Certificate Updates

Here we describe the procedures for updating SSL certificates for web servers (https), IMAP servers (imaps), and other similar services (Dawn/Adrian - feel free to elaborate!)

Updating Hosts Certificates

Perhaps Try IST Documentation

Start at IST's documentation for SSL certificate management: http://ist.uwaterloo.ca/security/IST-CA (=> https://ist.uwaterloo.ca/security/IST-CA/self-service/ ) (later became, ahem, https://uwaterloo.ca/information-systems-technology/services/tlsssl-certificate-management/certificate-authority-details/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates )

For Apache (1.3?) web servers the directive SSLCACertificateFile /software/sslCerts-1/config/certs/cacert.pem needs to be present in the web server configuration, with that file containing the intermediate GlobalSign certificate.

See ST 67484 for an example that should be reworked into this wiki page.

-- DawnKeenan - 14 Apr 2010

Alternative "View" of this Page

An alternative version of this same information, with include files as links.

Useful command for examining and manipulating SSL certificates

Obtaining New or Renewed Certificates

Generate a New Private Key

IncludeCertGeneratePrivateKey
Note that private keys must be kept as secret as possible. Files containing private keys should preferably be readable only by superuser (or perhaps an equivalent service userid e.g. www or smmsp. Generating a new key should be done in a private subdirectory; the one containing the old key is an appropriate choice. (But don't clobber the old key).

To generate a new private key, you can use the openssl command. Here we generate a 2048-bit key, placing it in file new2048.key.

   cscf.cs% openssl genrsa -out new2048.key   2048
   Generating RSA private key, 2048 bit long modulus
   ........+++
   .................................................................+++
   e is 65537 (0x10001)
   cscf.cs% 
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components.

As of 2011, GlobalSign Incorporated, the certificate authority chosen by the University of Waterloo, requires a key (pair) of at least 2048 bits. Note the last argument on the command-line "2048".

You should use an appropriate umask to ensure the privacy of the private key, but it's probably sufficient to chmod afterwards. If it is necessary to transfer a private key to another machine or user, be careful how you do it.

Note

In the past we would frequently re-use the old private key and use it to generate a new CSR when renewing a certificate. In fact, we began to assume that process, essentially generating a new expiry date for an existing public key, was what "renewing" meant. When GlobalSign required a change from 1024 to 2048 bit keys, that clearly could not be done. But furthermore, today (Wed May 11, 2011), http://www.globalsign.com/support/csrgen.php includes the statement
For higher server security GlobalSign does not allow reusing private keys. You must create a new key pair.
That is, this process should almost certainly not be considered optional anymore.

In even more recent years, the above URL stopped returning such a definitive statement, and the requirement appears to have been removed. That might be because some products using SSL make it difficult to use a different private key. So whether this process is optional seems to depend on the software involved. It seems good practice to change the private key at each renewal, if possible.

Generate a Certificate Signing Request (CSR)

IncludeCertGenerateCSR
In the following I used cscf.cs.uwaterloo.ca as my sample hostname. This perhaps caused some confusion since the hostname was included in the email address we formerly used.
The key part of renewing a certificate is generating a Certificate Signing Request (CSR) to send to the Certificate Authority. Generation of a Certificate Signing Request requires the ability to read the private key, and so generally needs to be done as superuser. (Though it's not technically necessary, as in my example here). The openssl command can be used. Here we generate a request for a certificate for host cscf.cs.uwaterloo.ca.

  • BLUE is text you type literally
  • RED is text you must modify before typing

    cscf.cs% openssl req -new -key ./new2048.key -out cscf.cs.uwaterloo.ca.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:Ontario
    Locality Name (eg, city) []:Waterloo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:cscf.cs.uwaterloo.ca
    Email Address []:username@domainname
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    cscf.cs% cat cscf.cs.uwaterloo.ca.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----
    cscf.cs% 
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components.

For example, you can use the openssl command to give you a more readable (well, detailed) version of the CSR.

    cscf.cs% openssl req -text < cscf.cs.uwaterloo.ca.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cscf.cs.uwaterloo.ca/emailAddress=username@domainname
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:b6:de:fb:a9:ac:c4:e7:1e:03:2f:c0:40:d5:6c:
                        45:61:12:f8:e0:14:a9:20:e1:0a:81:c4:c8:5a:cf:
                        2e:1f:6f:ac:76:c4:69:a7:c4:ef:de:7f:82:d9:3f:
                        21:7f:45:3d:11:52:34:dc:40:a0:20:2f:26:9f:58:
                        6a:98:0e:8a:52:af:c5:ee:9e:ac:b4:1b:61:21:7a:
                        a3:0b:d8:46:af:f9:9f:32:19:0e:2f:06:3c:57:45:
                        a4:a3:fb:57:a2:35:7d:d5:49:84:0e:ac:cf:1d:d4:
                        0f:a6:99:b6:58:87:23:95:3a:63:24:4e:bb:50:22:
                        13:eb:89:3b:fd:8f:43:1d:94:1b:74:5d:53:67:e5:
                        ba:6d:db:d7:27:48:fe:21:cf:9d:59:87:5c:50:99:
                        5d:f6:4d:3c:72:0c:4f:e9:6a:2d:5c:4b:39:88:5e:
                        eb:f5:a3:2c:df:89:88:58:78:42:5c:19:aa:12:2c:
                        d6:4a:92:fd:28:a9:d2:64:3d:ba:bb:b6:5c:c6:71:
                        65:dd:6c:70:c9:58:f7:d8:e3:7f:25:44:5d:9b:25:
                        62:f7:a2:88:dd:46:36:4f:40:03:0a:6a:78:72:26:
                        99:f4:e2:5b:cd:8d:30:92:d6:4a:1f:11:2d:48:0f:
                        31:c1:1c:2c:d8:1f:c7:77:18:62:ca:53:f5:f0:a8:
                        df:3b
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            02:d9:30:8a:95:ad:90:7d:de:85:59:da:de:d5:83:b1:e4:e4:
            9c:d8:3f:30:1f:11:65:6a:7e:99:fa:f0:bd:dd:cf:df:44:92:
            b8:c3:4b:d7:9f:b3:fd:3b:28:e7:e7:ae:c5:71:41:fc:05:30:
            ba:a8:01:e0:b9:c7:3d:6f:44:3d:68:e8:c5:d6:94:e1:d5:8d:
            29:23:60:26:62:04:44:c4:e0:58:5a:70:08:ec:fc:07:29:77:
            f7:7e:b4:9d:be:e9:74:15:81:82:fc:ab:7a:2c:e4:f2:5e:03:
            b2:32:68:bf:ec:e2:f7:64:af:c8:a1:ea:8e:97:f4:a7:7c:e9:
            61:3e:88:7e:9f:80:ae:ec:f0:f7:05:fc:de:ff:c3:29:f2:4f:
            88:dc:57:71:5f:9a:5c:4c:c1:92:c0:94:12:5d:d1:18:81:ab:
            c5:fb:c7:7f:ee:61:3d:3d:ac:75:26:f5:29:28:77:90:e3:65:
            51:0d:0a:63:23:40:22:f2:4e:e0:ee:88:6b:43:97:69:fb:57:
            3e:2b:7f:56:84:b5:8f:b9:a5:a5:de:16:75:35:ef:a9:ea:ea:
            f7:04:67:e9:fb:7f:50:08:a2:6a:b9:21:4f:55:8b:c2:78:88:
            13:c4:cf:fc:d2:5b:df:9d:57:b0:38:27:08:0b:d2:f7:75:ba:
            59:79:f1:f5
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----

I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.

Notes

I have shown the inclusion of an email address. In fact, GlobalSign does not include the email address in the certificates they generate (that actually helps at renewal time) and so really including that email address in the CSR is sort of redundant. (When you submit the CSR in the next step, you are required to enter an email address; that is presumably the one GlobalSign will actually use).

Furthermore, I have obfuscated the email address by representing it symbolically. The address you should use now is

No permission to view CFPrivate.EMailAddressCscfCerts


If you want a certificate which can be used for several different names, such as virtual hosts on a web server, you will want to see Generate a CSR with Alternative Names.

Need note or new Include page here about OrganizationSSL versus IntranetSSL,

Submit the CSR to the Certificate Authority

IncludeCertSubmitCSR
To obtain an actual certificate, you must submit the CSR to the Certificate Authority ( GlobalSign, http://www.globalsign.com/ ).

To get to the right web page, you need a particular URL which encodes a login session. I will not reproduce that here. Obtain it directly from e.g. someone in IST.

(Hint: the URL looks like https://system.globalsign.com/direct_en/directpv.do?domain=MAGIC

where "MAGIC" is the special part which identifies you as University of Waterloo).

As of about July, 2018, because of a GlobalSign server https certificate change, it seemed that the old
https://systemeu.globalsign.com/direct_en/directpv.do?domain=MAGIC
stopped working, and
https://system.globalsign.com/direct_en/directpv.do?domain=MAGIC
must be used in its place. That is, "systemeu" was replaced by "system".

Note that the included screenshots predate that change, however.

Here is a screenshot showing such a successful session, thereby indicating the top options and settings for a Certificate Request; note OrganizationSSL versus IntranetSSL choice:
Screenshot-2016-11-22-15-37-52.png

There is an option you must select to choose new certificate or renewal. If GlobalSign had never signed a certificate for the particular host before, then you must choose the option for a new certificate. Otherwise, you can possibly choose "renewal". Note that, in the case of a renewal, the private key used for the CSR does not need to match the public key in the old certificate. That is, often when doing renewals you will keep the old private key (this has later implications which ease installation), but in fact the private key can be changed at renewal time. (As was actually necessary when GlobalSign began in 2011 requiring a minimum key size of 2048 bits.

The following is a sample of a CSR which looks like what you need to cut-and-paste into the web page form. (but don't actually use this sample!)

    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----

And here follows an example of an old certificate which looks like what you need to cut-and-paste into the web page form. (but don't actually use this sample!)

    -----BEGIN CERTIFICATE-----
    MIIE+jCCA+KgAwIBAgILAQAAAAABKRmXjogwDQYJKoZIhvcNAQEFBQAwajEjMCEG
    A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
    bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
    b24gQ0EwHhcNMTAwNjA4MjEwNjA5WhcNMTEwODE2MTM0ODA5WjByMQswCQYDVQQG
    EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
    BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFGNzY2YuY3MudXdh
    dGVybG9vLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu9DAZcrz
    KtWx7GNsbKig6LqFtU1PDmL1S5JfhMz23J2ISLfMXHIrW+8H5rrT5UzC59u8eZO5
    YdO5dSllRtoOXYWfLaCz2+axONOQrN08av7S6+0uyYD8ioF6ZgoW2J4Xn0T/ruVQ
    we9fHavje6TkYE00qat1e+72YGX95FmiX3juzTrJ0HUKTCsMDS2JuvOU3z4xcyyH
    yO1vLZfmtRtkS13aOBWsb/Tf6WTjfxPR3FdMBauLSVEYEXUKBpuDMbOagN4CoBTq
    AbEfZo4rLcufaPFL2Sxcr+yVKOXpoTwG83YSpwM/NWf4+Y9CQ+2qfYQtWP8Xm3vg
    fZhGEUu6UCWWFwIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAUfW0q7Garp1E2qwJp
    8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAChi1odHRwOi8vc2Vj
    dXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQwPwYDVR0fBDgwNjA0
    oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdhbml6YXRpb25WYWwx
    LmNybDAdBgNVHQ4EFgQUfHNlksoZYTqu2nJYNBJK2APW+F4wCQYDVR0TBAIwADAO
    BgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEGCCsGAQUFBwMCBgor
    BgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYBBQUHAgEW
    JWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wEQYJYIZIAYb4
    QgEBBAQDAgbAMB8GA1UdEQQYMBaCFGNzY2YuY3MudXdhdGVybG9vLmNhMA0GCSqG
    SIb3DQEBBQUAA4IBAQBkFzKLz37xdXPbbspX4ST3NVd4a4ThH+qoDu2l1/7TsZ8J
    RDeDxQf4ckmPSYya9nJRNDAfF47o1P6hmfiw20CbPefKwHc5Tf+xdy1QTa0ivJtJ
    grmC2Cc74b6pe51MawEDD0N8qFjJjQENXlQ5MXoqbPsKER6I9H7pbZHvfqJG0UXE
    iQmieXQu0p+FxsKNOn+dyO9j6NKSL8l3Rr4H+tqLQK+fHvSeQKo1q11Q8soUM7Ql
    /3tVT/qLTzEy8QRkYRF9p+3ihQEIhyYFDD9JnSiLeOsQvxhAj+jEqdS+w15p3ORR
    /xbBgIXEOKKniB9CLXLKQuOTXMl2HxTWMSCubBAu
    -----END CERTIFICATE-----

In addition to the CSR (and optionally old Certificate), the form requires 4 pieces of information,

  • First Name
  • Last Name
  • Telephone (inc. region code)
  • Email Address

For First and Last Name, enter your own (something IST will recognize).

