skip to primary navigationskip to content

Installation and deployment

Once your certificate is ready, it will be emailed to the address you supplied in your request. A copy of the certificate itself will appear in the email, and a zip file will be attached containing:

  • Your Certificate, in a file named after its primary hostname, e.g. www_example_cam_ac_uk.crt
  • A copy of the appropriate QuoVadis intermediate certificate, which you can also download directly from QuoVadis:
    • For standard OV and wildcard certificates (QuoVadis Global SSL ICA G3 on QuoVadis' website)
    • For extended validation (EV) certificates (QuoVadis EV SSL ICA G3 on QuoVadis' website).

You can also download certificates that you have requested, and check the status of your requests, on the TLS certificate administration site.

QuoVadis provide certificate installation instructions. A summary of the key points for Apache and Microsoft IIS appears below.

These certificates need an 'intermediate' certificate to link them to the to the trusted 'root' certificates that come pre-installed in browsers and other clients. You must arrange for your server to supply this additional certificate - if you don't then visitors to your site may be told that your certificate can't be trusted or connections may be refused. The appropriate intermediate certificate is included in the ZIP file supplied with your certificate, is available from the links above, or can be dowloaded directly from QuoVadis.

  • Users of Apache before version 2.4.8 should adjust their configuration to
    • refer to their key from a SSLCertificateKeyFile directive
    • refer to their certificate from a SSLCertificateFile directive
    • refer to a copy of the appropriate intermediate certificate (see above) from a SSLCertificateChainFile directive
  • Users of Apache from version 2.4.8 onward should:
    • refer to their key from a SSLCertificateKeyFile directive
    • copy their certificate and the appropriate intermediate certificate (see above, in that order) into a single file, and then refer to this new file from a SSLCertificateFile directive
  • Users of Microsoft IIS should install a copy of the appropriate intermediate certificate (see above) in the Local Computer certificate store

For more information on using intermediate certificates with Apache see the documentation for Apache 2.2 or Apache 2.4. For IIS, see 'How to configure intermediate certificates on a computer that is running IIS for server authentication' in the Microsoft Knowledge Base.

To copying multiple certificates into a single file you can either use a tool that concatenates files (such as the Unix 'cat' command or Windows 'copy'), or a text editor. Be sure to preserve the complete 'BEGIN CERTIFICATE' and 'END CERTIFICATE'  lines that appear at the start and end of each certificate. It doesn't matter what you call the resulting file, but <host name>.bundle (replacing <host name> with the primary name of the server) would be a possibility.

When testing, beware that most modern browsers will automatically download intermediate certificates if your server fails to supply them so it can be difficult to tell if you have got things right for any that won't. One way to double-check is to use the SSL test service run by SSL Labs which will identify certificate chain problems (amongst a range of other issues) - see under 'Certification Paths' in the report it produces. Note that this test service is very picky and as a result it is difficult to get a high overall ranking on many servers.

Alternatively you can use the 'openssl s_client' command from the OpenSSL package to inspect the certificates being returned by a web server:

openssl s_client -connect <server>:<port> -showcerts

Replacing <server> and <port> appropriately (<port> probably needs to be 443). This establishes a connection to the server - you can terminate it by typing ctrl-d or similar. The message "unable to get local issuer certificate" just means that your local OpenSSL doesn't have, or hasn't been configured to find, an appropriate root certificate for the chain presented. This isn't necessarily a problem with the server - if you care, research s_client's -CApath and -CAfile options. What is important is that your certificate and the appropriate chaining certificate appear in the output.

See 'Renewal process' for what to do about renewing your certificate when it eventually expires.

UIS Service Status

Phone padded  Service status line: (01223) 463085
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >  |  Back issues

RSS Feed Latest news

University Map coverage expanded

Nov 20, 2020

The UIS map team have recently completed work on increasing the coverage of the University Map. They have also updated the search index and improved the underlying system that compiles and displays the map.

TechLink Community programme and updates: October 2020

Oct 29, 2020

More than 100 TechLink members registered to join UIS Director, Prof. Ian Leslie's online TechLink Community event on Tuesday 20 October.

View all news