
Janet: Installation and deployment

Once your certificate is ready, it will be emailed to the address you supplied on the on-line request form. A copy of the certificate itself will appear in the email, and a zip file will be attached containing some of the following:

  • Your Janet SSL Certificate - either <host name>.crt or <7 digits>.crt
  • AddTrust Root CA Certificate - AddTrustExternalCARoot.crt

Janet certificates need one or more 'intermediate' certificates to link them to the relevant trusted 'root' certificates that come pre-installed in major browsers. You must arrange for your server to supply these additional certificates - if you don't then visitors to your site may be told that your certificate can't be trusted. The necessary intermediate certificates are included in the ZIP file supplied with your certificate, either as individual certificates or inside the ca-bundle files. Alternatively, copies of the relevant ones are available from the links above.

A link to Comodo's instructions about what to do is included in the email, and different combinations of intermediate certificates are needed depending on which type of certificate is being installed:

  • For DV and Wildcard SHA-1 certificates (issued up to 9th October 2014):
    • Users of Apache before version 2.4.8 should either use the supplied <host name><7 digits>.ca-bundle file, or copy TERENASSLCA.crt and UTNAddTrustServer_CA.crt (in that order) into a single file, and then refer to this from an SSLCertificateChainFile directive in the Apache configuration.
    • Users of Apache from version 2.4.8 onward should copy their website certificate and TERENASSLCA.crt and UTNAddTrustServer_CA.crt (in that order) into a single file, and then refer to this from an SSLCertificateFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name><7 digits>.ca-bundle, or from TERENASSLCA.crt and UTNAddTrustServer_CA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.
  • For DV and Wildcard SHA-2 certificates (issued from 10th October 2014):
    • Users of Apache before version 2.4.8 should either use the supplied <host name><7 digits>.ca-bundle file, or copy TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt (in that order) into a single file, and then refer to this from an SSLCertificateChainFile directive in the Apache configuration.
    • Users of Apache from version 2.4.8 onward should copy their website certificate and TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt (in that order) into a single file, and then refer to this from an SSLCertificateFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name><7 digits>.ca-bundle, or from TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.
  • For EV certificates:
    • Users of Apache should either use the supplied <host name><7 digits>.ca-bundle file, or copy COMODO_EV_CA.crt and COMODO_CA.crt (in that order) into a single file, and then refer to this from an SSLCertificateChainFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name><7 digits>.ca-bundle, or from COMODO_EV_CA.crt and COMODO_CA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.

When testing, beware that most modern browsers will automatically download intermediate certificates if your server fails to supply them, so it can be difficult to tell whether you have got things right for the browsers that won't. One way to double-check is to use the 'openssl s_client' command to inspect the certificates being returned by a web server:

openssl s_client -connect <server>:<port> -showcerts

Replace <server> and <port> appropriately (<port> probably needs to be 443). This actually establishes a connection to the server - you can terminate it by typing ctrl-d or similar. The message "unable to get local issuer certificate" just means that your local OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented. This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options. What is important is that your certificate and the appropriate two chaining certificates appear in the output.
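An added example (not part of the original page): a shell function that reads the chain listing from s_client output and checks the two things asked for above, that your certificate plus two chaining certificates are sent, and that each one is issued by the certificate sent after it. The sample listings and the names in them are constructed, and the comparison is on subject and issuer names only; it does not verify signatures.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# prints one verdict line; the exit status is 0 only for "OK".
# $1 = certificates expected (default 3: yours plus two intermediates).
# Typical use:
#   openssl s_client -connect <server>:<port> -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
    awk -v want="${1:-3}" '
        # " 0 s:<subject>" opens the entry for certificate 0, 1, 2 ...
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        # "   i:<issuer>" is the issuer of the entry just opened
        /^ +i:/ { sub(/^ +i:/, ""); if (n > 0) iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "NO_CHAIN"; exit 1 }
            # Each certificate must be issued by the one sent after it
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "BROKEN_AT " k; exit 1 }
            if (n < want) { print "MISSING " (want - n); exit 1 }
            print "OK " n
        }'
}

# Constructed samples: one chain-listing entry per call, in the layout
# s_client prints under "Certificate chain". All names are placeholders.
entry() { printf ' %s s:/CN=%s\n   i:/CN=%s\n' "$1" "$2" "$3"; }

sample_good() {
    entry 0 www.example.ac.uk 'Example Intermediate CA 1'
    entry 1 'Example Intermediate CA 1' 'Example Intermediate CA 2'
    entry 2 'Example Intermediate CA 2' 'Example Root CA'
}
# Server sends only its own certificate (browsers may hide this).
sample_leaf_only() { entry 0 www.example.ac.uk 'Example Intermediate CA 1'; }
# The two intermediates were concatenated in the wrong order.
sample_swapped() {
    entry 0 www.example.ac.uk 'Example Intermediate CA 1'
    entry 1 'Example Intermediate CA 2' 'Example Root CA'
    entry 2 'Example Intermediate CA 1' 'Example Intermediate CA 2'
}

sample_good | check_chain
```
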

Alternatively, the SSL test service run by SSL Labs will identify certificate chain problems (amongst a range of other issues) - see under 'Certification Paths' in the report it produces. Note that this test service is very picky and as a result it is difficult to get a high overall ranking on many servers.

Last updated: October 2014