Getting your Extended Validation certificate from the Gen3 TCS “DigiCert” re-issued

As announced by DigiCert on July 7th in
https://knowledge.digicert.com/alerts/DigiCert-ICA-Replacement
all certificates issued by our “TERENA SSL High Assurance CA 3” CA, the one used for all Extended Validation certificates of the 3rd generation TCS, will be revoked on July 11th, i.e. this week Saturday. Extended Validation is the certificate product that gets you either a ‘green address bar’ or the name of your organisation immediately shown when the padlock is clicked in the browser.

If, by now, you have ready access to the TCS Gen4 “Sectigo” service and can issue EV certificates there (because an EV anchor is already in place), that is the preferred route. And anyway, you should – as a backup plan – also get OV “GEANT OV Multi-domain” certificate replacements done.

But if you want EV and can complete this process, partially by hand, today or tomorrow, you can try ‘re-issuance’. As described by DigiCert, they offer (obviously free) replacements, that will be valid also after Saturday. These certificates:
- Must be “re-issued”
- Will get a new intermediate CA “DigiCert EV RSA CA G2”, so also the certificate chain file must be replaced:
  - for Nginx, this is thus also the second PEM blob in the certificate file
  - for Apache httpd, this is the content of the SSLCertificateChainFile
  - for IIS and other products, please see your documentation
- You must have up to 30min of patience (and possibly longer if the EV validation for your organisation or your domains has lapsed)
- You can re-use the same key pair (by using the same CSR)
- You can do this all also on behalf of any users and certificate owners in your organisation
- You must restart or reload services afterwards

Instructions from DigiCert

In a very concise way, DigiCert said it all:

Step by step guide:
1. Login, with an Administrator account from your organization – the same one you used before May 1st, at https://www.digicert.com/account/login.php
2. Go to “Certificates” -> “Orders”
3. You can search for your certificate by order ID, and order IDs affected were sent to you by DigiCert (in the mail from Ruud-Maarten). Or look the hosts up by name.
4. You can re-use the same CSR. That CSR is helpfully given on the order page, so click on the order number (not the Quick View), find the CSR viewer once inside the order page, and click on “View” to see the CSR blob. Copy that into your clipboard buffer, by clicking in the text. Make sure you select all (that’s the default anyway).
5. From the “Certificate Actions” button, select “Reissue Certificate”
6. In the CSR text box, paste the CSR you copied in step #4, but do not change the other fields. Otherwise, important subject alternative names might be lost, and you have an operational problem later.
7. Scroll to the bottom of the page. You can even type a reason for re-issuance in case you want. Anyway, press “Request Reissue”
8. You get a dialog box to confirm the subjectAltName. Make sure that all names are there, no names are added, and no names are lost:
9. and then “Confirm Request”.
   (potentially, only in exceptional cases) At this point, a mail may be triggered to the organisation/domain owner. Whether this happens depends on the validation status of the org and domain. It might be automatic as well. Otherwise, catch the mail to the EV validation user, as shown below, and approve it. It should not happen, but may.
10. You get the confirmation dialog that issuance is pending. Click on “View Order” to get the sidebar status:
    It will be in “Issue Certificate” pending status:
11. Please proceed to the full order page, by entering the order ID in the search box and “Go”ing.
    Click on the order number, not on the “Quick View”:
12. Wait until it actually re-issues, which you can see by refreshing and looking for “DigiCert EV RSA CA G2” here.
    PLEASE wait until you actually see “DigiCert EV RSA CA G2”.
    This may take up to ~30 minutes, but could be as quick as 5 seconds.
    If you continue before re-issuance is done, you get the old cert back. So, really …
13. Once re-issued, you and/or the original certificate requester also get the email with the canonical ZIP file.
14. At this point, make sure you get both the new certificate as well as the new intermediary:
15. Install both of these in your favourite server software; in this case you can leave the key file unchanged, since the re-issued cert is based on the same key pair.
And now go for the next certificate you need to replace.
You can do this also via the API – but no ready tool is available at this moment (if you build one, please share it!)
What should go where? In the SSLCertificateChainFile, you should have the “DigiCert EV RSA CA G2” intermediate certificate (the DigiCertCA.crt file from the ZIP), in PEM form:
This is done:
for Apache httpd, usually configured in ssl.conf, under
    SSLCertificateFile      /etc/pki/tls/tcsg3/cert-igtf.net.pem
    SSLCertificateKeyFile   /etc/pki/tls/tcsg3/key-igtf.net.pem
    SSLCertificateChainFile /etc/pki/tls/tcsg3/chain-igtf.net.pem
with the re-issued certificate (“hostname.crt” in the zip file) going under the SSLCertificateFile, and the new intermediate under the SSLCertificateChainFile.
This same structure also holds for e.g. postfix, and for cyrus imapd (where the intermediate is in “tls_ca_file”).
for nginx, concatenate ‘hostname.crt’ and the new DigiCertCA.crt file, in this order, into one file and use that as your new certificate for nginx.
The same concatenation holds for OpenVPN servers
In some cases, the intermediate is in another place – see your software documentation.