For Email Address, CS should always use

No permission to view CFPrivate.EMailAddressCscfCerts

For the telephone number, I always use +1 519 888 4567 (in that format).

You must first click "Continue" to submit the page, then an "I Agree" to an Agreement (suffixed to confirmation of details).

After the CSR has been so submitted to the Certificate Authority ( http://www.globalsign.com/ ) they will contact University of Waterloo IST to verify the request (and arrange for payment).

Once the CSR has been submitted, it is of no further use and can be deleted.

Receive the Certificate from the Certificate Authority

IncludeCertReceiveCert
You should receive almost immediately an almost useless email message analogous to the following.
    From gasemails-us@globalsign.com Fri Jan 28 17:41:15 2011
    Message-ID: <2059314663.1296254454773.JavaMail.gsadmin@gsgas04.globalsign.com>
    Date: Sat, 29 Jan 2011 07:40:54 +0900 (JST)
    From: gasemails-us@globalsign.com
    To: redacted@redacted.uwaterloo.ca
    Subject: CE201102140123: Order Received for  cscf.cs.uwaterloo.ca
    
    == GlobalSign / Certificate application received ================
    ======================================================================
       Please note this e-mail is automatically generated.  If you need
       assistance please refer to the "Contact Us" information below.
    ======================================================================
    Thank you for your SSL Managed Service order. 
    
    Please make sure to review the following application details.
    For the further application details, please confirm them 
    on GlobalSign Certificate Center.
    
    ***Your Order Information
    --------------------------------------------------
    [Order Number]      CE201102140123
    [Common Name]       cscf.cs.uwaterloo.ca
    [Product]           OrganizationSSL(MSSL)
    [Period]            1 years
    [Number of Licenses]   1
    --------------------------------------------------
    ***Your Certificate Information               
    Common Name         cscf.cs.uwaterloo.ca               
    Organization                       
    City or Locality                   
    State or Province                  
    Country                
    --------------------------------------------------
    ***Your Billing Information
    [Billing Contact]   
    [Payment Method]    Bulk/deposit
    [Special Instruction]   
    [Total Amount]      usd 88.00(include tax)
    
    ***Prevetted Domains -
    --------------------------------------------------
    
    
    ***Ordering Process
    --------------------------------------------------
    When ordering SSL Managed Service it is possible that you will 
    need to submit corporate documents.
    Please see details on the below URL:
    
    http://www.globalsign.com/support/ssl-order/pv-organization-ssl.html
    
    The period for which prevetting remains valid is one year.
    
    ***GAS Login for Management of Certificate(s)
    --------------------------------------------------
    Login to the GlobalSign Certificate Center to manage the lifecycle
    of your certificate. The GlobalSign Certificate Center gives you easy
    access to renew certificates and how to revoke or cancel should it
    be necessary.
    
    https://systemeu.globalsign.com/loginpartner_en/loginpartner.do
    
    GlobalSign will refund your certificate in full if you cancel
     within 7 days of the issuance of the certificate.
    
    ***GlobalSign Certificate Center Login for Billing Management
    --------------------------------------------------
    Login to the GlobalSign Certificate Center to view billing details,
    request additional receipts and process any outstanding invoices.
    
    http://www.globalsign.com/support/gas/invoice.html
    
    ***Renewing your Certificate
    --------------------------------------------------
    To assist you in making sure that your certificate does not expire 
    GlobalSign will send you email reminders beginning 90 days before 
    expiration.  If you renew early you will receive discounted pricing 
    and other fantastic loyalty benefits.
    
    
    ***Agreements
    --------------------------------------------------
    Please confirm the GlobalSign CPS and Agreements below:
    http://www.globalsign.com/repository
    
    
    ***Contact Us
    --------------------------------------------------
    For Technical Support & Account Queries:
    http://www.globalsign.com/support
    http://www.globalsign.com/help.html
    Tel: Use below numbers
    
    GlobalSign Contact Details:
    Support: 877-467-7543 (toll free)
    Sales:   877-775-4562 (toll free)
    Fax:     603-570-7059
    
    Please fax documents for vetting directly to 617-830-0779.
    
    --------------------------------------------------------------------------------------
    GlobalSign - A Leader in Online Security & Authentication Solutions for over 10 years.
    --------------------------------------------------------------------------------------
    

And then, assuming University of Waterloo IST approves the request, you will receive, within a day or so, email similar to the following, which actually contains the certificate you need.

    From gasemails-us@globalsign.com Fri Jan 28 18:58:35 2011
    Message-ID: <4784274.1296259086559.JavaMail.gsadmin@gsbatch01.globalsign.com>
    Date: Sat, 29 Jan 2011 08:58:06 +0900 (JST)
    From: gasemails-us@globalsign.com
    To: redacted@redacted.uwaterloo.ca
    Subject: CE201101296349: Your SSL Certificate for  plg1.cs.uwaterloo.ca has been issued.
    
    Congratulations!  Your GlobalSign SSL Certificate has now been issued.
    
    [Order Number]    CE201101296349
    [Common Name]     plg1.cs.uwaterloo.ca
    
    ***YOUR OrganizationSSL CERTIFICATE
    ----------------------------------------------------
    Your SSL and Intermediate Certificates can be found at the bottom of this email. 
    
    Alternatively, you may log into your GlobalSign Certificate Center (GCC) account and Copy and Paste your SSL Certificate file from there. 
    
    
    GlobalSign Certificate Center:
     http://www.globalsign.com/support/gas/get-certificate.html
    
     
    ***INSTALLING YOUR CERTIFICATEs:
    ----------------------------------------------------
    You can also find your Intermediate Certificate, detailed tutorials, guides and manuals on installing your Certificates using the link below to access the Support Area:
    
    Support Area:
     http://www.globalsign.com/support/index.html
    
    
    ***QUICK INSTALLATION GUIDE:
    ----------------------------------------------------
    1) Using a text editor, copy the Intermediate Certificate text from the bottom of this email, (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it to a file such as gs_intermediate_domain_ca.txt
    
    2) Using a text editor, copy the SSL Certificate text, from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and save it to a file such as yourdomain.txt
    
    3) Copy these .txt files to your server, and then rename them with .crt extensions.
    
