


The Digicert Certificate Utility is probably one of the best certificate tools out on the net.

A lot of people are scared of key-pair encryption, but key pairs and certificates are fundamentally easy to figure out. You have a secret private key that rests on a system or application, and that system/application gives the public key to another system/application. From there they scramble and authenticate the communication. That’s about it.

The struggles with encryption and SSL certificates come from the systems/applications that use them. Different applications from different vendors tend to want things their own way, in certain formats, extensions, files, etc.

Key features of the Digicert Certificate Utility that can help with SSL management are:

SSL Certificate:

  • Install certificates with a single click
  • Generate a CSR for your order
  • Install certificates to pending requests
  • Re-install certificates in one click
  • Find SSL Certificates on your server
  • View certificate details
  • Copy certificates between servers
  • Convert certificate into various formats
  • Renew certificates
  • Fix intermediate certificate chain errors
  • Edit certificate friendly names
  • Verify certificate chains
  • Test certificates
  • Delete certificates

Things to know:

  • If you use the utility to generate a CSR for an SSL Certificate, then once the certificate is issued you will have to import your SSL Certificate using the utility before you can bind it in IIS, export it in .pfx format, export it in .pem format, etc.
  • The Digicert Certificate Utility for SSL Certificates automatically uses the Windows account certificate stores on the Windows system.
  • After installation you can export the certificate in an Apache .pem, .crt/.key format or a Windows PKCS#12 .pfx format, and apply the certificate to whatever systems require it.

Downloading and Installing The Digicert Certificate Utility.

  1. On your Windows server or workstation, download and save the Digicert Certificate Utility for Windows executable (DigiCertUtil.exe).
  2. Run the Digicert Certificate Utility for Windows by double-clicking DigiCertUtil.

Congrats, you have downloaded and installed the Digicert Certificate Utility.


This Guide Includes The Following: 

How To Generate a CSR.

How To Install Your New SSL Certificate Into The Digicert Certificate Utility.

Exporting Your SSL Certificate From The Digicert Certificate Utility In PFX or Apache pem/x509/.key Compatible Format.

Using The Digicert Certificate Utility To Fix Certificate Chain Errors.

Certificate Installation Checker.


How To Generate a CSR:

To generate a CSR to get an SSL Certificate perform the following.

  1. Run the Digicert Certificate Utility by Double-clicking the DigicertUtil.exe.
  2. In the Digicert Certificate Utility, Click SSL.
  3. Click Create CSR.
  4. In the Create CSR window under Certificate Type: select SSL.
  5. In the Certificate Details fill out the following fields:
    • Common Name: The Fully Qualified Domain Name that the certificate will be issued to and secure, for example www.yourdomain.com, or *.yourdomain.com if you are enrolling for a wildcard certificate.
    • Organization: Enter the legal name of your organization.
    • Department (optional): Enter the sub team or organizational unit that this certificate pertains to. Examples: IT, Marketing, etc.
    • City: Legal corporate headquarters. Example: Boston.
    • State: Enter the state or province where your legal corporate headquarters is located.
      Note: If you’re creating a CSR for a location outside of the USA, you can enter anything into the list. It will accept any state name you type.
    • Country: From the drop-down menu select the country.
    • Keysize: Any will do. (Leave at default).
    • Provider: Leave at default.
  6. When all the information has been filled click Generate.
  7. You will get another window that displays your CSR. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into your CA order form.
  8. When you are done, click Close.

Congrats, you have just generated your CSR. During the enrollment of your SSL Certificate the CA should provide you with a field to paste this CSR into.

Note: Depending on the CA, you may be asked during enrollment which server or format type you would like for your certificate. Select either Microsoft/Windows or pkcs7. This will ensure you receive your certificate and all its required intermediates in one file, and will make installation back into the Digicert Utility easier.

After the SSL Certificate is issued you will import your new SSL Certificate back into the utility to have a functional working keypair.


How to Install Your New SSL Certificate Into The Digicert Certificate Utility:

After you have enrolled for your SSL Certificate using a CSR generated from the utility, you will have to import/install the SSL Certificate after it is issued. The CA should give you a PKCS#7 format certificate, also known as a .p7b. The way they give you this certificate will vary.

Save this .p7b file and move it to the system where you created the CSR using the Utility.

To complete and install your SSL Certificate perform the following.

  1. Run the Digicert Certificate Utility by Double-clicking the DigicertUtil.exe.
  2. In the Digicert Certificate Utility, Click SSL.
  3. Click Import.
  4. In the Certificate Import window click Browse.. and Open to specify the location and path of your SSL Certificate. Change the file type to either PKCS#7 Certificates (*.p7b) or All from the drop down to find your certificate.
  5. After specifying the location and path of the file click Next.
  6. You will see information about the certificate you have selected to import. In the “Enter a new friendly name or you can accept the default” field, type a friendly name for the certificate, something unique so that you can quickly identify this certificate.
  7. Click Finish.

  8. You should get confirmation that the certificate has been successfully installed and see it within your list of SSL certificates.
    Note: If you get an error that states “Private Key Missing”, it is due to one of the following causes:

    • You did not create the CSR/Private key on this machine:
      Resolutions:

      • Make sure you are on the correct system that has the Digicert Certificate Utility installed where you generated the CSR from.
      • If you lost your private key, or if the system where the CSR was generated using the Utility blew up, then you will have to start from scratch by generating a new CSR and performing a reissue/rekey of your SSL Certificate.
    • You are installing the wrong certificate:
      Resolutions:

      • Make sure you are installing the correct certificate. Typically once the certificate is on your desktop as a .p7b file you can double-click on it to read the information. Make sure the certificate or one of the certificates in its chain is issued to your organization with the correct dates.

Congrats, you have just installed your SSL Certificate using the Digicert Certificate Utility for SSL.

Since the Digicert Utility for SSL uses the system’s local computer personal store for certificates, your SSL Certificate will be ready to assign and bind to your IIS or Exchange. For instructions on how to bind your SSL Certificate, refer to our IIS or Exchange installation instructions and focus on the steps for assigning or binding the SSL Certificate to your web site.

If you only used the Digicert Utility for the keypair generation of your SSL Certificate, you can export it in either .pfx or Apache pem format and distribute it to whatever systems require it.


Exporting Your SSL Certificate In PFX/PKCS12 or Apache Pem/x509 Format:

Depending on the circumstance you may need to export your SSL Certificate to wherever else it is needed.

Exporting your SSL Certificate from the Digicert Certificate Utility as a .pfx:

  1. Run the Digicert Certificate Utility by Double-clicking the DigicertUtil.exe.
  2. In the Digicert Certificate Utility, Click SSL.
  3. Select the SSL Certificate that you want to export and then click Export Certificate.
  4. In the Certificate Export wizard, select Yes, export the private key.
  5. Select PFX file.
  6. Check Include all certificates in the certification path if possible.
  7. Click Next.
  8. In the Password and Confirm Password fields enter and confirm a password you can remember.
    Note: This password is required when you install or import your SSL Certificate into any other system. Do not forget it. If you do, then you will have to repeat the export of the certificate and create a new password.
  9. Click Next.
  10. Next to the File Name field, click the browse button and choose the location and path where you want to save your .pfx file. Give it a name of your choice, click Save and then Finish when done.
  11. You will receive a message stating that the export was successful, click OK.

Congrats, you have exported your SSL Certificate as a pfx, and are now able to distribute/apply it.


Exporting your SSL Certificate from the Digicert Certificate Utility in Apache pem/x509/.key compatible format:

Depending on the circumstance you may need to move or install your certificate and its private key into an Apache type system. The Digicert Utility has the capability of exporting an installed SSL certificate in an Apache format.

  1. Run the Digicert Certificate Utility by Double-clicking the DigicertUtil.exe.
  2. In the Digicert Certificate Utility, Click SSL.
  3. Select the SSL Certificate that you want to export and then click Export Certificate.
  4. In the Certificate Export wizard, select Yes, export the private key.
  5. Select Key file (Apache compatible format).
  6. Click Next.
  7. By default the exported file will be saved to your desktop. Otherwise click the browse button and specify the file name and path where you would like to save your file.
  8. Click Finish.
  9. You will see at least two files put into the location, name and path you specified to save your exported Apache compatible files.
    • name.key: This is your private key file.
    • name.crt: This is your SSL Certificate.
    • CACert.crt: Any CA intermediate chain trust certificates that went along with your SSL Certificate during its export is put into this file.
  10. Congrats, you now have pem x509 Apache format certificates. With your two to three files you can rename them or change their extensions as you see fit. Opening the files in Notepad gives you a copy-paste method to import the certificate into hosting environments or other applicable systems. If you have a system that needs pem, simply change the .crt extension of the files by renaming them to .pem. Typically you will leave your .key file as is.

For a list of Installation instructions check out our SSL Installation articles.
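The CSR copy step and the Notepad copy-paste of the exported files both move PEM text by hand, where a cut-off tag or a private key pasted into the wrong field is easy to miss. The following is an added example, not part of the original guide or of the Digicert utility: it classifies the blocks in a piece of text before it is pasted. The function names and the sample blocks are constructed for illustration; the sample payloads are placeholder bytes, not real keys or certificates.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KINDS = {
    "NEW CERTIFICATE REQUEST": "csr",  # label shown in the CSR step of this guide
    "CERTIFICATE REQUEST": "csr",
    "CERTIFICATE": "certificate",
}

def classify_pem(text):
    """Return (kinds, problems) for text about to be pasted or uploaded."""
    kinds, problems = [], []
    blocks = PEM_BLOCK.findall(text)
    # A BEGIN or END line without its partner means the copy was cut short.
    if text.count("-----BEGIN ") != len(blocks) or text.count("-----END ") != len(blocks):
        problems.append("unbalanced BEGIN/END tags")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            kinds.append("private-key")
        else:
            kinds.append(KINDS.get(label, "unknown:" + label))
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("invalid base64 in " + label)
    return kinds, problems

def safe_to_paste(text, expected):
    """True only if every block is of the expected kind and nothing is damaged."""
    kinds, problems = classify_pem(text)
    return bool(kinds) and not problems and all(k == expected for k in kinds)

def make_block(label, payload):
    """Build a constructed PEM block; the payload is placeholder bytes, not real DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples: a clean CSR, a file mixing a certificate with a key, a cut-off copy.
SAMPLE_CSR = make_block("NEW CERTIFICATE REQUEST", b"placeholder CSR bytes")
SAMPLE_MIXED = make_block("CERTIFICATE", b"placeholder cert") + make_block("RSA PRIVATE KEY", b"placeholder key")
SAMPLE_CUT = SAMPLE_CSR.rsplit("-----END", 1)[0]
```

Call `safe_to_paste(text, "csr")` before submitting to a CA order form and `safe_to_paste(text, "certificate")` before pasting name.crt or CACert.crt anywhere that does not ask for the key.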


Using the Digicert Certificate Utility To Fix Certificate Chain Errors.

On a Windows server system you may receive errors pertaining to the trust of the SSL Certificate that vary from browser to browser.

The cause of this is usually that the server is not sending, or is missing, all the required intermediate chain certificates. These certificates are responsible for aiding the trust of your SSL Certificate with the various browsers or applications that it connects with. They come with your SSL Certificate.

To fix intermediate certificate errors with the Digicert Utility perform the following:
Note: This feature will only work on Windows server systems that have a connection to the internet. If you are having intermediate issues with a non-Windows server, consult our installation articles for the system in question and focus on its intermediate installation instructions.

  1. Run the Digicert Certificate Utility for Windows (double-click DigiCertUtil).
  2. In the Digicert Certificate Utility for Windows, click SSL.
  3. Select the certificate you want to repair, and then click Repair Certificate.
  4. In the pop up, click Yes.
  5. After you receive the “This certificate has been successfully repaired” message, click OK.
  6. Now that the intermediate chain has been repaired, the system needs to acknowledge the change. You can do this by restarting the website, unbinding and rebinding the SSL Certificate, or lastly rebooting the server system.

Congrats, the trust of your SSL Certificate has been fixed using the Digicert Utility.

Note: If you are still having certificate trust issues, then you may have another system or firewall in the mix that will require an update of the intermediates. Consult your CA for those intermediates and import them manually to the system in question.

  • The SSL Support Desk features many intermediates and roots from various CAs.
  • The SSL Support Desk features many installation articles. Focus on intermediate installation. If you do not see your server system listed within the SSL Support Desk, contact your server vendor about installation of these intermediates.

Manual Windows intermediate certificate chain fix instructions can be found in our article on the subject if you want to double check whether the utility worked.

Certificate Installation Checker:

The Digicert Certificate Utility – Certificate Installation Checker allows you to perform an SSL handshake with a local or remote SSL socket (https, pop3s, imaps, ldaps, etc.) and then shows you which certificate and chain are currently bound to that application and returned to its clients.

This is useful for troubleshooting intermediate certificate issues and errors with certificates on websites, and for figuring out what certificates are bound to websites/applications/IPs, etc., on both internal and external networks.

To check a website or IP address’s SSL Certificate perform the following:

  1. Run the Digicert Certificate Utility for Windows (double-click DigiCertUtil).
  2. Click Tools.
  3. Under Certificate Installation Checker, click Check Install.
  4. In the Certificate Installation Checker pop up specify the following:
    1. Server Address: The fully qualified name of the website or IP address.
    2. Port Number: Specify the port. Usually SSL encryption runs on default port 443 or 8443, yet your environment may differ.
    3. SSL TLS mode: Leave at default.
  5. Click Query Server.
    The Certificate Checker will pull up a list of information regarding the current certificate found on that website. You should see an SSL certificate and any subsequent chain intermediates returned by the website you just queried.

The Certificate Checker is good at pointing out which certificates are installed on which system. If I specified www.Ametek.com in the Server Address field, yet the certificate list returned from the server came back with a certificate issued to www.SSLSupportDesk.com, then the wrong certificate must be bound to that website.

Note: Some certificates have SAN or wildcards meaning that a certificate can work for multiple websites. You can double-click on each certificate in the results to view more details about the certificates that are currently bound to the Server.
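The comparison described above, between the queried server address and the names on the returned certificate, can be scripted. This is an added example, not part of the original guide or of the Digicert utility: it performs the handshake with Python's standard `ssl` module and applies the usual wildcard rule (a `*` covers exactly one leftmost label). The function names and the sample certificate dictionaries are constructed for illustration, and only DNS names are handled, not IP addresses.

```python
import socket
import ssl

def name_matches(pattern, host):
    """Match one certificate name against host; '*' covers exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covering_names(cert, host):
    """Names in a getpeercert()-style dict that cover host (SAN first, CN fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates that carry no SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n for n in names if name_matches(n, host)]

def check_install(host, port=443, timeout=5.0):
    """Handshake with host:port and report whether the bound certificate covers host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; names are compared below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain or trust error: " + exc.verify_message
    matched = covering_names(cert, host)
    return "ok: " + ", ".join(matched) if matched else "wrong certificate bound"

# Constructed getpeercert()-style dicts, not captured from any real server.
WILDCARD_CERT = {"subject": ((("commonName", "*.yourdomain.com"),),),
                 "subjectAltName": (("DNS", "*.yourdomain.com"),)}
WRONG_CERT = {"subject": ((("commonName", "www.other-site.example"),),),
              "subjectAltName": (("DNS", "www.other-site.example"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "www.yourdomain.com"),),)}
```

A chain or trust error from `check_install` points at the missing-intermediate case covered in the chain repair section, while "wrong certificate bound" points at the binding.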


 


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!
