Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-10-08 13:18:13.0

TN 7870 - Installation of SSL Certificate using the 2048 chain into Microsoft IIS5 and IIS6

Installation of SSL Certificate into Microsoft IIS5 and IIS6

 

Issue: Server requires a certificate from CA that has the basic constraint field

Solution: The entrust.net Certification Authority (2048) does not contain the basic constraint field. To resolve this issue we must replace the 2048 root with a 2048 chain certificate that will chain the certification path back to the Entrust Secure Server Certification Root that contains the basic constraint.

Install the server certificate

1. Copy the Entrust SSL Certificate to your clipboard. You must include the "----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
2. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flushed to the left with no leading or trailing white space.
3. Launch the Microsoft Internet Services Manager:
      Select Start /Programs/ Administrative Tools/ Internet Services Manager
4. Select and right-click your Web site from the left preview pane.
5. Select Properties.
6. Select Server Certificate from the Secure Communications menu.
7. The Web Server Certificate Wizard appears.
8. Select Next.
9. Select Process the pending request and install the certificate.
10. Supply the Path and file name of the file that contains your Entrust SSL Certificate.
11. Select Next
12. Review the Certificate Summary.
13. Select Next
14. Select Finish to complete the certificate installation.

You have just installed your server certificate.

Install the Entrust Chain Certificates:

To install the Entrust L1B Chain Certificate in your web server you should:

1. From your CMS account, click on the link which brings you to the certificate pickup page. The server certificate is in the tab named "Cross Certificate". Alernatively, you can download the Entrust L1B Chain Certificate from this link: https://www.entrust.net/downloads/binary/entrust_l1b.cer
2. Copy the L1B Chain Certificate to your clipboard. You must include the "----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines:
3. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flushed to the left with no leading or trailing white space.
4. Save the file.
5. Rename the text file. Because you are installing the certificate in a Microsoft Windows-based web server the filename should have the extension .crt (for example, "entrustL1Bchaincert.crt").
6. Open the file that contains the chain certificate in Windows Explorer (for example, double-click the file). The Certificate dialog box appears.
7. In the General tab Click Install Certificate. The Certificate Manager Import Wizard appears.
8. Select Next
9. Select Place all certificates into the following store.
10. Select Browse... The Select Certificate Store dialog box appears.
11. Select Show Physical Stores.
12. Expand Intermediate Certification Authority by clicking the "+" sign beside the item in the dialog box
13. Select Local Computer and click the OK button.
14. Select Next
15. Select Finish. A confirmation dialog appears.
16. Select OK

To install the Entrust 2048 Chain Certificate in your web server you should:

1. Download the certificate named Entrust 2048 Chain from the Entrust web site at this link: https://www.entrust.net/downloads/binary/entrust_2048_ssl.cer
2. Copy the 2048 Chain Certificate to your clipboard. You must include the "----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines:
3. Paste the certificate into a text editor such as Notepad, and ensure that the entire text is flushed to the left with no leading or trailing white space.
4. Save the file.
5. Rename the text file. Because you are installing the certificate in a Microsoft Windows-based web server the filename should have the extension .crt (for example, "entrust2048chaincert.crt").
6. Open the file that contains the chain certificate in Windows Explorer (for example, double-click the file). The Certificate dialog box appears.
7. In the General tab Click Install Certificate. The Certificate Manager Import Wizard appears.
8. Select Next
9. Select Place all certificates into the following store.
10. Select Browse... The Select Certificate Store dialog box appears.
11. Select Show Physical Stores.
12. Expand Intermediate Certification Authority by clicking the "+" sign beside the item in the dialog box
13. Select Local Computer and click the OK button.
14. Select Next
15. Select Finish. A confirmation dialog appears.
16. Select OK

Verify the Entrust root certificate on the server

The Entrust 2048 Chain certificate is used to ensure the certification path for the server certificate ends with the Entrust root CA named the Entrust.net Secure Server Certification Authority. If the alternate root CA, Entrust Certification Authority (2048), exists in the Trusted CA store on the server, the chain certificate will be ignored. Follow this procedure to remove the Entrust Certification Authority (2048) certificate if it exists.

1 - Click Start > Run

2 - Enter ''mmc'' and click OK

3 - Go to File > Add/Remove Snap-in

4 - Click Certificates and select Add

5 - Select Computer Account and click Next

6 - Select Local Computer and click Finish. Click OK to close the window.

7 - Expand Certificates (Local Computer).

8 - Expand the Trusted Root Certification Authorities folder and click on Certificates.

9 – If  the certificate Entrust.net Certification Authority (2048) with expiration date 12/24/2019 exists, remove it by right-clicking on it and select Delete.

10. Expand the Intermediate Certification Authorities folder and click on Certificates. Ensure the L1B and 2048 Chain certificates are in this folder as in the screen capture below.

Affected Products:

• Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable