How to request a SWITCHpki DigiCert server certificate

Specific requirements may apply to the procedure at your own organization; please check with your registration authority (contact information) before submitting your first request.

1. Creating the key pair and the CSR (certificate signing request)

To create the key pair and the CSR, either use the respective option in your server software, or generate it with a tool of your choice, such as OpenSSL (available for many operating systems), certreq.exe (on Windows), keytool (for Java applications) etc. There are only two mandatory requirements applying to the CSR:

  • the CN (commonName) attribute must include a fully qualified domain name
  • it must include an RSA key with a size of at least 2048 bits

Creating a CSR with OpenSSL

2. Submitting the CSR

Submit the CSR through the channel provided by your Organization. This can be a Digicert Guest URL, or via a personal login to the Digicert CertCentral platform at https://www.digicert.com

An administrator of your Organization then needs to approve your certificate request.

The system then checks among other things, if the Organization and Domains included in the csr are validated and if the CAA records fit, if there are any. If any of the validations have not been done the certificate can't be issued and stays pending until that is fixed.

3. Installing the certificate

To install the certificate, please refer to the documentation of your server software. It's important that you also install the intermediate CA certificate so that your server sends both the server certificate and the intermediate CA certificate to a client.

We recommend to configure and enable OCSP Stapling.
(See this IAB Statement on OCSP Stapling for more information. The presentation OCSP Stapling gives an introduction to OCSP Stapling.)

  • If you use the Apache HTTP server, see Enabling OCSP Stapling in the Apache HTTP server.
  • If you use IIS on Windows Server 2008 or later, OCSP Stapling is enabled by default, you don't need to do anything.
  • For other products, please refer to the documentation of your server software.

4. Verifying the correct installation of the server certificate

To verify that your server is correctly configured (serving a proper chain, in particular), you can use the Digicert SSL Certificate Checker - as long as your server is reachable from the public Internet.

If your server is not reachable from the public Internet, you might wish to check with CheckSSL command line tool