Entering the certificate and private key into the server

To be able to use your new server certificate, you must make it known to the server service. This is done in the configuration file of the service.

Since the certificate is a server certificate that can be used by several services, it should be stored in a central directory (e.g. /etc/ssl/certs/).
The private key can be stored in /etc/ssl/private/. Please make sure that only root has read access to the private key.

Certificate chain

Certificates from »Sectigo«

As soon as a certificate you have requested is issued, you will receive an e-mail with download links. Under »Available formats«, select a format that already contains the certificate chain.
For Apache / nginx »Certificate (w/ issuer after)« is offered, for Microsoft IIS »PKCS#7«.

After you have saved your private key and your certificate, you should install the root certificate of the DFN-PKI and the CA certificate of the Bauhaus-Universität Weimar.

Check the fingerprint of the CA certificates. To display the fingerprint, you can call OpenSSL as follows:

openssl x509 -in <CA-certificate.pem> -fingerprint -sha256 -noout

To make the existing chain of CA certificates available to the server, you can either specify each individual certificate in the configuration file or use the UNIX command cat to create a file containing all the necessary CA certificates.

Example for the Apache web server:

server # cat dfn-root-ca-cert.pem  top-cacert.pem cacert.pem >> ca-bundle.crt

In order for the configuration file to be read in again, the service must be restarted after installing the certificates.
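
The three checks described above (CA fingerprint, private-key permissions, chain file) can be scripted as follows. This is an added example, not part of the original instructions; the function names are hypothetical, and it assumes a POSIX shell with openssl and mktemp available.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names are the caller's.

# True if FILE's SHA-256 fingerprint equals EXPECTED (colons and case ignored).
# EXPECTED must come from a trusted channel, e.g. the CA's published value.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    got=$(openssl x509 -in "$1" -fingerprint -sha256 -noout) || return 1
    got=$(printf '%s' "${got#*=}" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# True if FILE is owned by UID (default 0 = root) and group/others have no
# permission bits at all, e.g. a mode string of -rw------- or -r--------.
key_is_private() {
    want_uid=${2:-0}
    set -- $(ls -ldn "$1" 2>/dev/null)
    [ "${3:-}" = "$want_uid" ] &&
        [ "$(printf '%s' "${1:-}" | cut -c5-10)" = "------" ]
}

# Write CERT... into OUT in the order given, replacing any previous OUT.
# Unlike "cat ... >> OUT", running this twice cannot duplicate certificates.
build_bundle() {
    out=$1; shift
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    for cert in "$@"; do
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null) || n=0
        if [ "$n" != 1 ]; then
            echo "not exactly one PEM certificate: $cert" >&2
            rm -f "$tmp"
            return 1
        fi
        cat "$cert" >> "$tmp"
    done
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Usage with the file names from the Apache example:
#   build_bundle ca-bundle.crt dfn-root-ca-cert.pem top-cacert.pem cacert.pem
#   key_is_private /etc/ssl/private/<your-key-file> || echo "fix key permissions" >&2
```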