Once your certificate is ready, it will be emailed to the address you supplied on the on-line request form. A copy of the certificate itself will appear in the email, and a zip file will be attached containing some of the following:
- Your Janet SSL Certificate - either <host name>.crt or <7 digits>.crt
- TERENA Intermediate CA Certificate - TERENASSLCA.crt
- UTNAddTrust Intermediate CA Certificate - UTNAddTrustServer_CA.crt
- Intermediate CA Bundle file - <7 digits>.ca-bundle
- AddTrust Root CA Certificate - AddTrustExternalCARoot.crt
Janet certificates need two 'intermediate' certificates to link them to the AddTrust master signing certificate, since only the latter comes pre-installed in clients. You must arrange for your server to supply these additional certificates - if you don't, visitors to your site may be told that your certificate can't be trusted. These intermediate certificates are included in the ZIP file supplied with your certificate (either as individual certificates or inside <7 digits>.ca-bundle) and are also available from the links above.
- Users of Apache should either use the supplied <7 digits>.ca-bundle file, or copy TERENASSLCA.crt and UTNAddTrustServer_CA.crt (in that order) into a single file, and then refer to this file from an SSLCertificateChainFile directive in the Apache configuration.
- For Microsoft IIS, install the two intermediate CA certificates (from <7 digits>.ca-bundle, or from TERENASSLCA.crt and UTNAddTrustServer_CA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.
When testing, beware that some browsers will automatically download intermediate certificates if your server fails to supply them. One way to double-check is to use the 'openssl s_client' command to inspect the certificates being returned by a web server:
openssl s_client -connect <server>:<port> -showcerts
Replace <server> and <port> appropriately (<port> probably needs to be 443). This actually establishes a connection to the server - you can terminate it by typing Ctrl-C or similar. The message "unable to get local issuer certificate" just means that your local OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented. This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options. What is important is that your certificate and the two chaining certificates appear in the output.
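
An added example (not part of the original page): a shell filter that reads the s_client output described above and reports how many certificates the server sent and whether each one is issued by the next. The function names and the sample output, including its certificate names, are constructed for illustration.

```sh
# Read `openssl s_client -showcerts` output on stdin and print
# "sent=<n> linked=<yes|no>": how many certificates the server sent, and
# whether each one's issuer (i:) is the subject (s:) of the one after it.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n] = $0; next }
        END {
            linked = (n > 0) ? "yes" : "no"
            for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) linked = "no"
            printf "sent=%d linked=%s\n", n, linked
        }'
}

# Succeed only if the server sent its own certificate plus at least two
# more (3 or more in total) and they link in order.
chain_ok() {
    summary=$(chain_summary)
    sent=${summary#sent=}; sent=${sent%% *}
    [ "$sent" -ge 3 ] && [ "${summary##*linked=}" = "yes" ]
}

# Constructed sample output; names are placeholders, PEM bodies omitted.
sample_full() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=GB/O=Example University/CN=www.example.ac.uk
   i:/C=XX/O=Constructed/CN=Intermediate CA 1
 1 s:/C=XX/O=Constructed/CN=Intermediate CA 1
   i:/C=XX/O=Constructed/CN=Intermediate CA 2
 2 s:/C=XX/O=Constructed/CN=Intermediate CA 2
   i:/C=XX/O=Constructed/CN=Root CA
---
Server certificate
subject=/C=GB/O=Example University/CN=www.example.ac.uk
EOF
}

# The same server with no chain file configured: only certificate 0 is sent.
sample_leaf_only() { sample_full | sed -e '/^ 1 s:/,/CN=Root CA$/d'; }

sample_full | chain_summary        # sent=3 linked=yes
sample_leaf_only | chain_summary   # sent=1 linked=yes
```

To check a live server, pipe `openssl s_client -connect <server>:<port> -showcerts </dev/null 2>/dev/null` into `chain_ok`; redirecting stdin from /dev/null makes s_client exit once the handshake output has been printed.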