Installation Instructions for Intermediate CA Certificate

SSL certificates issued via the TC ID Store require the installation of an intermediate CA certificate.

The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of your SSL certificates. Before you install your issued SSL certificate you must install the intermediate certificate on your Web server.


 

Installation Instructions for TC TrustCenter Intermediate Certificate Authority (CA) Certificate (TC TrustCenter Class 2 L1 XI)

All TC Trust SSL certificates are issued below the 2048 Bit TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II) and the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI).

The TC TrustCenter CA should be preinstalled but the TC TrustCenter Intermediate CA certificate has to be imported manually.

You can obtain the TC Intermediate Certificate Authority (CA) Certificate at these URLs:
http://www.trustcenter.de/infocenter/root_certificates.htm (German)
http://www.trustcenter.de/en/infocenter/root_certificates.htm (English)

Click on the server type you are using for instructions to install the TC TrustCenter Intermediate CA certificate:

Microsoft IIS 5.0 and 6.0
Apache
Tomcat (keytool)
BEA Weblogic 8.1
Netscape iPlanet 6.x
IBM HTTP Server or Websphere running iKeyman

 
Microsoft IIS 5.0 and 6.0

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate. If you are unable to use these instructions for your server, we recommend that you contact Microsoft.

Installing an SSL Certificate

TC TrustCenter will send you the SSL certificate via email. The certificate will be in the body of the email, and you need to create a .cer file (example: NewCertificate.cer) by copying and pasting the certificate text into a plain text editor such as Notepad or Vi. Please be sure to include the header and footer as well as the surrounding dashes. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

Open the Internet Services Manager (IIS)

  • Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
  • Under Web Sites, right-click your web site and select Properties
  • Click the Directory Security tab
  • Under Secure Communications, click Server Certificate
  • The Web Site Certificate Wizard will open, click Next
  • Choose Process the Pending Request and Install the Certificate, then click Next


Important:
The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.

  • Select the location of the certificate response file, and then click Next
  • Read the summary screen to be sure that you are processing the correct certificate and then click Next
  • At the confirmation screen, verify the information and click Next
  • Stop and start your Web server prior to any testing. Be sure to assign your site an SSL port (443 by default). If you do not specify an IP address when installing your SSL Certificate, the same ID will be used for all virtual servers created on the system. If you are hosting multiple sites on a single server, you can specify that the ID only be used for a particular server IP address.

 

Import an Intermediate CA Certificate

  1. Open the Microsoft Management Console (MMC) > Go to Start >  Run > enter MMC > select OK
  2. Select File or Console > select Add/Remove Snap-In
  3. From the list, select Certificates > select Add > select Computer Account and Local Computer > select OK
  4. From the left window, select Certificates
  5. From the right window, double-click Intermediate Certification Authorities
  6. Right-click Certificates > select All Tasks > Import.  This will open the Certificate Import Wizard.
  7. Click Next
  8. Browse to the location of the intermediate certificate > select Next
  9. Select Place the certificate in the following store:  Intermediate Certification Authorities
  10. Click Finish.  Restart the service for the corresponding site

 

Apache

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate. If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your software or an organization that supports Apache-SSL.

Step 1: Install the TC TrustCenter Root CA certificate and the TC TrustCenter Intermediate CA certificate

Before installing your certificate, you must first obtain the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II) as well as the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI) and save them in the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt
Note: Be sure to use Vi or Notepad as word processing programs like Microsoft Word may add additional characters that may render the certificate unusable.

Step 2: Install the SSL Certificate

Your TC certificate will be sent via email and the certificate text is included in the body. Copy and paste it into a text file (such as OriginalCert.txt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

  1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: cert.crt
  2. Copy your certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.

Step 3: Configure the Server

  1. In order to use the key pair, the httpd.conf file will need to be updated.
  2. Locate the Virtual Host settings for your site in the httpd.conf file. Verify that the following 3 directives are present within this Virtual Host, and add any that are missing:
  • SSLCertificateFile /usr/local/ssl/crt/public.crt
  • SSLCertificateKeyFile /usr/local/ssl/private/private.key
  • SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

The first directive tells Apache how to find the Certificate File, the second one where the private key is located, and the third line the location of the intermediate certificate.

If you are using a different location and certificate file names than the example above (which most likely you are) you will need to change the path and filename to reflect your server.

Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.

  1. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:
    apachectl stop
    apachectl startssl
  2. You should now be set to start using your TC certificate with your Apache-SSL Server
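
The three directives above only work if the certificate parses, the private key belongs to it, and it chains through the intermediate to the root. The following check is an added example, not part of the original TC TrustCenter instructions; it assumes the openssl command-line tool is installed, and the function names, the root.crt file name and the constructed throwaway chain from make_demo_chain are hypothetical.

```shell
#!/bin/sh
# Added example: pre-restart checks for the files behind SSLCertificateFile,
# SSLCertificateKeyFile and SSLCACertificateFile. Assumes the openssl CLI.

# key_matches_cert CERT KEY: true if KEY's public half is the one in CERT.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies ROOT INTERMEDIATE CERT: true if CERT chains through
# INTERMEDIATE (untrusted helper) up to ROOT (trust anchor).
chain_verifies() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# check_install ROOT INTERMEDIATE CERT KEY: prints the first problem, or "ok".
check_install() {
    openssl x509 -in "$3" -noout 2>/dev/null ||
        { echo "certificate file is not valid PEM"; return 1; }
    key_matches_cert "$3" "$4" ||
        { echo "private key does not match certificate"; return 1; }
    chain_verifies "$1" "$2" "$3" ||
        { echo "certificate does not chain to root via intermediate"; return 1; }
    echo "ok"
}

# make_demo_chain DIR: constructed throwaway root -> intermediate -> server
# certificates (hypothetical helper, for trying the checks offline).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root intermediate public; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    mv "$d/public.key" "$d/private.key"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 \
        -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/public.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
        -out "$d/public.crt" 2>/dev/null
}

# Demo on the constructed chain; with real files pass your own four paths.
demo=$(mktemp -d) && make_demo_chain "$demo" &&
    check_install "$demo/root.crt" "$demo/intermediate.crt" \
        "$demo/public.crt" "$demo/private.key"   # prints: ok
rm -rf "$demo"
```

With real files, pass the root, intermediate, certificate and key paths you configured in the Virtual Host, in that order, before restarting Apache.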

 

Tomcat (keytool)

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI). If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your software or an organization that supports Tomcat.

Step 1: Install the TC TrustCenter Root CA certificate

You must first obtain the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II). In the following example please replace the example keystore name 'domain.key' with your keystore name.

Use the following command to import this certificate in the keystore:

keytool -import -trustcacerts -alias root -file (insert root certificate file name) -keystore domain.key

Step 2: Install the TC TrustCenter Intermediate CA certificate

Create a file in Notepad and save the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI) as intermediate.cer

Use the following command to import this certificate in the keystore:

keytool -import -trustcacerts -alias inter -file (insert intermediate CA file name) -keystore domain.key

Step 3: Install the SSL Certificate

TC will send you the SSL certificate via email. The certificate is in the body of the email. Copy and paste it into a text file using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters.

Enter the following command to import your SSL Certificate (where yyy is the alias specified during CSR creation):

keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key

 

BEA Weblogic 8.1

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI). If you are unable to use these instructions for your server, we recommend that you contact either BEA or an organization that supports Weblogic 8.1.

Step 1: Install the TC TrustCenter Root CA certificate

You must first obtain the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II). Download and save it as tc_root.cer on your local or network file system. In the following example please replace the example keystore name 'domain.key' with your keystore name. Use the following command to import this certificate in the keystore:

keytool -import -trustcacerts -alias root -keystore domain.key -file tc_root.cer

Step 2: Install the TC TrustCenter Intermediate CA certificate

Then obtain the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI) and save it as intermediate.cer.

Use the following command to import this certificate in the keystore:

keytool -import -trustcacerts -alias intermediate -keystore domain.key -file intermediate.cer

Step 3: Install the SSL Certificate

TC will send you the SSL certificate via email. The certificate is in the body of the email. Copy and paste it into a text file using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters.

Enter the following command to import your SSL Certificate (where yyy is the alias specified during CSR creation):

keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key

 

Netscape iPlanet 6.x

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI). If you are unable to use these instructions for your server, we recommend that you contact either the server software vendor or an organization that supports iPlanet.

 

Step 1: Install the TC TrustCenter Root CA certificate

To properly install your certificate, you must first obtain the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II) and create a file in Notepad called root.txt. To install the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II):

  1. Select the server instance to manage and click Manage
  2. Click Security
  3. Click Install Certificate
  4. Select Server Certificate Chain
  5. Enter the key pair file password
  6. Enter a Certificate Name. Example: Root_CA
  7. Select Message text (with headers)
  8. Paste the contents within the root.txt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the box and click OK
  9. Click Add Server Certificate
  10. Do not shut down and restart the server; proceed to Step 2

 

Step 2: Install the TC Intermediate CA Certificate

Create a file in Notepad and save it as intermediate.txt.

To install the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI):

  1. Select the server instance to manage and click Manage
  2. Click Security
  3. Click Install Certificate
  4. Select Server Certificate Chain
  5. Enter the key pair file password
  6. Enter a Certificate Name. Example: Intermediate_CA
  7. Select Message text (with headers)
  8. Paste the contents within the intermediate.txt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the box and click OK
  9. Click Add Server Certificate
  10. Do not shut down and restart the server; proceed to Step 3.

 

Step 3: Install the TC SSL Certificate

Your TC certificate will be sent via email. Look for the certificate text in the body of the email and copy and paste it into a text file (such as OriginalCert.txt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

  1. Select the This Server option
  2. Enter the key pair file password
  3. Enter a Certificate Name. Example: http://www.mysecurewebsite.com/
  4. Select Message text (with headers)
  5. Paste the Certificate text into the box and click OK
  6. Click Add Server Certificate
  7. Click Apply
  8. Select the apply changes option that allows the server to restart

 

IBM HTTP Server or Websphere running iKeyman

This document provides instructions for installing TC TrustCenter Server certificates with the TC TrustCenter Intermediate CA certificate. If you are unable to use these instructions for your server, we recommend that you contact either the server software vendor or an organization that supports IBM server software.

 

Step 1: Install TC TrustCenter Root CA certificate

To properly install your certificate, you must first obtain the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II) and create a file in Notepad called Root.txt. To install the TC TrustCenter Root CA certificate (TC TrustCenter Class 2 CA II):

  1. Start the key management utility (iKeyman)
  2. Open the key database file that was used to create the certificate request
  3. Enter the password, and then click OK
  4. Select Signer Certificates and then click Add
  5. Click Data type, and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate
  6. Enter a file name and location for the TC TrustCenter Root CA certificate or click Browse to select a file name and location
  7. Click OK
  8. Enter a label for the importing certificate
  9. Click OK

The Signer Certificates field displays the label of the signer certificate you added.

 

Step 2: Install the TC TrustCenter Intermediate CA certificate 

Create a file in Notepad and save it as intermediate.txt.

To install the TC TrustCenter Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI):

  1. Start the key management utility (iKeyman)
  2. Open the key database file that was used to create the certificate request
  3. Enter the password, and then click OK
  4. Select Signer Certificates and then click Add
  5. Click Data type, and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate
  6. Enter a file name and location for the TC TrustCenter Root CA certificate or click Browse to select a file name and location
  7. Click OK
  8. Enter a label for the importing certificate
  9. Click OK

The Signer Certificates field displays the label of the signer certificate you added.

 

Step 3: Install the TC SSL Certificate

TC will email you your certificate. The certificate is in the body of the email. Copy and paste it into a text file (such as OriginalCert.txt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.

Step A: Installing the certificate

Using the iKeyman graphical user interface (GUI)

After TC sends you an SSL certificate, you add it to the key database file from which you generated the CSR. TC sends you the SSL certificate as part of an email; copy the certificate into a separate file. If necessary, move the file to the server machine.

  1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows)
  2. Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system
  3. Choose Open from the Key Database File menu. Click Key database type, and select CMS
  4. Click Browse to navigate to the directory containing the key database files
  5. Select the key database file to which you want to add the certificate. For example, key.kdb
  6. Click Open
  7. In the Password Prompt window, type the password you set when you created the key database and then click OK
  8. Select the Personal Certificates view
  9. Click Receive
  10. In the Receive certificate from a file window, select the data type of the new SSL certificate. For example, Base64-encoded ASCII for a file with the .arm extension
  11. Click Browse to select the name and location of the certificate file name
  12. Click OK

Using the iKeycmd (command line interface)

To install a certificate in iKeycmd (using UNIX command line), use this command:

gsk7cmd -cert -receive -file filename -db filename -pw password -format ascii

To install a certificate in iKeycmd (using Windows command line), use this command:

runmqckm -cert -receive -file filename -db filename -pw password -format ascii

where:

+ -file filename is the fully qualified file name of the file containing the personal certificate
+ -db filename is the fully qualified file name of a CMS key database
+ -pw password is the password for the CMS key database
+ -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.

Step B: Transferring certificates

You can extract an SSL certificate from a key database file and store it in a CA key ring file by performing the following steps:

Using the iKeyman graphical user interface (GUI)

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows)
  2. Choose Open from the Key Database File menu. Click Key database type, and select CMS
  3. Click Browse to navigate to the directory containing the key database files
  4. Select the key database file to which you want to add the certificate. For example, key.kdb
  5. Click Open
  6. In the Password Prompt window, type the password you set when you created the key database and then click OK
  7. Select Signer Certificates in the Key database content field, and then select the certificate you want to extract
  8. Click Extract
  9. Select the Data type of the certificate. For example, Base64-encoded ASCII data for a file with the .arm extension
  10. Click Browse to select the name and location of the certificate file name
  11. Click OK. The certificate is written to the file you specified

Using the iKeycmd (command line interface)

To extract a certificate in iKeycmd (using UNIX command line), use this command:

gsk7cmd -cert -extract -db filename -pw password -label label -target filename -format ascii

To extract a certificate in iKeycmd (using Windows command line), use this command:

runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii

where:

+ -db filename is the fully qualified pathname of a CMS key database
+ -pw password is the password for the CMS key database
+ -label label is the label attached to the certificate
+ -target filename is the name of the destination file
+ -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER
