SSL certificates support

SSL certificates support

1. Generate a Certificate Signing Request (CSR)

2. SSL Certificates Support – Enrollment

3. Installation Instructions for SSL Certificates

4. Export (or Backup) a Certificate

1. Generate a Certificate Signing Request (CSR)


Before you purchase an SSL Certificate, you need to generate a Certificate Signing Request (CSR) for the server where the certificate will be installed. Select CSR generation instructions for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor. If you do not know what software your server uses, contact your technical support.


Instructions for Financial Certificates

If you plan to purchase a Financial or OFX Certificate, follow instructions from these supported vendors: Generate a CSR for OFX Certificates.


Instructions for All Other SSL Certificates


Vendor Application
4D, Inc. Webstar 4.x
Apache ApacheSSL mod_ssl
BEA Systems WebLogic 6.0  WebLogic 8.1 WebLogic 10.0
Cisco ACS 3.2
Covalent Apache ERS 2.4  Apache ERS 3.0
IBM Websphere MQ   HTTP Server
Lotus Domino 5.0 Domino 6.0 Domino 7.0 Domino 8.0
Microsoft Windows NT – IIS 4.0   Windows 2000 – IIS 5.0   Windows 2003 – IIS 6.0 Windows 2008 – IIS 7.0 Exchange 2007
Netscape iPlanet 4.x  iPlanet 6.x
Netscreen ScreenOS
Nortel SSL Accelerator
Oracle Oracle Wallet Manager
Red Hat Secure Web Server
SonicWALL SSL Offloaders
Stronghold Stronghold
Sun Java Web Server 6.x  Sun ONE
Sybase AS Server w/IIS 4  AS Server w/IIS 5  EA Server
Tomcat Tomcat
Zeus Zeus


































2. SSL Certificates Support – Enrollment


VeriSign is the most trusted mark on the Internet

  • VeriSign secures more than one million Web servers worldwide, more than any other Certificate Authority.
  • The world’s 40 largest banks and over 93% of Fortune 500 companies choose VeriSign SSL Certificates.
  • Over 75% of Web sites using Extended Validation SSL choose VeriSign, including biggest names in e-commerce and banking.


Step-by-Step OverviewTo enroll for any of VeriSign’s SSL Certificate services, you will need the following information:

  1. The length of time for the certificate
  2. The number of servers hosting a single domain (up to 5 servers)
  3. The server platform
  4. The Organization, Organizational Unit, Locality/City, State and Country
  5. Payment information and a contact for invoicing
  6. The common name. This is the host + domain name such as “www.mydomain” or “”
  7. An email address where VeriSign can reach you to validate the information.
  8. A Certificate Signing Request (CSR) generated from the server you need to secure.


Authentication and Verification Upon completion of the enrollment process, VeriSign will then proceed with the authentication process.  This requires that VeriSign can establish that your organization is legitimate, and is registered with the proper government authorities. Verification is the process of confirming that:

  • The Organization is still in business
  • The Organization owns/has rights to use the domain name listed in the common name field of the Certificate Signing Request (CSR)
  • The Corporate Contact works for the organization listed in the distinguished name
  • The Corporate Contact is aware of the certificate request
  • The Technical Contact listed is authorized to receive the Digital ID

Correct Formatting Do not use any shift characters in any of the enrollment fields. If your company has an & or @ symbol in its name, you must spell out the symbol or omit it in the enrollment field.

The Certificate Signing Request (CSR) file should not contain any blank or trailing spaces.

  • Locality  -this field is the city or town the organization is located in. This field should be spelled out completely
  • State – this field needs to be spelled out completely. For example, “California” or “New York”.
  • Country – a two character country code needs to be used. For example, US for the United States, GB for the United Kingdom.

Common Name The Common Name is the Host + Domain Name. It looks like “” or “”.

VeriSign SSL certificates can only be used on Web servers using the Common Name specified during enrollment.