    4) Install the Intermediate and SSL Certificates
    
    5) Restart your server
    
    6)Test on any non-IE browser to ensure correct installation of both Certificates
    
    7) Install your Site Seal 
    
    8) We suggest you back-up your SSL Certificate and Private Key pair and keep it safe, all IIS users can use the Export Wizard
    
    
    ***INSTALLING YOUR FREE SITE SEAL:
    ----------------------------------------------------
    The GlobalSign Site seal is a sign of trust on the Internet. It shows your customers you have been authenticated and you use the strongest SSL possible to secure your transactions. Displaying the GlobalSign Site Seal will help visitors trust your web site, and then help convert general visitors to paying customers. Don't risk people abandoning shopping carts and web forms - display the GlobalSign site seal to give them the confidence to complete the transaction.
    
    Installing the GlobalSign Site Seal is easy - just follow the link below:
    http://www.globalsign.com/support/ssl-site-seal.html
    
    ----------------------------------------------------
    
    RETAIL CUSTOMERS  Upgrade to SSL Managed Service If you are using multiple SSL Certificates for your organization, speak to Sales about saving costs by upgrading to the SSL Managed Service. This upgrade is automatic and gives you immediate discounts, granular user management and allows you to submit your domains for pre-vetting. When you need a new SSL Certificate you simply log in and apply, your SSL Certificate will be issued instantly.
    
    
    SSL RESELLER PARTNER OPPORTUNITIES
    Is your organization buying SSL on behalf of your customers? Talk to us today about reselling GlobalSign SSL Certificates. Use GAS to manage end customer SSL requirements as well as your own SSL Resellers and gain discounts on Pay As You Go.
    
    
    We hope that your application process was quick and easy and you have
    enjoyed the GlobalSign experience.
    
    
    ***CONTACT US
    --------------------------------------------------
    For Technical Support & Account Queries:
      http://www.globalsign.com/support
      http://www.globalsign.com/help.html
    
    Global Office Contact Details:
    Toll Free: 877-775-4562  |  Fax: +1 603-570-7059
      
    --------------------------------------------------
    A Leader in Online Security & Authentication Solutions for over 
    10 years
    --------------------------------------------------
    
    
    
    Your SSL Certificate (Formatted for the majority of web server 
    software including IIS and Apache based servers):
    
    -----BEGIN CERTIFICATE-----
    MIIE+jCCA+KgAwIBAgILAQAAAAABLc8cZm4wDQYJKoZIhvcNAQEFBQAwajEjMCEG
    A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
    bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
    b24gQ0EwHhcNMTEwMTI4MjM1NDA5WhcNMTIwMzEzMjEwNjExWjByMQswCQYDVQQG
    EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
    BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFHBsZzEuY3MudXdh
    dGVybG9vLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxYOQUZ4X
    RfVa9YntRylvv7hf57itkG/se5fr1CfMiZZP7SWm7L+ZEl6PngLAvlVLyNe8bFL6
    x6NjTCHAOxkTleCxr0bDPXrxjKb5ekA+4Y8TEy8XZzuKXNTe3C1GsC7KEdDWTW55
    tJYn8ubIyyfMtF0DidSrujmSg+BeRBwMdL7HLtM9ZSo9HtX6LgI0UhEUJtFHJ9VJ
    n4TC/rfX64tiDS1kpTUacxvkALXzsAbI6xeXo2zRiqCbkv4mK9U6Zc0tTE5UP4EE
    nlRFYDfjVEskeoRl8zuulb4a9IVVuOLwdXEM71JshblVjebgWqf286P262VaoVTx
    ZRtWHKpPLDUrEQIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAUfW0q7Garp1E2qwJp
    8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAChi1odHRwOi8vc2Vj
    dXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQwPwYDVR0fBDgwNjA0
    oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdhbml6YXRpb25WYWwx
    LmNybDAdBgNVHQ4EFgQUnQS7i3B8caVD1vafco553LbJSKkwCQYDVR0TBAIwADAO
    BgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEGCCsGAQUFBwMCBgor
    BgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYBBQUHAgEW
    JWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wEQYJYIZIAYb4
    QgEBBAQDAgbAMB8GA1UdEQQYMBaCFHBsZzEuY3MudXdhdGVybG9vLmNhMA0GCSqG
    SIb3DQEBBQUAA4IBAQBGe926vpyQEs9Sk7d0sW2c8+FAL+cFn6JCayc1ua1v4WAh
    wOpjHybXfmKik+adZtDKmAPEjAdD7MelElKxf79vYeILU8FkCy0u+N1HrfZEn2Dn
    OFWThyFw5+fhRfmejg5QMFWkaEKpEE9MRQYBpYlfKnNBhGLbXWJk2lsRXqj6FgSk
    KsLCOkyYpibyboWPJs1Js7C2pe14tcxx1SHPsTsGRveyqhp0S4E5VxQ2OVJX9vtm
    Z6Z57cmZyGBa7N3NJ3mJZ44CCUTe4tVi69DU83vZ2oK2oL8pIp9UwKG5Obf9axfc
    +hzesAhKSb27EG7YfAknG1dZUtkZvvj7XVP6bzHk
    -----END CERTIFICATE-----
    
    
    OrganizationSSL Intermediate Root Certificate (Formatted for the 
    majority of web server software including IIS and Apache based 
    servers):
    
    -----BEGIN CERTIFICATE-----
    MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG
    A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
    b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw
    MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp
    ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT
    aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF
    AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h
    +P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA
    9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8
    yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI
    NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw
    Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD
    VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm
    q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB
    BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD
    VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy
    bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI
    AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3
    DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+
    8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO
    16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt
    h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/
    /e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ
    c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh
    -----END CERTIFICATE-----
    
    
    -----------------------------------------------------------------------------
    GlobalSign - over 10 years of securing identities, web sites and transactions
    -----------------------------------------------------------------------------
    
    

Generally speaking, the Intermediate Certificate will already be installed on systems where you are renewing certificates. If you are setting up a new SSL service for the first time, you will need to ensure the Intermediate Certificate is appropriately available. Actually, I am rethinking that assumption right now. -- AdrianPepper - 29 Sep 2011

Installing and Testing

Installing the Certificate

IncludeCertUpdateCertificate
Theoretically, the file system locations of old versions of certificates could be almost arbitrary. To be sure of updating (or installing anew) all certificates, including the intermediate certificate, and private keys, you would need to read the configuration for all server applications involved, and install or replace the contents in the appropriate format.

In practice, locations of certificates are constrained somewhat.

There are potentially four pieces of data to install or make accessible for each server application.

