
Janet: Installation and deployment

Once your certificate is ready, it will be emailed to the address you supplied on the on-line request form. A copy of the certificate itself will appear in the email, and a zip file will be attached containing some of the following:

  • Your Janet SSL Certificate - either <host name>.crt or <7 digits>.crt
  • AddTrust Root CA Certificate - AddTrustExternalCARoot.crt

Janet certificates need one or more 'intermediate' certificates to link them to the relevant trusted 'root' certificates that come pre-installed in major browsers. You must arrange for your server to supply these additional certificates - if you don't then visitors to your site may be told that your certificate can't be trusted. The necessary intermediate certificates are included in the ZIP file supplied with your certificate, either as individual certificates or inside the ca-bundle files. Alternatively, copies of the relevant ones are available from the links above.

A link to Comodo's instructions about what to do is included in the email, and different combinations of intermediate certificates are needed depending on which type of certificate is being installed. A summary also appears below.

To copy multiple certificates into a single file you can either use a tool that concatenates files (such as the Unix 'cat' command or Windows 'copy'), or a text editor. Be sure to preserve the complete 'BEGIN CERTIFICATE' and 'END CERTIFICATE' lines that appear at the start and end of each certificate. It doesn't normally matter what you call the resulting file, but <host name>.ca-bundle (replacing <host name> with the primary name of the server) would be a possibility.

  • For DV and Wildcard SHA-2 certificates (issued from 10th October 2014):
    • Users of Apache before version 2.4.8 should either use the supplied <host name>.ca-bundle or <7 digits>.ca-bundle file, or copy TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt (in that order) into a single file, and then refer to this file from a SSLCertificateChainFile directive in the Apache configuration.
    • Users of Apache from version 2.4.8 onward should copy their website certificate and TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt (in that order) into a single file, and then refer to this new file from a SSLCertificateFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name>.ca-bundle or <7 digits>.ca-bundle, or from TERENASSLCA2.crt and USERTrustRSAAddTrustCA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.
  • For DV and Wildcard SHA-1 certificates (issued up to 9th October 2014):
    • Users of Apache before version 2.4.8 should either use the supplied <host name>.ca-bundle or <7 digits>.ca-bundle file, or copy TERENASSLCA.crt and UTNAddTrustServer_CA.crt (in that order) into a single file, and then refer to this file from a SSLCertificateChainFile directive in the Apache configuration.
    • Users of Apache from version 2.4.8 onward should copy their website certificate and TERENASSLCA.crt and UTNAddTrustServer_CA.crt (in that order) into a single file, and then refer to this new file from a SSLCertificateFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name>.ca-bundle or <7 digits>.ca-bundle, or from TERENASSLCA.crt and UTNAddTrustServer_CA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.
  • For EV certificates:
    • Users of Apache should either use the supplied <host name>.ca-bundle or <7 digits>.ca-bundle file, or copy COMODO_EV_CA.crt and COMODO_CA.crt (in that order) into a single file, and then refer to this file from a SSLCertificateChainFile directive in the Apache configuration.
    • For Microsoft IIS, install the two intermediate CA certificates (extracted from <host name>.ca-bundle or <7 digits>.ca-bundle, or from COMODO_EV_CA.crt and COMODO_CA.crt) in the Local Computer certificate store - see for example the section "Configuring IIS to use SSL with an Intermediate Certificate" in 'Configuring IIS to use SSL' in the Windows Support pages or 'HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003' in the Microsoft Knowledge Base.

When testing, beware that most modern browsers will automatically download intermediate certificates if your server fails to supply them, so it can be difficult to tell whether you have got things right for the browsers that won't. One way to double-check is to use the 'openssl s_client' command from the OpenSSL package to inspect the certificates being returned by a web server:

openssl s_client -connect <server>:<port> -showcerts

Replace <server> and <port> appropriately (<port> probably needs to be 443). This actually establishes a connection to the server - you can terminate it by typing ctrl-d or similar. The message "unable to get local issuer certificate" just means that your local OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented. This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options. What is important is that your certificate and the appropriate two chaining certificates appear in the output.
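
The combined file can also be checked offline before the server is reloaded. The shell functions below are an added example, not part of Janet's or Comodo's instructions: the function names and the output file name combined.crt are made up here, and the order check compares issuer and subject names only.

```shell
#!/bin/sh
# Added example; function names are made up here, not from Janet or Comodo.

# Subject / issuer name of the first certificate in a PEM file.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# count_certs FILE: number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# build_chain OUT CERT...: concatenate CERT files into OUT in the order given.
# Rejects inputs missing a BEGIN or END line; strips CRs and guarantees a
# final newline so one file's END line never runs into the next BEGIN line.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
           ! grep -q -- '-----END CERTIFICATE-----' "$f"; then
            echo "incomplete certificate: $f" >&2; return 1
        fi
        tr -d '\r' < "$f" | awk 1 >> "$out"
    done
}

# check_chain_order FILE: succeed only if each certificate's issuer name is
# the subject name of the certificate after it. Name comparison only; this
# does not verify signatures.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
                     p { print > (d "/" n ".pem") }
                     /-----END CERTIFICATE-----/ { p = 0 }' "$1"
    i=1; rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        if [ "$(issuer_of "$tmp/$i.pem")" != "$(subject_of "$tmp/$((i + 1)).pem")" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Apache 2.4.8+ case from the list above (SHA-2 DV), run in the unzipped directory:
#   build_chain combined.crt '<host name>.crt' TERENASSLCA2.crt USERTrustRSAAddTrustCA.crt \
#     && check_chain_order combined.crt
```

check_chain_order reads only the certificate blocks, so it can also be pointed at the saved output of the s_client command above to check the order the server actually sends.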

Alternatively, the SSL test service run by SSL Labs will identify certificate chain problems (amongst a range of other issues) - see under 'Certification Paths' in the report it produces. Note that this test service is very picky and as a result it is difficult to get a high overall ranking on many servers.

Last updated: October 2014