How to request a SWITCHpki QuoVadis server certificate

Specific requirements may apply to the procedure at your own organization; please check with your registration authority (contact information) before submitting your first request.

1. Creating the key pair and the CSR (certificate signing request)

To create the key pair and the CSR, either use the respective option in your server software, or generate it with a tool of your choice, such as OpenSSL (available for many operating systems), certreq.exe (on Windows), keytool (for Java applications) etc. There are only two mandatory requirements applying to the CSR:

  • the CN (commonName) attribute must include a fully qualified domain name
  • it must include an RSA key with a size of at least 2048 bits

Creating a CSR with OpenSSL
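The two requirements above can be produced and checked with OpenSSL alone. The script below is an added example, not SWITCHpki's own tooling: it generates a 2048-bit RSA key pair and a CSR, then reads the CSR back and checks that the CN contains a fully qualified domain name (the "contains a dot" test is only a heuristic for that) and that the RSA key is at least 2048 bits. The hostname www.example.org and the subject fields are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the SWITCHpki page): create a key pair and CSR with
# OpenSSL and check the two mandatory CSR requirements (FQDN in CN, RSA >= 2048).
# Subject fields and the hostname are placeholders; replace them with your own.

set -e

# Generate an RSA private key (default 2048 bits, the minimum accepted) and a
# CSR whose commonName is the fully qualified domain name of the server.
make_csr() {
    host="$1"          # FQDN that goes into the CN
    keyfile="$2"
    csrfile="$3"
    keybits="${4:-2048}"
    openssl genrsa -out "$keyfile" "$keybits" 2>/dev/null
    openssl req -new -key "$keyfile" -out "$csrfile" \
        -subj "/C=CH/ST=Your canton/L=Your city/O=Your organization/CN=$host"
}

# Print the CN found in the CSR subject (works with both the "CN = x" and the
# "/CN=x" subject output styles of different OpenSSL versions).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the RSA key size in bits found in the CSR.
csr_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check both requirements; returns non-zero and explains if either one fails.
check_csr() {
    cn=$(csr_cn "$1")
    keysize=$(csr_bits "$1")
    case "$cn" in
        *.*) ;;   # heuristic: an FQDN contains at least one dot
        *) echo "CN '$cn' is not a fully qualified domain name" >&2; return 1 ;;
    esac
    if [ "${keysize:-0}" -lt 2048 ]; then
        echo "RSA key is only ${keysize:-0} bits; at least 2048 required" >&2
        return 1
    fi
    echo "CSR OK: CN=$cn, RSA $keysize bits"
}

# Usage: sh make_csr.sh www.example.org   (writes www.example.org.key and .csr)
if [ $# -ge 1 ]; then
    make_csr "$1" "$1.key" "$1.csr"
    check_csr "$1.csr"
fi
```

Paste the resulting .csr file into the request form; keep the .key file private on the server, since it is never sent to the CA.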

2. Submitting the CSR

Submit the CSR through the SWITCHpki QuoVadis certificate request form. In step 1, paste your CSR into the text box, select the type, signature algorithm, desired validity, and fill in the information about the technical contact. Finally, click the Check my input button.

[Screenshot: Step 1]

The system then validates your input. It may issue warnings, but as long as no major errors are found, step 2 is shown, which asks you to confirm the submission of your request:

[Screenshot: Step 2]

Complete the submission of your CSR by clicking the Accept agreement and submit my request button.

2b. First-time submissions only: registering your Trust/Link account

The QuoVadis Trust/Link system assigns an account to every subscriber (i.e., technical contact) who submits a request. Subscriber accounts are identified by their e-mail address, so when you submit a request with a tech contact address not yet known to the system, an account will automatically be created for you. At the same time you receive an e-mail message asking you to set the password for your Trust/Link subscriber account. The URL in that mail expires after two weeks, so we recommend that you set your password at your earliest convenience.

3. Confirmation and verification of your request

After every successful submission of your CSR, you receive a confirmation by e-mail. Your request then needs to be confirmed by one of the SWITCHpki contact persons at your organization (the "certificate approvers"). They will automatically receive a challenge e-mail from QuoVadis, which they have to reply to.

4. Issuance of the certificate

An operator of the SWITCH RA will issue your certificate as soon as the confirmation by an authorized certificate approver of your organization has been received (usually, this happens within one business day). When the certificate is ready, an e-mail with a URL for retrieving the certificate is sent to the subscriber (technical contact).

5. Installation/configuration of the certificate

To install the certificate, please refer to the documentation of your server software. It's important that you also install the intermediate CA certificate (QuoVadis Global SSL ICA G2 for Business SSL certificates or EV SSL certificates without the CT extension, QuoVadis EV SSL ICA G1 for EV SSL certificates with the CT extension, or the legacy QuoVadis Global SSL ICA for SHA-1 based SSL certificates), so that your server sends both the server certificate and the intermediate CA certificate to a client.

For the Apache HTTP server, see How to install a SWITCHpki QuoVadis certificate in the Apache HTTP server.

For Microsoft IIS 6 (Windows Server 2003), it's recommended to use the PKCS#7 format when using the IIS wizard - this makes sure that the intermediate CA certificate is automatically added to the proper Windows certificate store. For Microsoft IIS 7 or later, the PEM format should be used (PKCS#7 does not really work in this case - but IIS 7 or later will automatically fetch the missing CA certificates from the network and place them into the correct store).

We recommend configuring and enabling OCSP Stapling.
(See this IAB Statement on OCSP Stapling for more information. The presentation OCSP Stapling gives an introduction to OCSP Stapling.)

  • If you use the Apache HTTP server, see Enabling OCSP Stapling in the Apache HTTP server.
  • If you use IIS on Windows Server 2008 or later, OCSP Stapling is enabled by default; you don't need to do anything.
  • For other products, please refer to the documentation of your server software.

6. Verifying the correct installation of the server certificate

To verify that your server is correctly configured (serving a proper chain, in particular), you can use the "Certificate chain test" utility - as long as your server is reachable from the public Internet (or SWITCHlan, at least).

Otherwise, OpenSSL's s_client command can be used. To properly validate the certificate, you should first download a file with the PEM formatted versions of the QuoVadis Root CA 1 and the QuoVadis Root CA 2. Then, execute the following OpenSSL command in a shell (replace your.server.example.com and the port number accordingly):

openssl s_client -CAfile qvroots.pem -quiet -connect your.server.example.com:443

which should produce output such as

depth=2 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
verify return:1
depth=1 /C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
verify return:1
depth=0 /C=CH/ST=Your canton/L=Your city/O=Your organization/CN=your.server.example.com
verify return:1

That is, there must be no verify errors, and the output must show either entries from depth=3 to depth=0 (chain ending in Root CA 1, via the cross-signed Root CA 2) or from depth=2 to depth=0 (chain ending in the self-signed Root CA 2). To close the OpenSSL connection, use Ctrl-C.
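The most common reason for a failing check is a server that sends only its own certificate and not the intermediate CA certificate from section 5. The script below is an added example, not part of the SWITCHpki page, that reproduces this offline: it constructs a throwaway three-level chain (toy root, toy intermediate, toy server certificate) standing in for QuoVadis Root CA 2, QuoVadis Global SSL ICA G2 and your server, and runs openssl verify once with the intermediate supplied (as a correctly configured server would send it) and once without. All names and file names are assumptions for the demo; live_check is the on-the-wire variant of the s_client command above with -status added so that a stapled OCSP response is requested too (it needs network access and is not exercised offline).

```shell
#!/bin/sh
# Added example (not from the SWITCHpki page): reproduce offline what the
# s_client chain check does on the wire, using a constructed toy chain
# root -> intermediate CA -> server certificate. Keys and names are demo-only.

set -e

# Build a throwaway three-level chain in directory $1.
make_toy_chain() {
    dir="$1"
    ext="$dir/ca.ext"
    # Extensions that make a certificate usable as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"

    # Self-signed root: the equivalent of an entry in qvroots.pem.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/C=BM/O=Toy CA/CN=Toy Root CA" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root (the part the server must send).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ica.key" \
        -out "$dir/ica.csr" -subj "/C=BM/O=Toy CA/CN=Toy Intermediate CA" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/ica.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$ext" \
        -out "$dir/ica.pem" 2>/dev/null

    # Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" \
        -subj "/C=CH/O=Your organization/CN=your.server.example.com" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/ica.pem" \
        -CAkey "$dir/ica.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# Verify a server certificate against the trusted roots in $1. $3 is the
# optional file with the intermediate(s) the server is expected to send;
# leaving it out simulates a server that sends only its own certificate and
# yields "unable to get local issuer certificate".
verify_chain() {
    roots="$1"; server="$2"; untrusted="$3"
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$roots" -untrusted "$untrusted" "$server"
    else
        openssl verify -CAfile "$roots" "$server"
    fi
}

# Live variant against a reachable server (needs network): $1 is the roots
# file, $2 is host:port. -servername sends SNI, -status requests a stapled
# OCSP response; look for "OCSP Response Status: successful" in the output.
live_check() {
    openssl s_client -CAfile "$1" -connect "$2" -servername "${2%%:*}" -status </dev/null
}

# Usage: sh chain_check.sh demo   (builds the toy chain in a temp dir and checks it)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_toy_chain "$d"
    echo "with intermediate:";    verify_chain "$d/root.pem" "$d/server.pem" "$d/ica.pem"
    echo "without intermediate:"; verify_chain "$d/root.pem" "$d/server.pem" || true
fi
```

The same distinction appears in the s_client output: a server that omits the intermediate produces a verify error at depth=0 instead of the clean depth=2..0 (or depth=3..0) listing shown above.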