1. The host private key

2. The host certificate

3. The OrganizationSSL (or IntranetSSL) Intermediate Root Certificate

4. An appropriate Certificate Authority Root Certificate

Of those, 2 (the host certificate) is the one you will always need to install or update. If you generated a new 1 private key, you will need to ensure it is correctly updated to match each certificate you install or update. In general 3 (intermediate certificate) will have been appropriately installed, unless you are setting up a brand-new server.

And 4 (CA root certificate) isn't actually required by most server applications. A CA root certificate is really only meaningful to the clients if it is obtained from a source different from the server presenting a certificate allegedly signed by that authority. Nonetheless, many servers are set up with CA root certificates available, although most client and server software will not actually have any reason to access that particular certificate from that source.

Certificate Location under Xhier

IncludeCertLocationXhier
The great Xhier guru Patrick Matlock conceived that all applications configured under xhier should have a single location in which SSL certificates (and private keys) should be kept.

Therefore he created an sslCerts xhier package (which has had an only version sslCerts-1) under which certificates should be stored.

On xhiered systems, certificates should be placed in

       /software/sslCerts/config/certs/
and software configured to reference them from there.

Similarly private keys should be put in

       /software/sslCerts/config/certs/private/
with configuration set appropriately.

Note that, although one suspects the idea was that directory should be mode 700, it now tends to be 711 or worse, so you should make sure the individual files are not readable by world or inappropriate groups. (The search permission may be designed to allow daemons running as non-root to access individual key files?)

An automated process, part of the sslCerts packages, makes sure

       /software/sslCerts/config/certs/cacert.pem
contains the OrganizationSSL certificate.

Actually, I'm not certain IST updated the automated process when the intermediate certificate changed in 2011.

In general, xhiered software which requires certificates will by default refer to them in these locations.

Certificate Format Used by UW IMAPD and perhaps others

IncludeCertInetdFormat

Here is the format of certificate files used by stunnel , University of Washington imapd and ipopd and perhaps other servers.

Because the connections for these services are initiated by inetd, startup efficiency is important and so all necessary certificate information is placed in one file. Because the private keys are included in these files, the files must not be world-readable. In addition it seems there can be no additional data before the first -----BEGIN line or between the -----END and -----BEGIN lines--no readable certificate forms or other comments. This is in contrast to other services which do allow such comments.

root@services116.cs>2# cat stunnel.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCeSOyOK6EZIqyG1cStXwsxlNlD/RayeMjjFBgn++9OjyRF/zUm
vnXUKBHi29z8yGgnWJ2cS8qYkAlfvhsmHAuOIQh3x/nuKtvCu1/ssghNXkMmVoJL
+Zkk2QaZX0bf8TnZ0OYC3qFS9HxgRKt6FIvsblbxme4mAreQMhpwDtB/+QIDAQAB
AoGAJHvmmraPwX1uiv3HAbdAm0MV+Ufi7WxN0ZmWH9FATblMwR2cILwR6L77sHDB
NTr0Vu1kFtyZbCT3JCxrkZMxTkqX/+uSh33+NNPc7gStwFQ7LjOyO6AthOpr4OIi
GzZrkVdlfvHakc9yoU3cBSNLbPuSefC6X773bM54KtZsDOkCQQDOGTqyXe3Uz3Oo
EaGpdvTZEi4+7X38HDydybFpl7aWu2ZEXgsRbwiWmM5j5mHmQBbBfWQv4+cDQLSN
i9IFkFt3AkEAxJwFRL+BBag039NCs8Ty8NirGrncsXHW2EnU1+ifZZBinp3Bg8G8
HTZKugG/W1ThLqNupvEfa4glzeQb+b78DwJAEdcbPp9k2/wNLepAzTOP5E5vlGDo
e+9Ry/LOma5ZTtjv9FETsjGjU63sh7dEmDLKBXu+NWsL7zslpe8JghPJ5wJACLDg
5r4UZPyfgblj/HBbUNwzDBZlNA7VMXBqETU+Po4YXeyZTkq1FxF8Uiabn9zrq1Uc
IhMMkYNOMIDB39NabwJBAKogdyM76Zfgd9I1fZf8AQKZVs4C1yq0JdPW6nl0gpKK
+nMCU7RIx0mdrEsTJNyR63hdPJ/37+OjvtRefBMVowE=
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgILAQAAAAABJ24e8gcwDQYJKoZIhvcNAQEFBQAwajEjMCEG
A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
b24gQ0EwHhcNMTAwMzE3MjEyNDE3WhcNMTEwMzE4MjEyNDExWjByMQswCQYDVQQG
EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFG1haWwuY3MudXdh
dGVybG9vLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhrXXLjlNIBjkX
+FF9xV99R9dzOFNTuMvAZew18VOQzwscyVvxilVeXRjQoKB2osz22VNCof/Uf9pm
VSH5enWP5XwIUopkMG5uJGPOAPzr4smrEOVQ68VCtgR/M62iH9w6nuh1uUACgqW9
7ykzhwUZq5wntqBsnNvBszxHpUeZqwIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAU
fW0q7Garp1E2qwJp8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAC
hi1odHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQw
PwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdh
bml6YXRpb25WYWwxLmNybDAdBgNVHQ4EFgQUa4CiDe86Vx2LK1uGANpOHnoOtaEw
CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEG
CCsGAQUFBwMCBgorBgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMw
MQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9y
eS8wEQYJYIZIAYb4QgEBBAQDAgbAMB8GA1UdEQQYMBaCFG1haWwuY3MudXdhdGVy
bG9vLmNhMA0GCSqGSIb3DQEBBQUAA4IBAQAnAMxl6RKmiO6kBHkcrcNAdevfpC9h
UYN4u3XMYpsdkK03LtneRnVBVY5RBKw49WaEavJgFNXL/dGDJ1nAFSUqX/LnV6vR
wvrwArdruwNvMCOSHhTSzEI94TU8pYuqtG5JodTrVb9fGEXwmrQJp+Een974zWRE
HHQQ/NGjcBPTI+ts8BoTQaMZGEcxZ2zGHUTChbmVzjZgZPzIMSEcMGKuTAY1weGP
LyFKn7dOxIbN0lQVezCfHtSntTGaoLum5phnbsrU5qRTnVndDYSOtgS4wU2pXWal
ezqliW3+kStgu67NMOVtJP2yd3VNaDILoLme2OJiMNRTf27zyo6QAn1p
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw
MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp
ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT
aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h
+P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA
9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8
yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI
NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw
Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD
VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm
q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB
BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD
VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy
bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI
AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3
DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+
8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO
16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt
h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/
/e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ
c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh
-----END CERTIFICATE-----
root@services116.cs>2# 

Although I based this on an actual certificate chain, I substituted an incorrect private key.

