Old CSR Microsoft

I wanted to send you a quick email to let you know I located your CSR from last year and uploaded it to your pending order.
You can use our utility to import the new certificate files and assign it to the existing private key on your server.
Our utility can be found at: https://www.digicert.com/util/
Alternatively you can generate a new CSR and re-key your certificate inside your DigiCert account by clicking on the corresponding order number and then on Re-Key Your Certificate.

Linux/OpenSSL Hints

Search through config files to find SSL configuration:
grep -i -r "SSLCertificate" /etc/httpd/* | grep -v "#"
(for RedHat-based distributions; such as CentOS, Fedora, RHEL, etc.)
grep -i -r "SSLCertificate" /etc/apache2/* | grep -v "#"
(for Debian-based distributions; such as Ubuntu, Raspbian, LinuxMint, etc.)
Combine individual certificates into a PFX from separate files:

openssl pkcs12 -export -out [pfx file].pfx -inkey [private key file].key -in [certificate file].crt -certfile [intermediate (CA) file].crt

Extract the certificate(s) in a PFX to combined PEM file:
openssl pkcs12 -in [certificate].pfx -nokeys -out [cert file].crt
Extract the private key in a PFX to a separate file:
openssl pkcs12 -in [certificate].pfx -nodes -nocerts -out [key file].crt
Decode a PKCS#7 (P7B) into PEM-format:
openssl pkcs7 -print_certs -in [certificate].p7b -out [cert].crt
Check a remote certificate installation:
openssl s_client -connect [server:port] -servername [fqdn] -CAfile [intermediate].crt
Generate a new CSR using an existing private key:
openssl req -out [csr file].csr -key [private key].key -new
Native OS tools to list certificate infos:
Windows: certutil -dump [path to pfx]
Linux: openssl pkcs12 -info -in [path to pfx]
Check which certificate the server is handing out:
openssl s_client -connect
To make the result cleaner you can also run:
openssl s_client -connect | grep "s:/"
To Check the date of the server certificate being handed out:
echo | openssl s_client -connect 2>/dev/null | openssl x509 -noout -dates
- or -
openssl s_client -connect | openssl x509 -noout -dates

Apache2 Rewrite Rule (Force SSL)

Make sure rewrite module is enabled and under the http port 80 Virtual Host put:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

DigitalOcean Apache issue, HTTPS just won't work

DigitalOcean adds a DENY ALL to the IPtable firewall in linux, so if 443 isn't explicitly allowed, it will not work.
Run the following commands as root or sudo to make changes to the firewall.
iptables -L Lists current firewall rules.
iptables -A INPUT -p tcp --dport https -j ACCEPT Adds HTTPS 443 rule to ALLOW.
iptables -D INPUT 5 MAKE SURE TO CHANGE 5 to whichever line number the DROP ALL is located.
iptables -A INPUT -j DROP Adds the DROP ALL back to the end of the table.

Getting a Duplicate

To get a duplicate:
  1. Generate a CSR from the new server
  2. Login to your DigiCert account and click on the order number
  3. Click the gray button 'Get a Duplicate'
  4. Paste or upload the new CSR into the window
  5. Select the server and click 'Submit'
Your duplicate will be at the bottom of the order page.

How to check if a certificate is revoked or valid

openssl ocsp -issuer DigiCertHighAssuranceCA-3.crt.pem -no_nonce -VAfile DigiCertHighAssuranceCA-3.crt.pem -url http://ocsp.digicert.com -serial 0xSERIALNUMBERHERE

You can also check if you have the certificate file by changing -serial to -cert and pointing to the file

OpenSSL Command to check if private key matches certificate

Please use the commands below to view and compare the modulii of the certificate, private key, and CSR.
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
For each of those, you will receive the file's modulus, which looks something like a77c7953ea5283056a0c9ad75b274b96
If each is the same value (exactly), then the cert, key, and req are a match.

