skip to primary navigationskip to content

Installation and deployment

Once your certificate is ready, it will be emailed to the address you supplied in your request. A copy of the certificate itself will appear in the email, and a zip file will be attached containing:

  • Your Certificate, in a file named after its primary hostname, e.g. www_example_cam_ac_uk.crt
  • A copy of the appropriate QuoVadis intermediate certificate:

You can also download certificates that you have requested, and check the status of your requests, on the TLS certificate administration site.

QuoVadis provide certificate installation instructions. A summary of the key points for Apache and Microsoft IIS appears below.

These certificates need the 'intermediate' certificate to link them to the to the trusted 'root' certificates that come pre-installed in browsers and other clients. You must arrange for your server to supply this additional certificate - if you don't then visitors to your site may be told that your certificate can't be trusted or connections may be refused. The appropriate intermediate certificate is included in the ZIP file supplied with your certificate, is available from the links above, or can be dowloaded directly from QuoVadis.

  • For standard OV and Widlcard certificates:
    • Users of Apache before version 2.4.8 should adjust their configuration to
      • refer to their certificate from a SSLCertificateFile directive
      • refer to their key from a SSLCertificateKeyFile directive
      • refer to QuoVadisGlobalSSLICAG2.crt from a SSLCertificateChainFile directive
    • Users of Apache from version 2.4.8 onward should 
      • copy their certificate and QuoVadisGlobalSSLICAG2.crt (in that order) into a single file, and then refer to this new file from a SSLCertificateFile directive
      • refer to their key from a SSLCertificateKeyFile directive
    • Users of Microsoft IIS should install QuoVadisGlobalSSLICAG2.crt in the Local Computer certificate store

For more information on using intermediate certificates with Apache see the documentation for Apache 2.2 or Apache 2.4. For IIS, see the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.

To copying multiple certificates into a single file you can either use a tool that concatenates files (such as the Unix 'cat' command or Windows 'copy'), or a text editor. Be sure to preserve the complete 'BEGIN CERTIFICATE' and 'END CERTIFICATE'  lines that appear at the start and end of each certificate. It doesn't matter what you call the resulting file, but <host name>.bundle (replacing <host name> with the primary name of the server) would be a possibility.

When testing, beware that most modern browsers will automatically download intermediate certificates if your server fails to supply them so it can be difficult to tell if you have got things right for any that won't. One way to double-check is to use the SSL test service run by SSL Labs which will identify certificate chain problems (amongst a range of other issues) - see under 'Certification Paths' in the report it produces. Note that this test service is very picky and as a result it is difficult to get a high overall ranking on many servers.

Alternatively you can use the 'openssl s_client' command from the OpenSSL package to inspect the certificates being returned by a web server:

openssl s_client -connect <server>:<port> -showcerts

Replacing <server> and <port> appropriately (<port> probably needs to be 443). This establishes a connection to the server - you can terminate it by typing ctrl-d or similar. The message "unable to get local issuer certificate" just means that your local OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented. This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options. What is important is that your certificate and the appropriate chaining certificate appear in the output.

See 'Renewal process' for what to do about renewing your certificate when it eventually expires.

Last updated: May 2015