The contents are:

-----BEGIN RSA PRIVATE KEY-----
[ Private key for the host certificate immediately following ]
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[ Host certificate (corresponds to that private key) ]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[ Intermediate OrganizationSSL Certificate..... ]
-----END CERTIFICATE-----

The openssl command can be used, as in openssl x509 -text, using one of the certificate portions as input. That will show a readable (well, verbose) form of the certificate. That can be useful to help be sure you are replacing the correct host certificate, and also to check the expiry date, etc. But remember that data such as that cannot be included in the installed file; it will cause the service to stop working.

Note that no Certificate Authority Certificate is included. That's because a Certificate Authority Certificate is really only meaningful if the client obtains it from a source different from the server providing the service. Note how the OrganizationSSL Intermediate Root Certificate is used to connect the host certificate to the Certificate Authority.

Note that the private key and host certificate shown are only 1024-bit; GlobalSign now requires 2048-bit keys, and so on renewal the above would be (have been) upgraded.

Certificate Format Used by most Web and SMTP Servers

IncludeCertWebFormat

Here is the format of certificate files used for web , SMTP and perhaps other servers. The private keys must not be world-readable, but the certificates themselves can. Typically, the private keys are stored in not-world-readable files in a subdirectory "private" which can also be not-world-readable.

root@services08.student.cs>2# pwd
/fsys1/.software/local/sslCerts-1/config/certs
root@services08.student.cs>2# cat private/httpsd-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAzIFZVDKTDnooK5rCFVwKVDVpirsOxh5oqudSIUyxPH5pG7wJ
vGGBwdHgoyo/J9LZEieBWcqlLXXMK7IALAmo3MKJ8V8A3G65DrD2nc0PbZFWlu8D
WadeM53hKBcAcSilFR+IjAiAPK5w0xm5jfFL48nfnWDHdwcc2wILYnQLgwDORLH4
1fkGYGtGfGKA8QLtFpR1SJOFnNFwq4GAb1ibIHEitIfAQG3LEpn0bUKACDuKAJVI
/yI+AUlBS92r/YPzE0Hs07DwcqB0cqQk1E0AIkaWyTzSHFnvI0Izv+HBOFhbIquD
MbNlE8u8QxF7Gdt8St5DKm3VXmFnzYsk5Bj9aQIDAQABAoIBAQCfQWurIedbMs3t
hwr1T0PL5/xUyO7sYenojVNsEylCjr6Tlo+OX/CIW0SwS8n63Tul45Xbsu+Gw2FH
9cokgTE7GVQK34zwHFmIk065/GKzVKc1ytO1EZ1OXPhmG+OAO8Ky/Gd9hXE30DCU
dEgHvYz3ytGU4TT0AFn8Q09SUERWsvkztQQI3R/yMdekaGQf3LP8whKj+IRKBJgN
LfJelGCuaq5UfyiRX15tu4YpES6cZ0gB0ZT3/FhbS3tfPFX7rb6FyDowxBS5cRTk
usCqURDy4U6/Zb4QASUc1vNxzJhIc0kMHwNAYbrwgIkIz3dPh8MyzYilZAkA4rLz
XJY8Wk4BAoGBAO9aH0cCl8xjJscnUcHXGJDW8m3MznzAWZ03NZ3jAHyxLrYuAF+6
SsubS65tmMoNf15slB4oOb6m2WtctqqOMa1xxkTEzKwOHpv3sSWGi/DpvggwgahN
l+HxBS6eX4kRDQr6Zqj8EbjNdLQWhsfsL6nPKriOym9Dbi4qbZlBx9TxAoGBANq6
v64VlggXyJdgyGRejRo1sNb1M+2zl7zkpXRAlnt6ie3iS5mqEndIyXf0q8dyjKLL
ZN9uGx4vDwhDBcDEhAASAn0OMrYCSJcumz/OE5Zk4ltEx52rh3VR4R/QBwjL7HY4
4cITQas4YLw+egvEZguIeoWEXD0rZ3+XR6HcTM/5AoGBAKbv13LCdzdBTFGItfgZ
WnPixxEX0EioK5iAYi/tnHBbb7X2naImn3YkqQNOQ0thYJ1t41ypN6UmX+wGrQyF
wlYzTVK3Y/z4mBa2CeKfVclAbZ7une/RtoYKgU/De+RwdQVcIe/oZz/aZHQaZgTY
UWIBMM2qIby6bgVa6DgE7igxAoGBAK+3QQ+wJbRgrvP1e2cukjqREXzOxaXbFjZY
lRa8YGfYPIBPwJ41A9qyLa/hbjKvMo4Bygq4oK5x7aicdz2yYbzQuxEN2+1eDkTt
2yi5/ABhEXty2M4wo4S7f5iX/V6yvEcJUUwhPis4AnaX1mInqDbxsEQc3iECAoZ8
2L4OheK5AoGAdJLuCK/VqB+bjqdSuv+id4UhVyB4cPqkNyHt3Yqydi+KYYj2iIAe
Kel0739XTJXv4GaL6T4Cl5ZZHxajTzrbV36XthSOfIBE3IAdeEcwWoQF4ISwEyLP
vrnRcgUQEWUbSxSGU+OZDqa80E6Uqe4lPLnXC2BMxdGWNTV1AN4gsF8=
-----END RSA PRIVATE KEY-----
root@services08.student.cs>2# 
root@services08.student.cs>2# cat httpsd.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:00:00:00:01:27:e4:b2:1c:14
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=Organization Validation CA, O=GlobalSign, CN=GlobalSign Organization Validation CA
        Validity
            Not Before: Apr  9 21:30:10 2010 GMT
            Not After : May 20 13:14:24 2011 GMT
        Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=www.student.cs.uwaterloo.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:35:32:33:ed:6c:f4:6d:b5:5c:39:55:b7:2f:
                    1c:ca:b4:8f:0e:5f:58:dc:4e:c5:8f:50:a0:83:04:
                    bd:48:ac:48:49:ed:a1:6d:4d:d6:ef:86:2a:0c:2a:
                    c3:87:57:c0:37:9b:20:03:72:f1:a0:4f:2a:7d:4b:
                    b4:51:e1:13:03:37:14:f5:49:91:25:21:ca:e0:a6:
                    e2:71:e4:23:d2:ff:51:ff:d1:a4:b4:f2:9b:7d:4e:
                    cd:49:4f:73:a3:34:5e:a0:f0:7d:ad:11:11:3b:46:
                    1d:cb:c5:d2:95:69:50:18:0c:f4:1b:d3:d9:af:7f:
                    1c:f4:77:de:c0:20:28:0d:71
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7D:6D:2A:EC:66:AB:A7:51:36:AB:02:69:F1:70:8F:C4:59:0B:9A:1F