Wildcard with Exchange 2007/2010

The IMAP and POP certificate need to be set using these two commands in the Exchange Management Shell:
set-POPSettings -X509CertificateName mail.yourdomain.com
set-IMAPSettings -X509CertificateName mail.yourdomain.com

EV not showing green bar

The page includes other resources that aren't secure. Anything that is a callout (such as image links) to a non-https:// will result in this.
It is very common with WordPress sites, and can be mitigated with a plugin.
You can check for insecure elements at https://whynopadlock.com

Tomcat Tricks/Hints:

Convert a keystore (JKS) file into a PKCS#12 (P12 or PFX) file:

keytool -importkeystore -srckeystore [keystore].jks -destkeystore [pfx file].pfx -deststoretype PKCS12 -srcalias [jks file alias] -deststorepass [keystore password] -destkeypass [pfx password]

Convert a PKCS12 file into a keystore file:

keytool -importkeystore -srckeystore [pfx file].pfx -destkeystore [keystore].jks -srcstoretype PKCS12 -alias [jks file alias] -deststorepass [jks store password] -destkeypass [jks key password] -srcstorepass [pfx password]

Dump your keystore contents to a text file:
keytool -list -v -keystore [keystore file].jks > [text file].txt

DigiCert Corporate Info

DigiCert, Inc.
2801 Thanksgiving Way
Ste. 500
Lehi, UT 84043
EIN/FEIN: 41-2089542

How to renew and apply a promo code at the same time?

Use a link like this:
Replace XXXXXXXX with the number of the order to be renewed and PPPPPPPPP with the promo code you want to apply.

Can I put an IP address as a SAN on the Multi-Domain or EV Mulit-Domain certificate?

Yes, as long as the IP address is in the public space.
The following address ranges are disallowed:

Where can I get a PKCS#12/P12/PFX format certificate?

A PKCS#12/P12/PFX certificate is one that would be created on the server by exporting the installed certificate with its private key.
Using our utility, you can highlight the cert then click 'Export' to make a .pfx file, which is a PKCS12 file.

Code Signing

They just need to select the re-key option.
They don't need a new CSR.
It will be re-emailed to the CS Certificate Requester found under the "Company Contacts" tab

Then, they can click on the link in the email again.
Once they click on the link, it will be installed in the browser they used to click on the link.
They can then export it from their browser as a .pfx file, OR if they used IE, it's installed in the windows store, and they're usually set.

There WILL be a link in the email he receives. It's an exact duplicate of the original. If he's working with a code signing cert, there's no way to log in to his account and download them. That's not the way our code certs work, so he must be looking at something else unless he can pass on that email to us so we can take a closer look.

Password reset

Send email to the email address listed for the master user on the account asking for permission to do so. If he can respond to it with an approval, then you are good.
If not, then he's stuck unless you can reach the master user on a verified phone number to approve him.

Easy CSR creater for Apache and any other OpenSSL


Add Change or delete names

The procedure to Add, change, delete, or fill domain names already purchased in your UC Certificate is as follows:
Log into your DigiCert account www.digicert.com
Select “My Certificates”
Click on your order number
Under the Heading Actions click on "Add, Remove, or Change Domains"
Enter in your new CSR, Reason, and server software. https://admin.digicert.com/csr-creation.htm

Edit the new details match the desired changes. Select “Process Reissue”. Make sure you include all the needed domains. Leaving an additional domain name section blank will remove that SAN from the certificate. See corresponding in the current details section for a list of current domains listed in the certificate.

Our support team will re-validate the changes and reissue the certificate. Note it may be necessary to resubmit a domain control validation email for the new or changed domain name before we can issue the certificate.

Install your new certificate. http://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htm
Reissuing the certificate while removing a domain name will revoke the old certificate. If no domains are removed the older certificate will not be revoked.

Safekey Installer

Need to download the safenet installer for my code cert can you provide the link?
Make sure to change the XXXXXXXX to match the order number associated with the EV Code Signing Order.

Hardware Installer that actually installs the certificate to the token.
They have to click Re-Key, then it will give them a link to the Digicert Hardware Installer.
They download that, then run it and their account will guide them through the rest - it gives them a code they have to input into the installer to install the cert on the token.

Changing the Org Contact

Contact the master user on the account
OR contact the organization through a verified phone number to find out who it should be updated to.

Useful Information

Is there an easy way to convert a pfx cert to a .p12?
They are the same thing, just rename it

Create a new DigiCert account



If the original purchase of the current SSL was within the past 30 days then we can offer a full/complete refund, and it may be given either as a credit to the account or to the original payment source. If the purchase date of your order is more than 30 days past then we can offer a partial refund that is calculated to a pro-rated amount based on the number of months remaining until expiration of your order; and the refund could only be given as a credit to the account (because the bank will no longer have a the transaction gateway open to initiate a refund). This manual upgrade process also helps to reduce any down-time you might have on the existing server running the current cert.

Install additional intermediate for legacy devices

Just log in, click on the order number of that certificate, then click download.
After you do so, click on the blue link labelled 'Download Individual Certificates'
You need to download the 2nd intermediate and the new root certificate.
Install those and I think you should be all set without additional errors.

Get server/certificate details


Client getting expired certificate, even though the server has it installed correctly

It could be various things like the new certificate was installed but not actually applied.
It was installed to one server, but not another (assuming you have multiple servers), the new certificate wasn't assigned to all of the services being used,
the clock is actually wrong on that client machine for some reason, the client cached an old certificate.
I don't know exactly what it is but it could be various things.
Either way, according to the error, the client is either getting an expired certificate from the server it is connecting to, or the clock is off and it doesn't think the certificate it is getting is valid.


A PKCS12, also called a PFX, is a file that contains your private key, certificate, and intermediate. Since you create your own private key, we are not able to provide the certificate in PKCS12 format (because we don't have the private key).

However, it is easy to create a PKCS12/PFX using our DigiCert Utility:

First create the CSR in the DigiCert Utility:

Use the new CSR to re-key your certificate:

Import the new, re-keyed certificate into the Utility:
http://www.digicert.com/util/ssl-certificate-installation-using-digicert-utility-for-microsoft-servers.htm (Steps 1-4)

Finally, export the certificate in PFX format:

Cipher Suites

I'm not sure which server you are running, but I can point out a few things to get you headed in the right direction for working with the cipher suites, which is where I would start.

Windows: IIS Crypto - This is third party program, not related to DigiCert in any way, but it does provide a GUI to manage the ciphers in place of trying to edit the Registry in Windows.

Apache: You would edit your SSL conf file, which will include a section for the ciphers.

For Apache2, you would probably edit: /etc/apache2/mods-available/ssl.conf

For Apache, it might be located in /etc/httpd/conf.d/ssl.conf
You could adjust the cipher suite to the following: SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!NULL

Tomcat: Edit the server.xml to set the sslProtocol= and ciphers= to what you want to use.

Citrix: There are multiple different products with different interfaces. I would consult that product's documentation.

Jigsaw.com countries

New Zealand
South Africa
United Kingdom

Apache Hints

httpd.conf usually refers to httpd-ssl.conf using an include (Make sure that include is not commented out
Inside of httpd-ssl.conf is where the SSL Configuration is generally at (Make sure SSLEngine ON)
Also look for maybe 443 Virtual Host being setup as its own website (If it is you will need to enable it a2ensite default-ssl or whatever it is
Can try to enable mod_ssl by running a2enmod SSL or a2enmod mod_ssl

Domain Authorization Email

Thanks for the email. The domain authorization emails are sent to anyone listed on the WHOIS record of the domain as well as (admin,administrator,hostmaster,postmaster)@domain.com

In order to send it to a different email address, you will need to update the registrant on the WHOIS record for the domain with your web registrar (such as GoDaddy or Network Solutions)

or alternatively to confirm you have control of the domain, we need you to set up a web page on YOURDOMAIN that we can access. The page should display the following: "Demonstration of domain control for DigiCert order #(your order number)". On a separate line say, "Please send the approval email to: ", and include the alternate email address you would like us to use.

S/MIME Certificates

Currently we do not offer email or personal ID certificates through our regular retail website, but they are available through our subscription-based Managed PKI
program. That program would be recommended if you had over 50 users needing certificates for the same domain. You can read about the program here:


If you just need a few email or personal ID certificates, and not the whole Managed PKI program on top of it, I would recommend using this site to find a provider:


Code Signing Generation

If you opened the link in IE or Google Chrome than the certificate was automatically generated and added into your computers certificate store. You can run our
DigiCert Utility to sign or export the certificate to use on other machines. https://digicert.com/util

If you used Mozilla Firefox you can export it by the following:

Tools -> Options -> Advanced Tab -> Certificates Tab -> View Certificates

Then choose the certificate from the list and choose 'Backup'

Download OpenSSL


Export Private Key from Java/Tomcat Keystore

keytool -importkeystore -srckeystore KEYSTORE.jks -destkeystore KEYSTORE.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

