Intermediate CA Certificates are required on all webservers that have the high-end Global Server Certificate installed

If you have installed a VeriSign Global Server ID (128 bit / GSID / Secure Server Pro etc.) on your webserver, you also need to ensure that you have the most recent Intermediate CA Certificate on your webserver. This Intermediate CA Certificate will ensure that your Global Server ID does the "unconditional 128 bit encryption" that it is designed to do!

The following are the instructions for installing the Intermediate CA Certificate for the most common webservers:
- Microsoft IIS 4.0
- Microsoft IIS 5.0
- Apache Server
- Netscape / iPlanet servers
- IBM HTTP Server
- Lotus Domino R5 Server
- BEA Weblogic V.6.0
- Zeus
- Red Hat Apache / SSL Server
--------------------------------------
Microsoft IIS 4.0

To replace the Intermediate CA certificate on an IIS 4 server, follow these instructions:

- Obtain the correct Intermediate CA certificate by clicking on the link below:
  Get Intermediate CA Here
- Save this Intermediate CA to a directory on the server.
- Go to this directory and double-click on the .cer file that contains the 2011 intermediate CA certificate.
- Under the General tab, hit the Install Certificate button.
- The Certificate Manager Import Wizard window will open; select the "Place all certificates into the following store" radio button.
- Hit the "Browse" button.
- Click on "Show Physical Stores".
- Open the "Intermediate Certification Authorities" directory.
- Click on the "Local Computer" directory.
- Hit the "OK" button.
- Hit the "Next" button.
- Double-check where the certificate is going to be installed; this should read "Intermediate Certification Authorities\Local Computer".
- Go to Internet Information Services and stop and restart the "IIS Admin Service".

Your IIS 4 server should now use the most current intermediate CA, with an expiration date of 10/24/11.
--------------------------------------
Microsoft IIS 5.0

To replace the Intermediate CA certificate on an IIS 5 server, follow these instructions:

- Obtain the correct Intermediate CA certificate by clicking on the link below:
  Get Intermediate CA Here
- Save this Intermediate CA to a directory on the server.
- Add the Certificates snap-in through the MMC. (Please refer to your server instructions for details.)
- Open Certificates (Local Computer).
- Open the Intermediate Certification Authorities directory.
- Open the Certificates directory.
- Locate all certificates issued to "www.verisign.com/CPS Incorp.by Ref.LIABILITY LTD. (C)97 VeriSign".
- Make backups of these certificates by right-clicking on them, selecting All Tasks, then Export; leave all settings at the defaults and "save as" to another location. You may name this file whatever you want; this is a backup of an older intermediate CA and is saved for archiving purposes only.
- Remove these certificates from the Certificates directory by right-clicking on them and selecting Delete.
- Right-click on the Certificates directory, select All Tasks, then Import. Follow the Import Wizard, selecting the Intermediate CA certificate that was obtained in step 1.
- From Internet Information Services, stop and then restart your web server.

Your IIS 5 server should now have only one intermediate CA, which expires in 2011.
--------------------------------------
Apache Server

Replacing the Intermediate CA on an Apache Server

- Obtain the current Intermediate CA by hitting the button below.
  Get Intermediate CA Here
- Save this certificate in a plain text editor such as Notepad and name it "intermediate.crt".
- Locate the Intermediate CA that is already installed on your server; you should be able to find this file by following the path listed next to the SSLCACertificateFile directive in your httpd.conf file.
  Sample path to intermediate certificate:
  SSLCACertificateFile /etc/ssl/crt/intermediate.crt
- If you are using a different location and certificate file names (which is likely), you will need to change the path and filename to reflect your server.
- Make a copy of this intermediate certificate file for archival purposes. Then delete this intermediate CA certificate file and replace it with the Intermediate CA certificate that you obtained in step 1.
- Stop and then restart your Apache server.

Your server should now be using the most current intermediate CA certificate; the validity dates for the most current intermediate CA are: Valid from 4/16/97 to 10/24/11.
--------------------------------------
Netscape / iPlanet servers

Replacing the Intermediate CA Certificate on a Netscape Server

- Obtain the correct Intermediate CA certificate by clicking on the button below:
  Get Intermediate CA Here
- Hit the "Select All" button, paste the contents into a plain text editor such as Notepad and save the file.
- Log onto the Netscape Server Administration or Server Manager, as the case may be.
- Under General Administration, select "Keys & Certificates".
- Under Keys and Certificates (left-hand panel), select "Install Certificates".
- Select the "Server Certificate Chain" radio button.
- Enter a Certificate name that will let you identify this certificate in the future.
- Select the "Message text (with headers)" radio button and copy and paste the contents of the file that you saved during steps 1 & 2 into the text box. Select the proper Alias from the drop-down menu and hit the "OK" button.
- Review the Certificate information; if the correct CA certificate is displayed, hit the Add Certificate button.
  Note: The current Intermediate CA is valid from Wed Apr 16, 1997 to Mon Oct 2011.
- A dialog box will appear with instructions to shut down the admin server to ensure the changes take effect; hit "OK".
  Note: Follow the instructions listed in the dialog box.
- A dialog box will appear letting you know that you have successfully installed the intermediate CA certificate; hit the "OK" button to finish.
- Your Netscape server now has the current Intermediate CA certificate installed, and it should be the one that is used when a secure connection is established.

If your server is still using the VeriSign, Inc. Intermediate CA that has validity dates of 4/16/97 to 1/7/04, you should remove this Intermediate CA from your server by going to the "Keys and Certificates" menu and selecting "Manage Certificates". Your certificate database will be displayed; search for the VeriSign, Inc. CA certificate that expires 1/7/04. Double-click on this entry to display the details; if this is the old Intermediate CA certificate, hit the "Delete this Certificate" button.

Note: Do not delete any certificates if you are not sure what certificate it is, or if you are unsure of its purpose.
--------------------------------------
IBM HTTP Server

Follow the instructions below to install the VeriSign Intermediate CA:

- Enter ikeyman on a command line on Unix, or start the Key Management utility in the IBM HTTP Server folder on Windows NT.
- Select Key Database File from the main menu, then select Open.
- In the Open dialog box, enter your key database name, or click on key.kdb if you are using the default. Click OK.
- In the Password Prompt dialog box, enter your correct password and click OK.
- Select Signer Certificates in the Key Database content frame, then click the Add button.
  Get Intermediate CA Here
- In the Add CA's Certificate from a File dialog box, select the Base64-encoded ASCII data certificate file name, or use the Browse option. Click OK.
- In the Label dialog box, enter a label name and click OK.
--------------------------------------
Lotus Domino R5 Server

You should replace the existing certificate that is due to expire with the updated one in the following places.

In Lotus Domino, the VeriSign Intermediate CA is synonymous with the "VeriSign International Server CA - Class 3" certificate. The expiring certificate shows an expiration date of 1/7/2004. The updated certificate shows an expiration date of 10/24/2011.

Domino server key ring file

In order to update your Trusted root in the key ring file, follow the steps below. You should know the password for the key ring file before beginning.

- Open the Server Certificate Admin database.
- Click "View & Edit Key Rings".
- Click "Select Key Ring to Display" and enter your server's key ring file.
- In the list of certificates that appears in the view, find the "VeriSign International Server CA - Class 3" and open that document.
  Important: Do not delete the "VeriSign Class 3 Public Primary Certification Authority." Otherwise you will need to contact VeriSign to obtain that certificate and merge it before continuing.
- Click on the "Delete Certificate" button to remove the "VeriSign International Server CA - Class 3" certificate.
- Return to the "Create Key Rings & Certificates" option in the Server Certificate Admin database.
- Choose "3. Install Trusted Root Certificate into Key Ring".
- Enter the server's key ring file name in the Key Ring Information section.
- In the "Certificate Label" field, enter the following text:
  VeriSign International Server CA - Class 3
- Using a Web browser, go to the URL below and click on the "Get Intermediate CA Here" button. Follow the instructions to copy the certificate.
  https://www.verisign.com/support/site/caReplacement.html
- Return to the Domino Server Certificate Admin document. Copy the contents of that certificate and paste it into the "Certificate from Clipboard" area.
- Click on the "Merge Trusted Root Certificate into Key Ring" button. This adds the updated certificate, which expires in 2011, to your key ring.

Note: These steps are required only on keyfiles created in Domino 5. Domino 6 keyfiles already contain the updated VeriSign certificate.

Domino Directory

In the Domino Directory, the certificate is found in the Certificates view. To update the certificate, perform the following steps.

- Using a Web browser, go to the URL below and click on the "Get Intermediate CA Here" button. Follow the instructions to copy the certificate.
  https://www.verisign.com/support/site/caReplacement.html
- Copy the contents of that certificate and paste it into a text document such as Notepad. Save the text document.
- In the Domino Administrator client, go to the Configuration tab - Miscellaneous - Certificates view.
- Go to Actions > Import Internet Certificates.
- Select the "Binary encoded" option, and click on the "OK" button.
- Browse to the text file that contains the new certificate, and click on the "Open" button.
- Accept the certificate.

To verify that the certificate has the correct date, you can open and view the certificate in the Certificates view. In the Certificates view, locate the following heading:
  /Class 3 Public Primary Certification Authority/VeriSign, Inc./US
Below that heading, find the certificate labeled as follows:
  www.verisign.com/www.verisign.com/VeriSign International Server CA - Class 3/VeriSign, Inc./VeriSign Trust Network
Open this certificate; click "Edit Certifier", and then "Examine Internet Certificate(s)". Highlight the certificate to view its information.

Web browsers

Certain Web browser versions may also need to update the certificate. Please contact the browser vendor for information about implementing this update for your Web browser.
--------------------------------------
BEA Weblogic V.6.0 Server

Defining Trusted Certificate Authorities

When establishing an SSL connection, WebLogic Server checks the identity of the certificate authority against a list of trusted certificate authorities to ensure the certificate authority currently being used is trusted. Copy VeriSign's root certificate into the \wlserver6.0\config\mydomain directory of your WebLogic Server and set the fields described in Defining Fields for the SSL Protocol. If you want to use a certificate chain (Global Certificate, for example), append the additional PEM-encoded digital certificate to the digital certificate that VeriSign issued for WebLogic Server. This is the intermediate CA. The last digital certificate in the file chain will be VeriSign's self-signed digital certificate (that is, the root CA certificate).

Get Intermediate CA Here

If you want to use mutual authentication, take the root certificates for the certificate authorities you want to accept and include them in the trusted CA file.

Defining Fields for the SSL Protocol

To define fields for the SSL protocol, perform the following steps:

- Open the Administration Console.
- Open the Server Configuration window.
- Select the SSL tab. Define the fields on this tab by entering values and checking the required checkboxes. (For details, see the following table.)
- Click the Apply button to save your changes.
- Reboot WebLogic Server.

The following table describes each field on the SSL tab of the Server Configuration window.

Note: Remember, if you are using a PKCS-8 protected private key, you need to specify the password for the private key on the command line when you start WebLogic Server.
--------------------------------------
Zeus

In many cases, you can just replace the contents of the public certificate file (the self-signed cert) with the new one. Alternatively, you can use the 'SSL Configuration' form to change the filename that the webserver uses for the public certificate. However, your CA may require that you create a certificate chain to use their certificate. In this case, you will receive two certificates from the CA in response to your signing request. One of these will be your public certificate, and the other an intermediate certificate. Append the intermediate certificate onto your public certificate to create your certificate chain:

Get Intermediate CA Here

$ cat public.cert intermediate.cert > chained.cert

Replace your self-signed public certificate file with your new certificate chain file. Restart your website for the changes to take effect.
--------------------------------------
Red Hat Apache/SSL Server

Click on the Get Intermediate CA button below. You'll see a page containing the PEM-encoded form of VeriSign's Intermediate CA Certificate.

Get Intermediate CA Here

- Cut and paste the entire text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a file named /etc/httpd/conf/ssl.crt/gsid.crt. Be careful not to include any leading or trailing whitespace before the beginning and ending hyphens.
- Add the following directive to your /etc/httpd/conf/httpd.conf file, within the virtual host tags that define your secure Web server and with the other SSL directives:
  SSLCACertificateFile /etc/httpd/conf/ssl.crt/gsid.crt
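The chain-building step for Zeus (cat public.cert intermediate.cert > chained.cert), the equivalent "append the PEM-encoded intermediate" step for WebLogic, and the whitespace caveat in the Red Hat step above can be scripted so the framing is checked before anything is concatenated. The POSIX shell script below is an added example written for this page; it is not VeriSign's, SafeScrypt's or any vendor's code. It assumes the file names public.cert, intermediate.cert and chained.cert from the Zeus step, and the certificate bodies its make_samples function writes are constructed placeholders rather than real certificates, so they only exercise the checks (exactly one BEGIN/END block per file, no leading or trailing whitespace or blank lines around the markers, server certificate first, intermediate second, and a newline guaranteed between the two blocks).

```shell
#!/bin/sh
# Added example for this page, not vendor code: build a certificate chain file
# (server certificate first, intermediate CA second) the way the Zeus, Apache
# and Red Hat steps describe, checking PEM framing before concatenation.
# File names follow the Zeus step; the certificate bodies written by
# make_samples are constructed placeholders, not real certificates.

BEGIN_LINE='-----BEGIN CERTIFICATE-----'
END_LINE='-----END CERTIFICATE-----'

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
  grep -c "^$BEGIN_LINE\$" "$1" || true
}

# check_pem FILE: succeed only if FILE holds exactly one PEM certificate whose
# first line is the BEGIN marker and whose last line is the END marker, with
# no leading whitespace, trailing whitespace or blank lines around them.
check_pem() {
  f=$1
  [ -f "$f" ] || { echo "check_pem: no such file: $f" >&2; return 1; }
  n=$(count_certs "$f")
  [ "$n" -eq 1 ] || { echo "check_pem: $f: expected exactly one unindented BEGIN line, found $n" >&2; return 1; }
  [ "$(head -n 1 "$f")" = "$BEGIN_LINE" ] || { echo "check_pem: $f: first line is not the BEGIN marker" >&2; return 1; }
  [ "$(tail -n 1 "$f")" = "$END_LINE" ] || { echo "check_pem: $f: last line is not the END marker (trailing blank line or whitespace?)" >&2; return 1; }
  return 0
}

# build_chain SERVER INTERMEDIATE OUT: validate both inputs, then write SERVER
# followed by INTERMEDIATE to OUT. awk '1' is used instead of plain cat so a
# missing final newline in SERVER cannot glue its END line to the
# intermediate's BEGIN line, which would make the second block unreadable.
build_chain() {
  srv=$1; ca=$2; out=$3
  check_pem "$srv" || return 1
  check_pem "$ca" || return 1
  awk '1' "$srv" "$ca" > "$out" || return 1
  echo "wrote $out ($(count_certs "$out") certificates)"
}

# make_samples DIR: write constructed sample files into DIR. The base64-looking
# bodies are placeholders (openssl would reject them); they only exercise the
# framing checks above.
make_samples() {
  d=$1
  # server certificate saved without a final newline, as copy/paste often does
  printf '%s\nMIIBsampleSERVERcertificateBODY\n%s' "$BEGIN_LINE" "$END_LINE" > "$d/public.cert"
  printf '%s\nMIIBsampleINTERMEDIATEcaBODY\n%s\n' "$BEGIN_LINE" "$END_LINE" > "$d/intermediate.cert"
  # broken copies: a space before the BEGIN hyphens, and a trailing blank line
  printf ' %s\nMIIBsampleBODY\n%s\n' "$BEGIN_LINE" "$END_LINE" > "$d/bad_leading.cert"
  printf '%s\nMIIBsampleBODY\n%s\n\n' "$BEGIN_LINE" "$END_LINE" > "$d/bad_trailing.cert"
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
build_chain "$tmp/public.cert" "$tmp/intermediate.cert" "$tmp/chained.cert"
for bad in bad_leading bad_trailing; do
  if check_pem "$tmp/$bad.cert"; then
    echo "unexpectedly accepted $bad.cert"
  else
    echo "rejected $bad.cert as expected"
  fi
done
```

With real certificate files, two standard OpenSSL commands complete the check the page's sections describe by hand: openssl x509 -in intermediate.cert -noout -subject -enddate prints which intermediate you actually have (the current one on this page expires 10/24/11, the old one 1/7/04), and openssl verify -untrusted intermediate.cert public.cert confirms that the server certificate chains through that intermediate to a root in the local trust store. After the server has been restarted, openssl s_client -connect yourhost:443 -showcerts (yourhost is a placeholder) shows the chain the server really sends, which is what clients see.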
For any clarifications, please contact SafeScrypt Support!
--------------------------------------