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.net/cacert/orgv1.crt

            X509v3 CRL Distribution Points: 
                URI:http://crl.globalsign.net/OrganizationVal1.crl

            X509v3 Subject Key Identifier: 
                DC:55:92:06:B7:F7:0A:D5:4C:78:C3:AA:1D:9E:71:FA:BA:2D:90:04
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: http://www.globalsign.net/repository/

            Netscape Cert Type: 
                SSL Client, SSL Server
            X509v3 Subject Alternative Name: 
                DNS:www.student.cs.uwaterloo.ca, DNS:student.cs.uwaterloo.ca
    Signature Algorithm: sha1WithRSAEncryption
        3f:04:fd:0d:9f:dc:e1:9e:c3:df:25:c6:a4:7b:d3:80:4a:11:
        85:d7:c2:5a:be:46:92:25:62:f1:ae:c0:88:53:cb:02:dd:10:
        07:05:e9:dc:ef:c3:7b:fd:67:44:ec:c1:f6:45:e8:d6:be:26:
        56:51:94:41:4c:c7:51:45:4d:52:5e:a8:e2:08:82:b7:58:5f:
        44:f8:1c:21:c4:6c:c7:37:d4:2f:a3:9e:f2:80:c9:14:b2:8f:
        77:f5:6e:81:0b:27:b3:08:14:43:2e:5b:e0:1f:9b:02:60:36:
        07:e6:8f:c9:cf:34:40:19:67:de:93:a3:fe:3c:b4:17:66:4f:
        7e:e9:c5:f3:8f:91:9c:18:7f:3b:b1:c7:8f:7a:a6:ba:e1:30:
        51:4b:6c:ca:33:7e:d6:91:0e:69:27:46:a4:08:2e:a7:7d:d5:
        06:82:ca:3c:e2:48:1d:48:5d:1a:35:42:48:53:50:60:40:6b:
        b6:b0:00:39:0d:af:b5:45:9d:ca:2d:0b:61:be:b8:c0:2e:05:
        7d:9a:43:c8:b2:d5:81:a0:10:12:fd:21:a2:39:6a:5f:8b:90:
        70:5c:60:e0:ef:ad:d4:c6:6c:1b:70:36:9c:2c:2b:88:79:a5:
        82:dc:a3:37:6c:94:2d:f7:c2:1f:be:b1:37:60:47:08:6a:70:
        50:81:fa:52
-----BEGIN CERTIFICATE-----
MIIEnTCCA4WgAwIBAgILAQAAAAABJ+SyHBQwDQYJKoZIhvcNAQEFBQAwajEjMCEG
A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
b24gQ0EwHhcNMTAwNDA5MjEzMDEwWhcNMTEwNTIwMTMxNDI0WjB5MQswCQYDVQQG
EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xJDAiBgNVBAMMG3d3dy5zdHVkZW50
LmNzLnV3YXRlcmxvby5jYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsjUy
M+1s9G21XDlVty8cyrSPDl9Y3E7Fj1CggwS9SKxISe2hbU3W74YqDCrDh1fAN5sg
A3LxoE8qfUu0UeETAzcU9UmRJSHK4KbiceQj0v9R/9GktPKbfU7NSU9zozReoPB9
rRERO0Ydy8XSlWlQGAz0G9PZr38c9HfewCAoDXECAwEAAaOCAbcwggGzMB8GA1Ud
IwQYMBaAFH1tKuxmq6dRNqsCafFwj8RZC5ofMEkGCCsGAQUFBwEBBD0wOzA5Bggr
BgEFBQcwAoYtaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLm5ldC9jYWNlcnQvb3Jn
djEuY3J0MD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5u
ZXQvT3JnYW5pemF0aW9uVmFsMS5jcmwwHQYDVR0OBBYEFNxVkga39wrVTHjDqh2e
cfq6LZAEMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCkGA1UdJQQiMCAGCCsG
AQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzBLBgNVHSAERDBCMEAGCSsGAQQB
oDIBFDAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdsb2JhbHNpZ24ubmV0L3Jl
cG9zaXRvcnkvMBEGCWCGSAGG+EIBAQQEAwIGwDA/BgNVHREEODA2ght3d3cuc3R1
ZGVudC5jcy51d2F0ZXJsb28uY2GCF3N0dWRlbnQuY3MudXdhdGVybG9vLmNhMA0G
CSqGSIb3DQEBBQUAA4IBAQA/BP0Nn9zhnsPfJcake9OAShGF18JavkaSJWLxrsCI
U8sC3RAHBenc78N7/WdE7MH2RejWviZWUZRBTMdRRU1SXqjiCIK3WF9E+BwhxGzH
N9Qvo57ygMkUso939W6BCyezCBRDLlvgH5sCYDYH5o/JzzRAGWfek6P+PLQXZk9+
6cXzj5GcGH87scePeqa64TBRS2zKM37WkQ5pJ0akCC6nfdUGgso84kgdSF0aNUJI
U1BgQGu2sAA5Da+1RZ3KLQthvrjALgV9mkPIstWBoBAS/SGiOWpfi5BwXGDg763U
xmwbcDacLCuIeaWC3KM3bJQt98IfvrE3YEcIanBQgfpS
-----END CERTIFICATE-----
root@services08.student.cs>2# 

Although I based this on actual certificates, I substituted an incorrect private key.

The openssl command can be used, as in openssl x509 -text, using one of the certificate portions as input. That will show a readable (well, verbose) form of the certificate. That can be useful to help be sure you are replacing the correct host certificate, and also to check the expiry date, etc. Typically, as is shown here, the previous installer will include that information in the .pem file. But it is optional, and occasionally the text may not match the certificate.

