How to request a SWITCHpki QuoVadis server certificate
Specific requirements may apply to the procedure at your own organization; please check with your registration authority (contact information) before submitting your first request.
1. Creating the key pair and the CSR (certificate signing request)
To create the key pair and the CSR, either use the respective option
in your server software, or generate it with a tool of your choice,
such as OpenSSL (available for many operating systems),
keytool (for Java applications) etc. There are only
two mandatory requirements applying to the CSR:
- the CN (commonName) attribute must include a fully qualified domain name
- it must include an RSA key with a size of at least 2048 bits
2. Submitting the CSR
Submit the CSR through the SWITCHpki QuoVadis certificate request form. In step 1, paste your CSR into the text box, select the type, desired validity, and fill in the information about the technical contact. Finally, click the Check my input button.
The system then validates your input. It may issue warnings, but as long as no major errors are found, step 2 is shown, which asks you to confirm the submission of your request:
Complete the submission of your CSR by clicking the Accept agreement and submit my request button.
2b. First-time submissions only: registering your Trust/Link account
The QuoVadis Trust/Link system assigns an account to every subscriber (i.e., technical contact) who submits a request. Subscriber accounts are identified by their e-mail address, so when you submit a request with a tech contact address not yet known by the system, an account will automatically be created for you. At the same time you receive an e-mail message asking you to set the password for your Trust/Link subscriber account. The URL in that mail expires after two weeks, so we recommend that you set your password at your earliest convencience.
3. Confirmation and verification of your request
After every successful submission of your CSR, you receive a confirmation by e-mail. Your request then needs to be confirmed by one of the SWITCHpki contact persons at your organization (the "certificate approvers"). They will automatically receive a challenge e-mail from QuoVadis, which they have to reply to.
4. Issuance of the certificate
An operator of the SWITCH RA will issue your certificate as soon as the confirmation by an authorized certificate approver of your organisation has been received (usually, this happens within one business day). When the certificate is ready, an e-mail with a URL for retrieving the certificate is sent to the subscriber (technical contact).
5. Download/installation/configuration of the certificate
To install the certificate, please refer to the documentation of your server software. It's important that you also install the intermediate CA certificate so that your server sends both the server certificate and the intermediate CA certificate to a client.
To download the certificate, open the URL received in the e-mail to get to the download page. Download the certificate in the appropriate format. See below for further instructions for specific software.
For the Apache HTTP server, see How to install a SWITCHpki QuoVadis certificate in the Apache HTTP server
For Microsoft IIS 6 (Windows Server 2003), it's recommended to use the PKCS#7 format when using the IIS wizard - this makes sure that the intermediate CA certificate is automatically added to the proper Windows certificate store. For Microsoft IIS 7 or later, the PEM format should be used (PKCS#7 does not really work in this case - but IIS 7 or later will automatically fetch the missing CA certificates from the network and place them into the correct store).
- If you use the Apache HTTP server, see Enabling OCSP Stapling in the Apache HTTP server.
- If you use IIS on Windows Server 2008 or later, OCSP Stapling is enabled by default, you don't need to do anything.
- For other products, please refer to the documentation of your server software.
6. Verifying the correct installation of the server certificate
To verify that your server is correctly configured (serving a proper chain, in particular), you can use the "Certificate chain test" utility - as long as your server is reachable from the public Internet (or SWITCHlan, at least).
s_client command can be used.
To properly validate the certificate, you should first download a file
with the PEM formatted versions of the
QuoVadis Root CA 1 and the QuoVadis Root CA 2.
Then, execute the following OpenSSL command in a shell (replace
your.server.example.com and the port number accordingly):
openssl s_client -CAfile qvroots.pem -quiet -connect your.server.example.com:443
which should produce output such as
depth=2 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 verify return:1 depth=1 /C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2 verify return:1 depth=0 /C=CH/ST=Your canton/L=Your city/O=Your organization/CN=your.server.example.com verify return:1
I.e., there must be no
verify errors, and either entries
depth=0 (for the Root CA 1, with
the cross-signed Root CA 2) or from
are shown (self-signed Root CA 2). To close the OpenSSL connection,