How to request a SWITCHpki DigiCert server certificate
Specific requirements may apply to the procedure at your own organization; please check with your registration authority (see the contact information) before submitting your first request.
1. Creating the key pair and the CSR (certificate signing request)
To create the key pair and the CSR, either use the respective option in your server software, or generate it with a tool of your choice, such as OpenSSL (available for many operating systems), certreq.exe (on Windows), keytool (for Java applications), etc. Only two requirements are mandatory for the CSR:
- the CN (commonName) attribute must contain a fully qualified domain name
- it must contain an RSA public key of at least 2048 bits
The CSR carries only the public key, so it is safe to send; the private key stays on the server and must never leave it. Browsers match the host name against the subjectAltName extension rather than the CN, so if your tool lets you add the host name (and any further names) as a SAN in the CSR, do so.
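The following script is an added example of step 1 with OpenSSL; it is not SWITCHpki's or DigiCert's own tooling. gen_csr creates the key pair and CSR, and check_csr verifies the two mandatory requirements (and the CSR signature) before you submit. It assumes OpenSSL 1.1.1 or later (for "req -addext"); the country and organisation in SUBJECT_PREFIX are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not SWITCHpki's or DigiCert's own tooling): create an RSA key
# pair and CSR with OpenSSL and check the requirements from step 1.
# Assumes OpenSSL 1.1.1 or later ("req -addext"). SUBJECT_PREFIX is a placeholder.
SUBJECT_PREFIX="/C=CH/O=Example Organisation"

# gen_csr HOSTNAME OUTDIR [BITS]: new RSA key (default 3072 bits; the minimum
# is 2048) and a CSR whose CN is HOSTNAME. HOSTNAME is also put into the
# subjectAltName extension, which is what browsers actually match against.
gen_csr() {
  host="$1"; outdir="$2"; bits="${3:-3072}"
  openssl req -new -newkey "rsa:$bits" -nodes \
    -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
    -subj "$SUBJECT_PREFIX/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# check_csr FILE: returns 0 only if the CSR signature verifies, the key is RSA
# with at least 2048 bits, and the CN looks like a fully qualified domain name.
check_csr() {
  csr="$1"; rc=0
  if openssl req -noout -verify -in "$csr" >/dev/null 2>&1; then
    echo "OK   CSR signature verifies"
  else
    echo "FAIL CSR signature does not verify"; rc=1
  fi
  text=$(openssl req -noout -text -in "$csr" 2>/dev/null)
  # Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
     && [ "${bits:-0}" -ge 2048 ]; then
    echo "OK   RSA key, $bits bits"
  else
    echo "FAIL key must be RSA with at least 2048 bits (found: ${bits:-unknown})"; rc=1
  fi
  cn=$(openssl req -noout -subject -in "$csr" 2>/dev/null \
       | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  case "$cn" in
    *.*) echo "OK   CN is $cn" ;;
    *)   echo "FAIL CN '$cn' is not a fully qualified domain name"; rc=1 ;;
  esac
  return $rc
}

# Usage: sh mkcsr.sh www.example.org /path/to/outdir [bits]
if [ $# -ge 2 ]; then
  gen_csr "$1" "$2" "${3:-3072}" && check_csr "$2/$1.csr"
fi
```

Submit the .csr file in step 2 and keep the .key file on the server with restrictive permissions; a CSR that fails check_csr will be rejected or stay pending.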
2. Submitting the CSR
Submit the CSR through the channel provided by your organization: either a DigiCert guest URL, or a personal login to the DigiCert CertCentral platform at https://www.digicert.com
An administrator of your organization then needs to approve your certificate request.
The system then checks, among other things, whether the organization and the domains included in the CSR have been validated and whether any CAA records that exist for those domains permit issuance by DigiCert. If any of these validations is missing, the certificate cannot be issued and the request stays pending until that is fixed.
3. Installing the certificate
To install the certificate, please refer to the documentation of your server software. It is important that you also install the intermediate CA certificate, so that your server sends both the server certificate and the intermediate CA certificate to a client; a client that does not already have the intermediate cannot otherwise build a trust path to the root and will reject the connection.
We recommend configuring and enabling OCSP stapling. (See the IAB Statement on OCSP Stapling for more information; the presentation OCSP Stapling gives an introduction.)
- If you use the Apache HTTP server, see Enabling OCSP Stapling in the Apache HTTP server.
- If you use IIS on Windows Server 2008 or later, OCSP stapling is enabled by default; no configuration is needed.
- For other products, please refer to the documentation of your server software.
4. Verifying the correct installation of the server certificate
To verify that your server is correctly configured (serving a complete chain, in particular), you can use the DigiCert SSL Certificate Checker, as long as your server is reachable from the public Internet.
If your server is not reachable from the public Internet, you can check it with the CheckSSL command line tool from a host that can reach it.
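For servers that cannot be checked from the public Internet, the script below is an added example (not SWITCHpki's, DigiCert's or the CheckSSL tool) of doing the step 3 and step 4 checks with openssl s_client from any host that can reach the server. It sends SNI (-servername), asks for an OCSP staple (-status) and then inspects the captured output for a verified chain with at least one intermediate and for a stapled response. The two embedded s_client excerpts are constructed for the self-test, not real captures; names such as Example Intermediate CA are placeholders. It assumes OpenSSL 1.1.1 or later on the checking host with a usable system trust store.

```shell
#!/bin/sh
# Added example (not SWITCHpki's or DigiCert's own tool): check what a server
# actually sends, using "openssl s_client" output. Assumes OpenSSL 1.1.1+.

# check_server HOST [PORT]: connect, request an OCSP staple, send SNI,
# capture the handshake report and run the verdict on it.
check_server() {
  host="$1"; port="${2:-443}"
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null >"$tmp" 2>/dev/null
  report "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}

# chain_sent FILE: number of certificates the server presented
# (the " 0 s:", " 1 s:" ... lines of the "Certificate chain" section)
chain_sent() { grep -cE '^ *[0-9]+ s:' "$1" || true; }

# chain_ok FILE: 0 if OpenSSL verified the chain against the local trust
# store and the server sent its certificate plus at least one intermediate
chain_ok() {
  grep -q '^Verify return code: 0 (ok)' "$1" && [ "$(chain_sent "$1")" -ge 2 ]
}

# stapling_ok FILE: 0 if a good OCSP response was stapled to the handshake
stapling_ok() { grep -q 'OCSP Response Status: successful' "$1"; }

# report FILE: human-readable verdict; exit status 0 only if chain_ok.
# A missing staple is only a warning: stapling is recommended, not required.
report() {
  f="$1"; rc=0
  n=$(chain_sent "$f")
  if chain_ok "$f"; then
    echo "OK   chain verifies, $n certificate(s) sent (server + intermediate)"
  else
    echo "FAIL chain incomplete or not trusted ($n certificate(s) sent); install the intermediate CA certificate"
    rc=1
  fi
  if stapling_ok "$f"; then
    echo "OK   OCSP response stapled"
  else
    echo "WARN no OCSP response stapled; consider enabling OCSP stapling"
  fi
  return $rc
}

# Constructed s_client excerpts (not real captures) for the self-test:
# a correct installation, and a server that sends only its own certificate.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
======================================
---
Certificate chain
 0 s:C = CH, O = Example Organisation, CN = www.example.org
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
Verify return code: 0 (ok)
---'
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:C = CH, O = Example Organisation, CN = www.example.org
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)
---'

# Usage: sh checkchain.sh www.example.org [443]
if [ $# -ge 1 ]; then check_server "$@"; fi
```

"Verify return code: 21 (unable to verify the first certificate)" is the typical symptom of a missing intermediate: the server certificate is fine, but the client cannot link it to a root it trusts. The report therefore treats a verified chain as the pass criterion and a missing staple as a warning only.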