The following matches a particular sequence known to exist in the encoding of the OrganizationSSL certificate, in order to find and extract it from the cacert.pem file where the Apache web software is typically configured to find it.

     perl -ane < /software/sslCerts/config/certs/cacert.pem \
'if(/---BEGIN C/){$c="";$p=0}; \
if(/^c738B0E0t6pu7qfb0/){$p=1}; \
$c.=$_;if(/---END C/){if($p){print $c;$p=0}}'
To see details of that certificate, you could even do...
     perl -ane < /software/sslCerts/config/certs/cacert.pem \
'if(/---BEGIN C/){$c="";$p=0}; \
if(/^c738B0E0t6pu7qfb0/){$p=1}; \
$c.=$_;if(/---END C/){if($p){print $c;$p=0}}' | openssl x509 -text

Relevant Apache config lines will look like...

root@services08.student.cs>2# pwd
/fsys1/.software/local/wwwapache-1.3_server/config
root@services08.student.cs>2# grep /sslC * /dev/null /dev/null | grep -v ':#'
httpd.conf:  SSLCertificateFile    /software/sslCerts-1/config/certs/odyssey.student.cs.uwaterloo.ca.pem
httpd.conf:  SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd-key.pem
httpd.conf:SSLCACertificateFile /software/sslCerts-1/config/certs/cacert.pem
root@services08.student.cs>2# 

Which reveals a lie in our presentation. The www.student.cs.uwaterloo.ca certificate has actually been superseded by the odyssey.student.cs.uwaterloo.ca certificate. (Note that correspondence between names of files and the certificates they contain is not mandatory, but is advisable).

It is beyond the scope of these pages to tell you how to set up such Apache configuration; what is here is just hints to help you analyze any particular configuration for which you may have been entrusted with the update of a certificate.

Anecdotal warning: although Apache will find the OrganizationSSL certificate from the cacert.pem file, as it is configured to do in the example, that OrganizationSSL certificate can in fact be placed in the SSLCertificateFile. In such a case the SSLCACertificateFile may in fact not be defined. At least once it happened that such a pair of certificates was replaced during renewal by the host certificate only. With no SSLCACertificateFile defined, the web server could not return the OrganizationSSL certificate. However, that was initially undetected because clients (web browsers) typically will be able to use the certificate they obtained from another uwaterloo.ca web site. That is, the problem thus created is only evident if the thusly broken site is the first uwaterloo.ca site a browser visits.

Further experimentation suggests that the previous was true only for Apache 1.3, if at all. Apache 2 appears to require the variable SSLCertificateChainFile to be specified if you wish to include a chain of several certificates.

Testing

Using openssl command to check Certificate installations

IncludeCertTestOpenssl
The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:465
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect mail.cs.uwaterloo.ca:25
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:imaps
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect plg2.cs.uwaterloo.ca:110
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect plg2.cs.uwaterloo.ca:995

I had to hunt around for a pop3 example, because that is being shut down. The output from the above is lengthy, and includes the main server certificate. You can use the openssl command to view its details.

Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap

-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:

   arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect cs.uwaterloo.ca:443

Since openssl x509 -text does ignore information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

There might be a little untidy stderr output at the beginning, so...

    arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

Testing a Recently Changed Web Server Certificate

IncludeCertTestWWW
It is easy to check what certificate is being presented using the FireFox browser.

However, you should verify that the OrganizationSSL Intermediate Root Certificate has been installed correctly. FireFox will show you the chain of certificates, but a problem is it might have remembered the intermediate certificate from another University of Waterloo site.

You can ensure FireFox gets the certificate from your web server by creating a new, empty profile using

    arpepper@cscfpc20:~$ firefox -no-remote -ProfileManager

Choose "Create Profile" and then complete the one-step wizard to create a new empty profile (you just need to choose a name), and then click on that profile to start a session using it. And then immediately browse to an https page on the server whose certificate you have just updated. There should be no negative diagnostics, although the default warning about an encrypted page should occur.

With version of FireFox available as I write this page, choose

[Tools] => [Page Info]

[Security] => [View Certificate]

The Expiry Date is visible (although the date format is obscure).

[Details]

should show you the Intermediate Certificate as GlobalSign Organization Validation CA - G2; you should be able to confirm the validity dates. (Although it's a little painful). (Older certificates will have been using simply GlobalSign Organization Validation CA).

Although this facility should remain available in future FireFox, details of the interface will probably change.

For tidiness, you probably want to immediately delete your new profile using the dialog generated by:

    arpepper@cscfpc20:~$ firefox -no-remote -ProfileManager
and then selecting it for [Delete]. (You will want a brand new profile for any future tests; this one will have become "contaminated").

If the certificate chain was not set up correctly, you will probably have difficulty even navigating to the page in question--You will get errors complaining about an untrusted certificate authority.

-- AdrianPepper - 01 Jun 2012

There is a website that verifies certificates: http://www.digicert.com/help/ It seems to go beyond what even FireFox wants - if the certificate chain is out of order it will display the links in red, even though all the appropriate certificates are present.

-- IsaacMorland

Get Certificates from a Web Page using Firefox

IncludeCertGetFromFirefox
If you are viewing an https page in FireFox then you can perform the following menu/button selections to save its certificates.

[Tools]
. => [Page Info]
... => [Security]
..... => [View Certificate]
........ => [Details]
........... => [Export]

You can choose to save the certificate and/or chain as PEM, DER, or PKCS#7. The files you save can then be manipulated using the appropriate openssl commands.

This was the case with the FireFox version I had available at the time of writing. YMMV.

Testing a Recently Changed Mail Server Certificate

IncludeCertTestImap
It is not easy to check what certificate is being presented using the ThunderBird mail client.

However, you should verify that both host certificate and the OrganizationSSL Intermediate Root Certificate have been installed correctly. ThunderBird will show you the chain of certificates.

You can ensure ThunderBird gets the certificates from the mail server by creating a new, empty profile using

    arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager

Choose "Create Profile" and then complete the one-step wizard to create a new empty profile (you just need to choose a name). Then click on that profile to start a session using it. You will be asked to set up an account. When asked for imap and smtp server, enter a version of the name which will not actually match the full name in the certificate you wish to test. For example, enter just plg.cs instead of plg.cs.uwaterloo.ca. If the host uses imaps and not TLS under imap the profile will fail initially, and you will need to find and click [View settings for this account] and [Server Settings] and change the connection type to SSL. If you then click on Inbox, you should get a warning about the name mismatch, in a dialog box which allows you to [View Certificate].

[Details]

should show you the Intermediate Certificate as GlobalSign Organization Validation CA; you should be able to confirm its validity dates (Although the procedure is a little painful). There does not appear to be any way to save or export any of the certificates.

Although this facility should remain available in future ThunderBird, details of the interface will probably change.

For tidiness, you probably want to immediately delete your new profile using the dialog generated by:

    arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager
and then selecting it for [Delete].


-- AdrianPepper - 2015-04-07

Topic revision: r26 - 2016-06-17 - AdrianPepper
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback