Santronics Software, Inc., Wildcat! SSL CA Intermediate Certificate Installation Instructions

How do I know if I need a CA intermediate certificate?

Easy! Simply test your installed signed SSL certificate using your web browser on your Wildcat! SSL Web Server. If the web browser indicates your certificate was signed by an "unknown" and/or "untrusted" vendor, then your Wildcat! CA Intermediate Certificate Database file CA-BUNDLE.TXT needs to be updated.

Also, as was the case with VeriSign on January 7, 2004, the CA intermediate certificate might have expired on the user's PC, thus requiring a new installation of VeriSign's new intermediate certificate. Since it is more troublesome to have each of your users install a new CA intermediate certificate on their machine, it is easier to update the CA-BUNDLE.TXT database file on your server. See item #2 in "What is a CA Intermediate Certificate?"

What is a CA Intermediate Certificate?

The CA (Certificate Authority) Intermediate Certificate is a trusted vendor certificate used to verify and validate your signed certificate when the user connects to your SSL Server. When the user connects to your web server, your signed certificate is sent to their browser, which then checks it against the trusted CA vendor intermediate certificates already installed on the user's machine by Microsoft Internet Explorer, Netscape or other browsers.

In most cases, the CA intermediate certificate is already installed on the user's PC, which is true for the more popular CA vendors such as VeriSign, Thawte and others. If the user's PC does not have the CA's intermediate certificate installed, then you need to provide it using the Wildcat! SSL CA Certificate database file CA-BUNDLE.TXT.

It is rare for you to even need to consider installing a CA intermediate certificate; however, you may need to for the following reasons:

1) You purchased an SSL certificate from a CA vendor who is not (yet) popular, such as Instant SSL (Comodo), and whose intermediate certificates are not widely distributed on users' PCs. In this case, the CA vendor will provide you with the intermediate certificate you will need to install in Wildcat!. If you have purchased an InstantSSL certificate, you will need to perform this task.

2) The CA vendor's intermediate certificate expired on the user's PC, as was the case with VeriSign on January 7, 2004, when their intermediate certificate expired and required you to install a new intermediate certificate. See: Expiration of VeriSign Global Server ID Intermediate Root CA on 1/7/2004

Installation of CA Intermediate Certificate:

If your CA vendor requires the installation of an intermediate certificate, please follow these steps:

Step 1: Stop WCONLINE

Step 2: Obtaining the new CA Intermediate Certificate:

In most cases, if the vendor requires the installation of an intermediate certificate, Santronics may have already updated a new CA-BUNDLE.TXT file containing the vendor's new intermediate certificate and made it available at the Santronics FTP site:

You should first check this ftp site for the availability of a new CA-BUNDLE.TXT. You should read the history information at the top of this file to see if your specific CA intermediate certificate was recently added.

NOTE: As of February 2003, the CA-BUNDLE.TXT at this ftp location included the InstantSSL intermediate certificate required for all Instant SSL (Comodo) customers. As of January 12, 2004, the file was updated with the new VeriSign intermediate certificate, replacing the one which had expired on January 7, 2004.

Download this text file and place it in your \wc5\SSL\CACERT folder. The default expected file name is CA-BUNDLE.TXT.

If Santronics has not updated the CA-BUNDLE.TXT, obtain the vendor's CA intermediate file following their instructions for the Wildcat! SSL Server and save it in the \wc5\SSL\CACERT folder with the file extension *.PEM, for example:

If the vendor does not have instructions specific to the Wildcat! SSL Server, then obtain the Intermediate Certificate for the Apache SSL Server. HOWEVER, DO NOT FOLLOW ANY MORE INSTRUCTIONS OTHER THAN TO OBTAIN THE CERTIFICATE FILE ITSELF.

Now, depending on your version of Wildcat!, you can follow step 2.1 or step 2.2.

Step 2.1: Installing new CA Intermediate Certificate (Wildcat! SSL v5.6 or below)

If you have the new CA-BUNDLE.TXT containing your CA intermediate certificate, you may proceed to step 3.

If the CA-BUNDLE.TXT file does not have your CA intermediate certificate, then manually edit the file \wc5\ssl\cacert\ca-bundle.txt and copy the contents of the *.PEM file saved in step 2 to the bottom of the list.

How do you know if the CA-BUNDLE.TXT has your intermediate certificate? Easy, by testing your operation. If the user's web browser indicates your certificate was signed by an unknown or untrusted vendor, then your CA-BUNDLE.TXT needs to be updated.

Step 2.2: Installing new CA Intermediate Certificate (Wildcat! SSL v6.0 or better)

If you are using Wildcat! SSL v6.0, then you may proceed to step 3. This version of Wildcat! understands individual *.PEM files stored in the SSL\CACERT folder. It will read the CA-BUNDLE.TXT containing multiple CA intermediate certificates and it will also look for individual *.PEM files.

Step 3: Using NotePad, edit the file SSL\SSL.INI

Make sure the [GENERAL] section of the SSL.INI file contains the following lines:

If any of the above lines are missing, add them. If any are missing, we only expect the last two lines to be missing (VerifyPath and ConfigFile).

Step 4: Start WCSSLCONFIG.EXE

Start WCSSLCONFIG and change the verify level to "FAIL IF NO PEER CERTIFICATE". Save and exit WCSSLCONFIG.EXE.

Step 5: Restart WCONLINE and test your SSL operations

Start WCONLINE and use your browser to test HTTPS connections to your Wildcat! Web Server. You should not see any popup errors from the browser. If you do, make sure you followed all the steps, especially step 4.
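
An added example, not part of the original Santronics instructions: the manual edit from Step 2.1 done as a script, which checks by fingerprint whether the certificate in the vendor's *.PEM file is already in CA-BUNDLE.TXT and appends it to the bottom only if it is missing. The function names and sample data are assumptions made for this illustration; the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_pem(der, width=64):
    """Encode DER bytes as one PEM certificate block."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

def der_blocks(text):
    """Decode every PEM certificate block in text; other lines are ignored."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 over the decoded bytes, so line wrapping and CRLF do not matter."""
    return hashlib.sha256(der).hexdigest()

def merge_intermediate(bundle_text, pem_text):
    """Append certificates from pem_text that the bundle lacks.

    Returns (new_bundle_text, fingerprints_added)."""
    have = {fingerprint(d) for d in der_blocks(bundle_text)}
    out = bundle_text.rstrip("\r\n") + "\n"
    added = []
    for der in der_blocks(pem_text):
        fp = fingerprint(der)
        if fp in have:  # already in the bundle: do not add a duplicate
            continue
        out += "\n" + to_pem(der)
        have.add(fp)
        added.append(fp)
    return out, added

# Constructed sample data: placeholder bytes, not real certificates.
OLD_CA = bytes(range(90))
NEW_CA = bytes(range(100, 200))
BUNDLE = "History: constructed sample bundle\n\n" + to_pem(OLD_CA)
VENDOR_PEM = to_pem(NEW_CA, width=76).replace("\n", "\r\n")

if __name__ == "__main__":
    merged, added = merge_intermediate(BUNDLE, VENDOR_PEM)
    print(len(added), "certificate(s) appended")
    print(merged)
```

On a server, keep a backup copy of CA-BUNDLE.TXT and write the merged text back while WCONLINE is stopped (Step 1).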