Third party certificates - PEM encoded options

[CaseyR]

Hi, Bruce

One of our clients is part of a bulk acquisition arrangement for certificates.  He has received the following for his certificate. This will likely be a common issue for our clients, so I would like to be able to provide specific instructions both for the certificate option and pem decoding.  All identifying information has been redacted ... .

Much appreciated. Thanks

---------------------------------------------------------------------------------------------------------   
You have successfully enrolled for an InCommon SSL certificate.

You now need to complete the following steps:

    * Click the following link to download your SSL certificate (generally try to use a version that includes intermediates & root or your certificate may be rejected by some older clients)

    Format(s) most suitable for your server software:
       as Certificate only, PEM encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=....&format=x509IO
       as Root/Intermediate(s) only, PEM encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=....&format=x509IO
       as Intermediate(s)/Root only, PEM encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=...&format=x509IOR

    Other available formats:
       as Certificate (w/ chain), PEM encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=...&format=x509
       as PKCS#7, PEM encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=...&format=base64
       as PKCS#7: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=....&format=bin


    * Import your new certificate into your server (Please contact your administrator for help with this).

    * Your renew id: ....

Certificate Details:
    Common Name :  ......edu
    Subject Alternative Names :
    Number of licenses :
    SSL Type :     InCommon SSL (SHA-2)
    Term :         $Term:  2 Year(s)    Server :       Apache/ModSSL
    Requested :    02/04/2020 09:02 GMT
    Approved :     02/04/2020 09:02 GMT
    Expires :      02/03/2022 23:59 GMT
    Order Number : .....
    Self-Enrollment Certificate ID :....
    Comments :   ....

[Bruce]

Hi Casey,

NetTalk uses the combination CRT / KEY format.
You can convert PEM to these using the OpenSSL.Exe utility.
(just google around for instructions, there's no shortage.)

cheers
Bruce

[CaseyR]

Thanks, Bruce

Fair enough on the pem encoding,  but I would just like to confirm the best download option. I think it is Certificate (w/ chain).  Normally, I would just try it out but I don't have access to the sever.

[Jane]

Some things (particularly mobile devices) will really want everything in the chain.

That said, you can download the chain items separately (as you mention in your first post).

There are specific instructions for NT as to how you need to paste together the server's certificate and any intermediate/root certificates.  https://www.capesoft.com/docs/NetTalk11/NetTalkWebSecure.htm#UsingIntermediateCertificates

Cheers,

Jane

[CaseyR]

Thanks, Jane

[bshields]

Hi Casey,

Use https://www.ssllabs.com/ssltest to verify you have it correctly.

Nettalk usually requires the certificate plus chain but not root (some domain registry's may require the root).

But ssllabs will tell you exactly, so no guess work.

Regards
Bill

[CaseyR]

Thanks Bill