How to Install TC Extended Trust SSL

Before you begin the installation, make a back-up of your certificate that you can keep in a safe place. This makes re-securing your server much easier if your server crashes.

TC Extended Trust SSL certificates require the installation of separate Intermediate CA Certificates: the TC TrustCenter Class 4 Extended Validation CA III, the GeoTrust Primary CA and the Equifax Secure CA Root certificate.

Installation is straightforward, but varies for different web server applications. Please select your server from our list below:


 

SSL Server Types:


Can't find your SSL server type? Please visit our FAQ for more information about different SSL server types. If you can't find your SSL server type in our FAQ either, please contact our Support.

After following one of the instructions above, you need to test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your/server/) to indicate that you wish to use secure HTTP. If you have set up your site properly, the padlock icon in your web browser will be displayed in the locked position.

 

Microsoft IIS 5.0 to 7.0

This document provides instructions for installing TC Extended Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Microsoft IIS 5.0 to 7.0.


1 Install the TC Extended Trust SSL certificate

Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .cer file (such as tc_server.cer) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.  
NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

Open the Internet Information Services (IIS) Manager:

  1. Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
  2. Under Web Sites, right-click your web site and select Properties
  3. Click the Directory Security tab
  4. Under Secure Communications, click Server Certificate
  5. The Web Site Certificate Wizard will open, click Next
  6. Choose Process the Pending Request and Install the TC Extended Trust SSL certificate, then click Next

Important: The pending request must match the response file. If you deleted the pending request in error, you must generate a new CSR and replace this certificate.

  7. Select the location of the TC Extended Trust SSL certificate response file, and then click Next
  8. Read the summary screen to be sure that you are processing the correct certificate and then click Next
  9. At the confirmation screen, verify the information and click Next
  10. Stop and restart your web server prior to any testing. Be sure to assign your site an SSL port (443 by default). If you do not specify an IP address when installing your TC Extended Trust SSL certificate, the same ID will be used for all virtual servers created on the system. If you are hosting multiple sites on a single server, you can specify that the ID only be used for a particular server IP address.


2 Install the Intermediate CA certificate

  1. Download the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate) 
  2. Install the TC Intermediate certificate in the Intermediate Certification Authorities store, as described in the following steps
  3. Open the Microsoft Management Console (MMC): go to Start > Run... > enter MMC > select OK
  4. Select File or Console > select Add/Remove Snap-In
  5. From the list, select Certificates > select Add > select Computer Account and Local Computer > select OK
  6. From the left window, select Certificates
  7. From the right window, double-click Intermediate Certification Authorities
  8. Right-click Certificates > select All Tasks > Import.  This will open the TC Intermediate CA certificate Import Wizard.
  9. Click Next
  10. Browse to the location of the TC Intermediate CA certificate > select Next
  11. Select Place and save the TC Intermediate CA certificate in the following store: Intermediate Certification Authorities
  12. Click Finish. Restart the service for the corresponding site


3 Install the Root CA certificate and the Cross CA certificate

  1. Download the Equifax Secure CA Root certificate (Root CA certificate), double-click the corresponding file to start the import wizard, and install the Root CA certificate manually in the Trusted Root Certification Authorities store: "Show physical stores/Trusted Root Certification Authorities/Local Computer"
  2. Download the GeoTrust Primary CA (Cross CA certificate), double-click the corresponding file to start the import wizard, and install the Cross CA certificate in the Intermediate Certification Authorities store: "Show physical stores/Intermediate Certification Authorities/Local Computer"

 

4 Backing up your key pair file — IMPORTANT!!!

  1. Select the Internet Information Service Manager within the Administrative Tools menu.
  2. Select the web site (host) for which the certificate was made.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select the Server Certificate option.
  6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
  7. Select Export the current certificate to a .pfx file. Click Next.
  8. Select the path and file name. Click Next.
  9. Select a password. Click Next.
  10. View the certificate contents.
  11. Click on Finish.
  12. Keep this .pfx file in a safe place. You will need it if your system crashes!

 

Apache  

This document provides instructions for installing TC Extended Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Apache-SSL.


1 Install the Root CA certificate, the Cross CA certificate and the Intermediate CA certificate

Before installing your TC Extended Trust SSL certificate, you first need to obtain the EV Premium Root Package for Apache. Save this file as intermediate.crt in the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt.


2 Install the TC Extended Trust SSL certificate

Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .txt file (such as server.crt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

If you have not already set up a secure virtual host or would like to learn more about SSL, refer to the following link for more information:
http://www.faqs.org/docs/Linux-HOWTO/SSL-RedHat-HOWTO.html

  1. To follow the naming convention for Apache, rename the TC Extended Trust SSL certificate filename with the .crt extension. For example: server.crt
  2. Copy your TC Extended Trust SSL certificate and the Intermediate CA certificates into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/
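
The paste check that the NOTE above asks for can be automated. The following is an added example, not part of TC TrustCenter's instructions; `lint_pem`, `write_constructed_samples` and the sample file names are constructed here. It inspects only the text framing of the file and does not parse the certificate itself.

```shell
#!/bin/sh
# lint_pem FILE: report paste damage in a PEM certificate file.
# Prints one finding per line; returns 0 when clean, 1 on findings,
# 2 if the file cannot be read.
lint_pem() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    bom=0
    # A UTF-8 byte-order mark (EF BB BF) is prepended by some Windows editors.
    if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then bom=1; fi
    LC_ALL=C awk -v bom="$bom" '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad++ }
        NR == 1 && bom {
            report("byte-order mark before first character")
            $0 = substr($0, 4)                # drop the three BOM bytes
        }
        { sub(/\r$/, "") }                    # CRLF line endings are tolerated
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside) report("BEGIN line inside an unfinished block")
            inside = 1; blocks++; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside) report("END line without a BEGIN line")
            inside = 0; next
        }
        /BEGIN CERTIFICATE|END CERTIFICATE/ {
            report("damaged marker line (dashes or spacing altered)")
            inside = ($0 ~ /BEGIN/); blocks += inside; next
        }
        inside && $0 ~ "^[A-Za-z0-9+/=]+$" { next }
        inside { report("blank line, space or non-base64 character in body"); next }
        /^[ \t]*$/ { next }                   # blank lines between blocks: ignored
        { report("text outside the BEGIN/END lines") }
        END {
            if (inside) { print "end of file: END CERTIFICATE line missing"; bad++ }
            if (!blocks) { print "no certificate block found"; bad++ }
            exit (bad > 0)
        }' "$f"
}

# Constructed samples: the body is placeholder base64, not a real certificate.
write_constructed_samples() {
    body='Q09OU1RSVUNURUQrU0FNUExFL05PVCtBK1JFQUwrQ0VSVElGSUNBVEU='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" "$body" \
        '-----END CERTIFICATE-----' > "$1/good.crt"
    # As it might look after a word processor: BOM, one dash lost from the
    # BEGIN line, and a trailing space on the first body line.
    { printf '\357\273\277'
      printf '%s\n' '----BEGIN CERTIFICATE-----' "$body " "$body" \
          '-----END CERTIFICATE-----'; } > "$1/damaged.crt"
}

# Lint a real file when one is named on the command line.
if [ $# -gt 0 ]; then lint_pem "$1"; fi
```
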


3 Configure the Server

  1. In order to use the key pair, the httpd.conf file will need to be updated.
  2. Locate the Virtual Host settings for your site in the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
  • SSLCertificateFile /usr/local/ssl/crt/server.crt
  • SSLCertificateKeyFile /usr/local/ssl/private/private.key (name of private key file)
  • SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

    The first directive tells Apache where to find the TC Extended Trust SSL certificate file, the second where the private key is located, and the third the location of the TC Intermediate CA certificates.

    If you are using a different location and certificate file names than the example above (which most likely you are), you will need to change the path and filename to reflect your server.

    Note: Some instances of Apache contain both a httpd.conf and an ssl.conf file. Enter or change the above directives in either the httpd.conf or the ssl.conf file. Do not enter them in both, as there will be a conflict and Apache may not start.

  3. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:
      apachectl stop
      apachectl startssl
  4. You should now be set to start using your TC Extended Trust SSL certificate with your Apache-SSL Server
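
Before restarting Apache, the three files named in the directives above can be checked against each other. This is an added example, not part of TC TrustCenter's instructions: the function names and the throwaway test chain are constructed here, and root.crt stands for a copy of the root certificate saved separately (an assumption, since the page only names the bundle intermediate.crt).

```shell
#!/bin/sh
# Pre-restart checks for the files named in SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile. Requires openssl.

# True when the private key belongs to the certificate: both must yield the
# same public key. (An encrypted key will prompt for its passphrase.)
key_matches_cert() {   # usage: key_matches_cert server.crt private.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate chains through the CA file to the given root.
# The chain file is passed as -untrusted: only the root is a trust anchor.
chain_verifies() {     # usage: chain_verifies server.crt intermediate.crt root.crt
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Build a throwaway root -> intermediate -> server chain in DIR so the checks
# can be exercised offline. All names and keys are constructed test data.
make_constructed_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Test Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -days 2 -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.cnf" \
        -extensions v3_ca -out "$d/intermediate.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$d/private.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 -CA "$d/intermediate.crt" \
        -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null || return 1
    # A second, unrelated key: what a wrong SSLCertificateKeyFile looks like.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
}

# Run with --demo to exercise both checks on the constructed chain.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_constructed_chain "$d" || exit 1
    key_matches_cert "$d/server.crt" "$d/private.key" && echo "key matches certificate"
    key_matches_cert "$d/server.crt" "$d/other.key" || echo "unrelated key rejected"
    chain_verifies "$d/server.crt" "$d/intermediate.crt" "$d/root.crt" \
        && echo "chain verifies"
    rm -rf "$d"
fi
```

On a real server, call the two functions with the paths from your own Virtual Host instead of the constructed files.
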

     

    4 Backing up your key pair file — IMPORTANT!!!

    For instructions on how to back up your certificate, including the private key, we recommend contacting either the vendor of your server software or an organisation that supports Apache.

     

    Tomcat (keytool)  

    This document provides instructions for installing TC Extended  Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Tomcat.


    1 Install the Root CA certificate

    You must first download the Equifax Secure CA Root certificate  (Root CA certificate), create a .cer file in Notepad and save the Root CA certificate as root.cer on your local or network file system. In the following example please replace the example keystore name 'keystore.key' with your keystore name.

    Use the following command to import this certificate in the keystore:
    keytool -import -alias root -keystore keystore.key -trustcacerts -file root.cer


    2 Install the Intermediate CA certificate

    Download the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate), create a .cer file in Notepad and save the Intermediate CA certificate as intermediate.cer on your local or network file system. In the following example please replace the example keystore name 'keystore.key' with your keystore name.

    Use the following command to import this certificate in the keystore:
    keytool -import -alias intermediate -keystore keystore.key -trustcacerts -file intermediate.cer


    3 Install the Cross CA certificate

    Now you need to create an additional file in Notepad and save the GeoTrust Primary CA (Cross CA certificate) as cross.cer

    Use the following command to import this certificate in the keystore:
    keytool -import -alias cross -keystore keystore.key -trustcacerts -file cross.cer


    4 Install the TC Extended Trust SSL certificate

    Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .crt file (such as server.crt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

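    Enter the following command to import your TC Extended Trust SSL certificate. For -alias, use the alias specified during CSR creation (e.g. certreq.csr) in place of the example value, so that keytool attaches the certificate to the existing key entry: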
    keytool -import -alias server.crt -file server.crt -keystore keystore.key

    Weblink:
     http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
     http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

     

    5 Backing up your key pair file — IMPORTANT!!!

    For instructions on how to back up your certificate, including the private key, we recommend contacting either the vendor of your server software or an organisation that supports Tomcat (keytool).

     

    BEA Oracle Weblogic  

    This document provides instructions for installing TC Extended Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Weblogic 8.1.


    1 Install the Root CA certificate

    You must first download the Equifax Secure CA Root certificate (Root CA certificate), create a .cer file in Notepad and save the Root CA certificate as root.cer on your local or network file system. In the following example please replace the example keystore name 'keystore.key' with your keystore name.

    Use the following command to import this certificate in the keystore:
    keytool -import -alias root -keystore keystore.key -trustcacerts -file root.cer


    2 Install the Intermediate CA certificate

    Download the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate), create a .cer file in Notepad and save the Intermediate CA certificate as intermediate.cer on your local or network file system. In the following example please replace the example keystore name 'keystore.key' with your keystore name.  

    Use the following command to import this certificate in the keystore:
    keytool -import -alias intermediate -keystore keystore.key -trustcacerts -file intermediate.cer


    3 Install the Cross CA certificate

    Now you need to create an additional file in Notepad and save the GeoTrust Primary CA (Cross CA certificate) as cross.cer

    Use the following command to import this certificate in the keystore:
    keytool -import -alias cross -keystore keystore.key -trustcacerts -file cross.cer


    4 Install the TC Extended Trust SSL certificate

    Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .txt file (such as server.crt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

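    Enter the following command to import your TC Extended Trust SSL certificate. For -alias, use the alias specified during CSR creation (e.g. certreq.csr) in place of the example value, so that keytool attaches the certificate to the existing key entry: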
    keytool -import -alias server.crt -file server.crt -keystore keystore.key

    Weblinks: http://download.oracle.com/docs/cd/E13222_01/wls/docs45/classdocs/API_secure.html

     

    5 Backing up your key pair file — IMPORTANT!!!

    For instructions on how to back up your certificate, including the private key, we recommend contacting either the vendor of your server software or an organisation that supports BEA Oracle Weblogic.

     

    Netscape iPlanet 6.x  

    This document provides instructions for installing TC Extended Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Netscape iPlanet.


    1 Install the Root CA certificate

    1. Download the Equifax Secure CA Root certificate (Root CA certificate)
    2. Create a file in Notepad and save it as root.txt
    3. Select the server instance to manage and click Manage
    4. Click Security
    5. Click Install Certificate
    6. Select Server Certificate Chain
    7. Enter the key pair file password
    8. Enter a Certificate Name. For example, type Root_CA_certificate
    9. Select Message text (with headers)
    10. Paste the contents within the root.txt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the box and click OK
    11. Click Add Server Certificate
    12. Do not shut down and restart the server; proceed with the next step.


    2 Install the Cross CA certificate

    1. Download the GeoTrust Primary CA
    2. Create a file in Notepad and save it as cross.txt
    3. Select the server instance to manage and click Manage
    4. Click Security
    5. Click Install Certificate
    6. Select Server Certificate Chain
    7. Enter the key pair file password
    8. Enter a certificate name. For example, type Cross_CA_certificate
    9. Select Message text (with headers)
    10. Paste the contents within cross.txt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the box and click OK
    11. Click Add Server Certificate
    12. Do not shut down and restart the server; proceed with the next step.


    3 Install the Intermediate CA certificate

    1. Download the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate)
    2. Create a file in Notepad and save it as intermediate.txt
    3. Select the server instance to manage and click Manage
    4. Click Security
    5. Click Install Certificate
    6. Select Server Certificate Chain
    7. Enter the key pair file password
    8. Enter a certificate name. For example, type Intermediate_CA_certificate
    9. Select Message text (with headers)
    10. Paste the contents within the intermediate.txt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the box and click OK
    11. Click Add Server Certificate
    12. Do not shut down and restart the server; proceed with the next step.


    4 Install the TC Extended Trust SSL certificate

    Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .txt file (such as server.txt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

    Select the option This Server

    1. Enter the key pair file password
    2. Enter a certificate name. Example: http://www.mysecurewebsite.com/
    3. Select Message text (with headers)
    4. Paste the certificate text into the box and click OK
    5. Click Add Server Certificate
    6. Click Apply
    7. Select the apply-changes option that allows the server to restart

     

    5 Backing up your key pair file — IMPORTANT!!!

    For instructions on how to back up your certificate, including the private key, we recommend contacting either the vendor of your server software or an organisation that supports Netscape iPlanet 6.x.

     

    IBM HTTP Server or Websphere running iKeyman  

    This document provides instructions for installing TC Extended Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports IBM server software.


    1 Install the Root CA certificate

    1. Download the Equifax Secure CA Root certificate (Root CA certificate)
    2. Create a file in Notepad and save it as root.txt
    3. Start the key management utility (iKeyman)
    4. Open the key database file that was used to create the certificate request
    5. Enter the password, and then click OK
    6. Select Signer Certificates and then click Add
    7. Click Data type, and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate
    8. Enter a file name and location for the Root CA (root.txt) certificate or click Browse to select a file name and location
    9. Click OK
    10. Enter a label for the importing certificate
    11. Click OK

    The Signer Certificates field displays the label of the signer certificate you added.


    2 Install the Intermediate CA certificate

    1. Download the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate)
    2. Create a file in Notepad and save it as intermediate.txt
    3. Start the key management utility (iKeyman)
    4. Open the key database file that was used to create the certificate request
    5. Enter the password, and then click OK
    6. Select Signer Certificates and then click Add
    7. Click Data type, and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate
    8. Enter a file name and location for the Intermediate CA (intermediate.txt) certificate or click Browse to select a file name and location
    9. Click OK
    10. Enter a label for the importing certificate
    11. Click OK

    The Signer Certificates field displays the label of the signer certificate you added.


    3 Install the Cross CA certificate

    Now you need to install the following three CA certificates on the web server:

    1. Download and install the Equifax Secure CA Root certificate (Root CA certificate) manually in the "Trusted Root Certification Authorities" store:
      "Show physical stores/Trusted Root Certification Authorities/Local Computer".
    2. Download and install the GeoTrust Primary CA (Cross CA certificate) in the "Intermediate Certification Authorities" store:
      "Show physical stores/Intermediate Certification Authorities/Local Computer".
    3. Download and install the TC TrustCenter Class 4 Extended Validation CA III (Intermediate CA certificate) in the "Intermediate Certification Authorities" store:
      "Show physical stores/Intermediate Certification Authorities/Local Computer".


    4 Install and transfer the TC Extended Trust SSL certificate

    Your TC Extended Trust SSL certificate will be sent via email. Look for the TC Extended Trust SSL certificate text in the body of the email and copy and paste it into a .txt file (such as server.txt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.


    Step A: Installing the TC Extended Trust SSL certificate

    Step Aa:  Using the iKeyman GUI
    After TC TrustCenter sends you the TC Extended Trust SSL certificate, you add it to the key database file from which you generated the CSR. TC TrustCenter sends you the TC Extended Trust SSL certificate as part of an email; copy the TC Extended Trust SSL certificate into a separate file. If necessary, move the file to the server machine.

    1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows)
    2. Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system
    3. Choose Open from the Key Database File menu. Click Key database type, and select CMS
    4. Click Browse to navigate to the directory containing the key database files
    5. Select the key database file to which you want to add the certificate. For example, key.kdb
    6. Click Open
    7. In the Password Prompt window, type the password you set when you created the key database and then click OK
    8. Select the view Personal Certificates
    9. Click Receive
    10. In the Receive certificate from a file window, select the data type of the new SSL certificate. For example, Base64-encoded ASCII for a file with the .arm extension
    11. Click Browse to select the name and location of the certificate file name
    12. Click OK

    Step Ab:  Using the iKeycmd (command line interface) 
    To install the TC Extended Trust SSL certificate in iKeycmd (using UNIX command line), use these commands:
    + gsk7cmd -cert -receive -file filename -db filename -pw password -format ascii

    To install the TC Extended Trust SSL certificate in iKeycmd (using Windows command line), use these commands:
    + runmqckm -cert -receive -file filename -db filename -pw password -format ascii

    where:

    + -file filename is the fully qualified file name of the file containing the personal certificate
    + -db filename is the fully qualified file name of a CMS key database
    + -pw password is the password for the CMS key database
    + -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.

     

    Step B: Transferring the TC Extended Trust SSL certificate

    You can extract the TC Extended Trust SSL certificate from a key database file and store it in a CA key ring file by performing the following steps:

    Step Ba: Using the iKeyman GUI

    1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows)
    2. Choose Open from the Key Database File menu. Click Key database type, and select CMS
    3. Click Browse to navigate to the directory containing the key database files
    4. Select the key database file to which you want to add the certificate. For example, key.kdb
    5. Click Open
    6. In the Password Prompt window, type the password you set when you created the key database and then click OK
    7. Select Signer Certificates in the Key database content field, and then select the certificate you want to extract
    8. Click Extract
    9. Select the Data type of the certificate. For example, Base64-encoded ASCII data for a file with the .arm extension
    10. Click Browse to select the name and location of the certificate file name
    11. Click OK. The certificate is written to the file you specified

    Step Bb: Using the iKeycmd (command line interface)

    To extract the TC Extended Trust SSL certificate in iKeycmd (using UNIX command line), use these commands:
    + gsk7cmd -cert -extract -db filename -pw password -label label -target filename -format ascii

    To extract the TC Extended Trust SSL certificate in iKeycmd (using Windows command line), use these commands:
    + runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii

    where:

    + -db filename is the fully qualified pathname of a CMS key database
    + -pw password is the password for the CMS key database
    + -label label is the label attached to the certificate
    + -target filename is the name of the destination file
    + -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER

     

    5 Backing up your key pair file — IMPORTANT!!!

    For instructions on how to back up your certificate, including the private key, we recommend contacting either the vendor of your server software or an organisation that supports IBM HTTP Server or Websphere running iKeyman.
