below. (Testing should need to be done with only a single browser.)

Verifying certificate chaining with Firefox
  • No labels