Installing certificates


Certificate chain

The certificate chain consists of issuing certificates and the actual server certificate.

Trust in the certificate chain is based on the ROOT certificate. At its simplest, the server's certificate can be issued directly from the ROOT certificate. In practice this is not done; the server certificate is issued from an intermediate certificate. An intermediate certificate can also be the terminating certificate of the chain. When moving from SHA1 certificates to SHA2 certificates, several certificate providers created a new intermediate certificate for the transition period. At that time, Entrust's SHA2 certificate chain was four-step: ServerCertificate > Intermediate1 > Intermediate2 (G2) > Entrust ROOT. Among these "intermediate certificates", Entrust Intermediate G2 already works as a terminating ROOT certificate on several devices. Today, the certificate chain from Entrust's portal is three-step by default: ServerCertificate > Intermediate > Entrust Root Certification Authority - G2.

How-to videos & tips

Installing the certificate using the MMC console

One way to install a certificate on a Windows server is to use the MMC console. The video shows how the server certificate is placed in the store intended for it on a Windows server.


IIS7


F5 Big IP


Cisco ASA


Tips when installing the certificate

Certificate file format
Entrust has configured its service so that a server type can be selected, if necessary, when downloading the certificate, and the selection determines the format in which the certificate is downloaded. For example, if you want the certificate files in a format suitable for Apache, select that server type: the certificates are then downloaded in a zip file in which the Root and Intermediate certificates are bundled together and the server certificate is a separate file, as follows:
  • ChainBundle1.crt
  • ServerCertificate.crt
In addition to the correct file format, choosing the server type gives you installation instructions directly during the download phase, to be used if necessary.
Problems with the installation?
Problems related to the operation of the certificate that arise during or after the installation are often due to either the absence of a Private Key or an incomplete certificate chain. If you run into problems, check at least the following:
  • If you are installing several different certificates at the same time, make sure that the certificate file you are processing is correct. The certificate must be installed on the server that has the corresponding Private Key.
  • Check the chaining of the certificate. You can see this, for example, under Certificate > Certification Chain. Below is an example of a properly chained certificate on Wesentra Oy's website:
    Certificate chain
There are also ways/tools to locate the Private Key, but if necessary, the situation can also be corrected by creating a new CSR and re-creating the certificate with it, in which case the already redeemed certificate location/unit is not lost. This is also a secure method if there is reason to suspect that the Private Key may have ended up in the hands of outsiders.
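The two checks from the list above, as an added example that is not part of the original page or of Entrust's instructions: it confirms that a private key belongs to ServerCertificate.crt and that ChainBundle1.crt holds every certificate up to the root. The key file name Server.key, the function names and the throwaway chain generated for the run are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from Entrust or the original page). ChainBundle1.crt and
# ServerCertificate.crt are the page's file names; all other names are assumptions.

# Succeeds only when CERT and KEY contain the same public key.
key_matches_cert() {  # key_matches_cert CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# Succeeds only when CERT chains to a self-signed root using just the
# certificates in BUNDLE, i.e. no intermediate is missing.
chain_is_complete() {  # chain_is_complete BUNDLE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: issue NAME.crt/NAME.key, self-signed unless ISSUER is given.
make_cert() {  # make_cert NAME CA_FLAG [ISSUER]
  printf 'basicConstraints=critical,CA:%s\n' "$2" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=Constructed $1" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -extfile "$1.ext" -days 2 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$1.ext" -days 2 -out "$1.crt" 2>/dev/null
  fi
}

# Build a constructed three-step chain in DIR, laid out like the Apache download.
build_constructed_chain() {  # build_constructed_chain DIR
  ( cd "$1" && make_cert Root TRUE && make_cert Intermediate TRUE Root &&
    make_cert Server FALSE Intermediate &&
    cat Intermediate.crt Root.crt > ChainBundle1.crt &&
    cp Server.crt ServerCertificate.crt )
}

d=$(mktemp -d) && build_constructed_chain "$d" || exit 1
key_matches_cert "$d/ServerCertificate.crt" "$d/Server.key" && echo "private key: matches"
key_matches_cert "$d/ServerCertificate.crt" "$d/Root.key" || echo "private key: wrong key detected"
chain_is_complete "$d/ChainBundle1.crt" "$d/ServerCertificate.crt" && echo "chain: complete"
chain_is_complete "$d/Root.crt" "$d/ServerCertificate.crt" || echo "chain: intermediate missing"
```

These checks cover the downloaded files only; the chain a running server actually presents still has to be checked from the server side, for example under Certificate > Certification Chain as described above.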
Are you getting the following error?: "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"
The error message indicates that when the certificate was created, it was not configured to be submitted to the CT (Certificate Transparency) log, and some browsers therefore treat the certificate as untrusted. This error can be corrected by re-creating the certificate with CT logging set to active. In Entrust's portal, the function in question can be found in the menu under the name "Reissue".

Links for installation instructions

Server-specific instructions for selected environments

Below you will find links to server-specific certificate installation instructions on Entrust's website.
The instructions behind the links are in English.

NGINX