Installing certificates
Simply installing the certificate on the server is not always enough: the entire certificate chain must be installed correctly. If the chain is incomplete, the certificate does not work correctly and browsers and other clients do not trust it.
The SHA-1 hash algorithm that was previously commonly used in certificates has been retired and replaced by SHA-2. As a result, several certificate authorities had to create a new intermediate certificate so that the entire certificate chain would be SHA-2.
ROOT certificates are an exception to this SHA-2 chain: they are typically still of SHA-1 type, but this is acceptable due to the different handling and storage of ROOT certificates.
On this page you will find instructions/instruction links for installing the certificate in the most common server environments.
Entrust has compiled instructions for installing certificates in most server environments. From the table found behind the link, you can choose the instructions for the right server type.
Certificate chain
The certificate chain consists of issuing certificates and the actual server certificate.
The trust of the certificate chain is based on the ROOT certificate. At its simplest, the server's certificate can be issued directly with the ROOT certificate. In practice, however, this is not the case: the server certificate is issued from an intermediate certificate. The intermediate certificate can also be the terminating certificate of the chain. When moving from SHA1 certificates to SHA2 certificates, several certificate providers created a new Intermediate certificate for the transition period. At that time, Entrust's SHA2 certificate chain was four-step: ServerCertificate > Intermediate1 > Intermediate2 (G2) > Entrust ROOT. Among these "intermediate certificates", Entrust Intermediate G2 already works as a terminating ROOT certificate on several devices. Today, the certificate chain from Entrust's portal is three-step by default: ServerCertificate > Intermediate > Entrust Root Certification Authority - G2.
How-to videos & tips
Installing the certificate using the MMC console
One of the ways to install a certificate on a Windows server is to use the MMC console. The video shows how the server certificate is exported to the container intended for it on a Windows server.
IIS7
F5 Big IP
Cisco ASA
Tips when installing the certificate
Certificate file format
Entrust has configured its service so that a server type can be selected when downloading the certificate, if necessary, and this determines the format in which the certificate is downloaded. For example, if you want the certificate files in a format suitable for Apache and select that server type, the certificates are downloaded in a zip file in which the Root and Intermediate certificates are bundled into one file and the server certificate is its own file, as follows:
- ChainBundle1.crt
- ServerCertificate.crt
Problems with the installation?
Problems related to the operation of the certificate that arise during or after the installation are often due to either the absence of a Private Key or an incomplete certificate chain. If you run into problems, check at least the following:
- If you are installing several different certificates at the same time, make sure that the certificate file you are processing is the correct one. The certificate must be installed on the server that has the corresponding Private Key.
- Check the chaining of the certificate. You can see this, for example, under Certificate > Certification Chain.
[Image: example of a properly chained certificate on Wesentra Oy's website]
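The two checks above, together with the SHA-1/SHA-2 question from the start of the page, can also be run from the command line before the certificate is installed. The script below is an added example and is not part of the original page or of Entrust's instructions. It assumes the OpenSSL command-line tool (1.1.0 or later); the function names and the key file name server.key are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. ChainBundle1.crt and
# ServerCertificate.crt are the Apache download named above; server.key is an
# assumed name for the private key that was created with the CSR.

# chain_is_complete SERVER_CERT CHAIN_BUNDLE
# Succeeds only when SERVER_CERT can be chained to a self-signed root through
# the certificates in CHAIN_BUNDLE. -no-CApath keeps the default CA directory
# out of the lookup.
chain_is_complete() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert PRIVATE_KEY SERVER_CERT
# Succeeds only when the public key derived from PRIVATE_KEY is the one
# embedded in SERVER_CERT (works for RSA and EC keys).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# signature_algorithm CERT
# Prints the signature algorithm of the first certificate in CERT, for example
# sha256WithRSAEncryption, so a SHA-1 signed certificate is easy to spot.
signature_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# check_download PRIVATE_KEY SERVER_CERT CHAIN_BUNDLE
# Runs all three checks and reports every failure; returns non-zero if any fail.
check_download() {
    rc=0
    chain_is_complete "$2" "$3" || { echo "FAIL: incomplete chain" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match" >&2; rc=1; }
    case $(signature_algorithm "$2") in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*)
            echo "FAIL: weak signature algorithm" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Typical use: `check_download server.key ServerCertificate.crt ChainBundle1.crt`, which prints nothing and returns 0 when the files are consistent.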
Are you getting the following error: "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"?
The error message indicates that when the certificate was created, it was not configured to be published to the CT (Certificate Transparency) log, and thus some browsers treat the certificate as untrusted. This error can be corrected by recreating the certificate with CT logging set to active. In Entrust's portal, the function in question can be found in the menu under the name "Reissue".
Links for installation instructions
Server-specific instructions for selected environments
Below you will find links to server-specific certificate installation instructions on Entrust's website.
The instructions behind the links are in English.