For example, an SSL certificate  issued for the domain “ ” will only function properly at “”. If “” or “’ is used to access the site, a mis-match error will appear as the SSL certificate is specifically assigned to
Begin Enrollment To start the enrollment for an SSL Certificate, go to the VeriSign Product pages.

If you have a VeriSign Trust Center Account, please log in here

Once VeriSign has validated the information provided, you will receive an email with installation instructions.


3. Installation Instructions for SSL Certificates


VeriSign offers multiple types of SSL Certificates that may include Server Gated Cryptography (SGC) and Extended Validation (EV) SSL options for the strongest levels of encryption and authentication respectively.


The following information provides installation instructions for the SSL certificates listed below:


Secure Site

Secure Site Pro

Secure Site with Extended Validation

Secure Site Pro with Extended Validation

Financial SSL Certificate for OFX


Intermediate Certification Authority (CA) Certificates 


Note: Customers using Microsoft IIS 5.0 or Higher servers typically do not need to download the Intermediate CA as it is included with the SSL certificate upon issuance if they seleceted in the purchase as server vendor: Microsoft IIS 5.0 or higher.


As of April 2006, all SSL certificates purchased through the VeriSign Web site require the installation of an Intermediate Certificate Authority (CA) Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of your SSL certificates.


Easily find and download the Intermediate CA Certificate for your product here.



Free Trial SSL Certificate


Additional installation instructions are required for Free Trial SSL Certificates.  You need to:


1.  Install the Secure Site Trial Root CA Certificate on each browser that you will use to test your Trial SSL Certificate.


2.  Install the Secure Site Trial Intermediate CA Certificate on each Web server you are testing with.



To install your SSL Certificate, use the instructions listed for your server vendor below.

================================================================= NEW INSTALLATION CHECKING TOOL!

Ensure you have installed your certificate correctly        =================================================================


                   Vendor SSL Certificates SSL with Extended Validation
  4D, Inc    Webstar 4.x    Additional information
   Apache    ApacheSSL mod_ssl    Apache Secure Site  W/EV

Apache Secure Site Pro W/EV

   BEA Systems    WebLogic 6.0     WebLogic 8.1    WebLogic 8.1 Secure Site w/EV    WebLogic 8.1 Secure Site Pro w/EV
   Cisco    ACS 3.2    Additional Information
   Citrix Gateway    Citrix Access Gateway 4.5.x    Citrix Access Gateway 4.5.x Secure Site w/EV

Citrix Access Gateway 4.5.x Secure Site Pro w/EV

Additional Information

   Covalent    Apache ERS 2.4     Apache ERS 3.0    Additional Information
   F5    BIG-IP     BIG-IP 9    BIG IP Secure Site w/EV    BIG IP Secure Site Pro w/EV    BIG IP v 9.x Secure Site w/EV    BIG IP v 9.x Secure Site Pro w/EV
   IBM    Websphere MQ      HTTP Server    Websphere 5.1 SecureSite w/EV    Websphere 5.1 SecureSiteProw/EV
   Lotus    Domino 5    Domino 6 or 7    Domino 8    Additional Information
   Microsoft    Windows NT – IIS 4.0      Windows 2000 – IIS 5.0      Windows 2003 – IIS 6.0

Windows 2008 – IIS 7.0    Exchange 2007

   IIS 5.0 /6.0 SecureSite w/EV    IIS 5.0 /6.0 SecureSite Pro w/EV

IIS 7.0 Secure Site / Pro w/EV

   Netscape    iPlanet 4.x      iPlanet 6.x    iPlanet 6.x Secure Site w/EV    iPlanet 6.x Secure Site Pro w/EV
   Netscreen    ScreenOS    Additional Information
   Nortel    SSL Accelerator    Additional Information
   Oracle    Oracle Wallet Manager    Oracle Wallet Manager
   Redhat    Secure Web Server    Additional Information
   SonicWALL    SSL Offloaders    Additional Information
   Sun    Java Web Server 6.x     Sun One    Additional Information
   Sybase    AS Server w/IIS 4     AS Server w/IIS 5     EA Server    Additional Information
   Stronghold    Stronghold    Additional Information
   Tomcat    Tomcat    Tomcat Secure Site w/EV    Tomcat Secure Site Pro w/EV        (keytool instructions)
   Zeus    Zeus    Additional Information 


4. Export (or Backup) a Certificate


When you Export (backup) an SSL certificate, the system copies the private key into an encrypted file. The private key was created on the server when the Certificate Signing Request (CSR) was generated. Select the correct software vendor and version below for backup instructions.


IMPORTANT!   VeriSign highly recommends that you save the file to a diskette or CD and store it in a safe place




Microsoft IIS Version 4.0


1.  Open the Microsoft Management Console: Start > Programs > Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager

2.  Right-click the Web site containing the certificate and select Properties

3.  Click the Directory Security tab

4.  In the Secure Communications section, click Edit

5.  Click Key Manager

6.  Select the key to export

7.  On the menu bar, select Key > Export Key > Backup File

8.  A message warns you about placing sensitive information in a file on your hard drive. Click OK

9.  Specify the name of the file that will hold the exported key. Click Save


Microsoft IIS Version 5.0,  6.0 or 7.0


Step 1: Create a Microsoft Management Console (MMC) Snap-in for managing certificates


Create a Microsoft Management Console (MMC) Snap-in for managing certificates, as described in solution SO6127.


Step 2: Export the certificate


1.  Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates

2.  The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure)

3.  Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens

4.  Select Yes, export the private key

5.  Click Next

6.  In the Export File Format window, ensure the option for Personal Information Exchange  – PKCS#12 (.pfx) is selected

7.  Select Include all certificates in the certificate path if possible and then click Next. (If you do not select the Include all certificates in the certificate path if possible option, your server may not recognize the issuer of the certificate, which may result in security warnings for your clients.

8.  De-select Require Strong Encryption. (This may cause a password prompt every time an application attempts to access the private key or it may cause IIS to fail).

9.  Click Next

10.  Enter and confirm a password to protect the PFX file and click Next

11.  Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension for you)

12.  Click Next

13.  Read the summary and verify that the information is correct. Pay special attention to where you saved the file. Ensure that the information is correct

14.  Click Finish




1.  Locate the private key and certificate files. The following directives in the httpd.conf point to the location of the key and certificate files:


SSLCertificateFile … /path/to/mycertfile.crt

SSLCACertificateFile … /path/to/intermediate.crt

SSLCertificateKeyFile … /path/to/mykeyfile.key


NOTE :  Depending on the version of Apache, the directive may be SSLCACertificateFile or  SSLCertificateChainFile and the configuration file may be httpd.conf or ssl.conf file.


2.  Copy the .key file, both .crt files (one is the server certificate and the other is the intermediate CA certificate), and the httpd.conf file onto a diskette or CD.


<filename>.key – private key

<filename>.crt – server certificate

<filename>.crt – intermediate CA certificate

httpd.conf – Web server configuration file


iPlanet Version 4.0 and 6.0


1.  Locate the alias directory within the iPlanet directory

2.  Locate the files: https < server_name > cert7.db and https <server_name> key3.db

3.  Copy them.


IBM Websphere Server


1.  Type ikeyman on a command line on UNIX or start the Key Management utility in the IBM Websphere Server folder

2.  Select Key Database File from the main menu, and then select Open

3.  In the Open dialog box, type your key database name or click the key.kdb file if you are using the default. Click OK

4.  In the Password Prompt dialog box, type your password, and click OK

5.  Select Personal Certificates in the Key Database content frame, and then click the Export/Import button on the label

6.  In the Export/Import Key window, select Export Key

7.  Select the key database file type

8.  Type the file name or browse and select the location and file name, and then click OK

9.  In the Password Prompt dialog box, type the password, and then click OK

10.  In the Select from Key Label list, select the correct label name and click OK




1.  Navigate to the SSL Directory where the SSL Keystore is kept. By default this can be a hidden directory. For example: /root/.keystore

2.  Make a copy of the keystore file in this directory. This contains your Private and Public keys