Create a PFX File

You will need to do is run our DigiCert Utility from any windows server/machine (can be your personal computer if you want) https://digicert.com/util Then you will create a CSR using the Utility, once generated you will login to your account, click on the order number and choose 'Get a Duplicate' Paste the new CSR from the utility and then submit. Once the duplicate is available for download, download it to the same machine where you ran the utility Click import on the utility and navigate to the .cer file you just downloaded, once its imported successfully you can then select it and choose 'Export' and there will be an option for pfx

IIS binding stuck and won't hand out new certificate

You can run netsh http show sslcert to view the certificate/bindings
Then you can delete that binding: netsh http delete sslcert ipport=
netsh http add sslcert ipport= certhash=a31c441be350fa90ad1aa1b0172fe0e4cbb71ecd appid={00112233-44556677-8899-AABBCCDDEEFF}
certhash= THUMBPRINT

Default Key Usage Fields

Digital Signature, Key Encipherment (a0)
Add ons available: Non-Repudiation, Data Encipherment, Encipher Only



Plesk error

plesk apache wont restart
/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Chrome Keywords


Why are roots SHA-1

Taken from entrust*
In Microsoft’s responses to their SHA-1 deprecation policy, they state the following: “The SHA1 deprecation policy does not impact SHA1 root certificates, because Windows relies on other means to validate root certificates besides the signature. But all root CAs are expected to switch to use SHA2 to sign any subordinate CA certificates, CRLs, etc.”

So please do not be concerned if the website you are visiting does not use a SHA-2 signed root certificate.

Document Signing

Individual - CN And Org Name will pull from Organization
Organization - OLD WAY: Org Name = Org, CN = Org ---- NEW WAY: Org Name = Org CN = First.Last of DS User

OpenSSL commands to check which protocols are being used

SSL v2
openssl s_client -connect sslsimplified.com:443 -ssl2 -quiet
SSL v3
openssl s_client -connect sslsimplified.com:443 -ssl3 -quiet
TLS 1.0
openssl s_client -connect sslsimplified.com:443 -tls1 -quiet
TLS 1.1
openssl s_client -connect sslsimplified.com:443 -tls1_1 -quiet
TLS 1.2
openssl s_client -connect sslsimplified.com:443 -tls1_2 -quiet
It will return the certificate if the protocol is enabled or it will give a handshake failure if the protocol is disabled (or the https connection is down)

How to View a JAR Certificate

Open the .jar file using 7-Zip. Navigate to the META-INF Directory and then extract the SERVER.RSA to your machine.
Rename it to a .p7b and you will then be able to click on it and view the details as a normal certificate from Windows.

Single Sign On Safenet Token


Site Seal Options

		div id="DigiCertClickID_XXXXXXXX" data-language="en"
< script type="text/javascript">
var __dcid = __dcid || [];__dcid.push(["DigiCertClickID_XXXXXXXX", "3", "s", "black", "XXXXXXXX"]);(function(){var
cid=document.createElement("script");cid.async=true;cid.src="//seal.digicert.com/seals/cascade/seal.min.js";var s =
document.getElementsByTagName("script");var ls = s[(s.length - 1)];ls.parentNode.insertBefore(cid, ls.nextSibling);}());

The XXXXXXXX is where the unique identifier will be shown.. data-language can contain "en", "es", "ja" (en: English es: Spanish ja:Japanese) DigiCertClickID will be a 8 character unique identifier.. This is how the seal checks with DigiCert to ensure the seal is valid for the domain In the below example you will see a section that has "3", "s", "black" The 3 tells us which logo you want to use (for OV the options are 3, 5, and 7) (For EV the options are 10, 11, and 13) The "s" tells us size (Options are s, m, l for Small, Medium, and Large) black, tells us which font color to use, the options are black or white.. Site Seal Sizes are (80x58, 100x73, 130x9) (s,m,l)

3 Year/5 Year Validity Baseline Requirement

		6.3.2. Certificate Operational Periods and Key Pair Usage Periods
		Subscriber Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months.
		Except as provided for below, Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period
		no greater than 39 months.
		Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates with a Validity Period greater than 39
		months but not greater than 60 months provided that the CA documents that the Certificate is for a system or
		software that:
		(a) was in use prior to the Effective Date;
		(b) is currently in use by either the Applicant or a substantial number of Relying Parties;
		(c) fails to operate if the Validity Period is shorter than 60 months;
		(d) does not contain known security risks to Relying Parties; and
		(e) is difficult to patch or replace without substantial economic outlay.