To order EV certificates from DigitalTrust CA, the requesting organization and domains must be validated and approved according to the relevant policies and procedures. The following documents and information should be provided for DigitalTrust to start the validation process:  

1. Complete Application Form - EV certificates Click Here
2. Certificate Holder Agreement Click Here
3. Trade License / Similar Legal Document
4. Power of Attorney for the authorized signatories of the above documents. 

After receiving all the relevant documents along with the application form, DigitalTrust shall initiate the vetting process for complete verification of details provided by the applicant to ensure maximum security for users. The process includes the following steps:

1. Verification of Application: Application form must be sent by the authorized requester as mentioned in the Authorization Letter.
2. Verification of Supporting Documents: The content of all supporting documents shall be compared to Official records.
3. Registration and Approval of Organisation: Confirm the Legal, Physical and Operational Existence of the Organisation.
4. Registration and Approval of Domain: Confirm that the Organisation has complete ownership/control over the mentioned domain.

Once the above verifications are complete, DigitalTrust shall commence issuance and delivery of the EV certificate. Please note that this process is compliant with the guidelines specified by CA/B Forum.

To order OV certificates from DigitalTrust CA, the requesting organisation and domains must be validated and approved according to the relevant policies and procedures. The following documents and information should be provided for DigitalTrust to start the validation process:

1. Complete Application Form - OV certificates Click Here
2. Certificate Holder Agreement Click Here
3. Trade License / Similar Legal Document 

After receiving all the relevant documents along with the application form, DigitalTrust shall initiate the vetting process for complete verification of details provided by the applicant to ensure maximum security for users. The process includes the following steps:

1. Verification of Application: Application form must be sent by the authorized requester as mentioned in the Authorization Letter.
2. Verification of Supporting Documents: The content of all supporting documents shall be compared to Official records.
3. Registration and Approval of Organisation: Confirm the Legal, Physical and Operational Existence of the Organisation.
4. Registration and Approval of Domain: Confirm that the Organisation has complete ownership/control over the mentioned domain.

Once the above verifications are complete, DigitalTrust shall commence issuance and delivery of the OV certificate.  Please note that this process is compliant with the guidelines specified by CA/B Forum.

To order Individual Certificates from DigitalTrust CA, the details (such as name, email, organisation name and domain) in the request must be validated and approved according to the relevant policies and procedures. 

Wildcard certificates can be issued for OV certificates. According to the guidelines from CAB forum, the use of wildcard certificates are not allowed for EV certificates.

As of September 1st 2020, DigitalTrust offers publicly-trusted TLS certificates with 1-year validity only. 

RSA key is a cryptosystem utilized in secure data transmission with large keys to provide strong encryption. RSA keys have been utilized by many organizations and have a strong and well established backing.       

ECC (Elliptic Curve Cryptography) Key is a cryptosystem that is utilized in secure data transmission with small keys that provide equal strength to RSA. The benefit of the smaller keys is that they have lower CPU consumption and low memory usage so it caters to smaller devices which are becoming more readily available with the IoT.      

Verify Installation

Before creating a certificate request it is a good idea to verify that your apache website is working as expected.

Try accessing your site locally using http in a web browser. 

It is also a good idea to make sure that you can access your website remotely. If there are any problems they will be easier to diagnose to fix before configuring certificates.

Create CSR

1. Login to your server with ssh in your terminal. At the prompt enter the following command:
   
   openssl req -new -newkey rsa:2048 -nodes -keyout <server>.key -out <server>.csr
   Replace <server> with the FQDN of your website.
   
   
2. When a prompt appears for you to enter the [Country Name], just press [Enter]. Keep pressing [Enter] Until you are prompted for [Common Name] 
   
   
   
   
3. When prompted for [Common Name], enter the FQDN for the site you are securing
   
   
4. The rest of the fields will be ignored and can be left empty.
   
   
5. This will result in the creation of two files: <server>.key, which is for encryption using your SSL Certificate, and <server>.csr which is your certificate signing request file used to apply for your SSL Certificate.

IMPORTANT: The private key needs to be stored securely at all times after creation. Make sure the private key does not leave the server and has appropriate access rights.

Two files will be created: private key and CSR file. User the CSR file to issue a certificate from CA authority.

A CSR should look like this:

The following steps are for Microsoft Exchange 2010

1. Launch your Exchange Management Console
• [Start] --> [Programs] --> [Exchange Management Console]


2. Select Manage Database


3. From here Select [Server Configuration], then [New Exchange Certificate]
• A prompt will appear asking for a name for the certificate. Enter a name for identification purposes, this will not be the official CSR name


4. Under [Domain Scope] hit [Next]
• Please note that Wildcard Certificates are not allowed for EV Certificates


5. In the [Configuration Menu] for Exchange please select the services that will be secured. Then Enter the names via which you connect to those services.


6. The next screen you can review a list of suggested names to include in your certificate request. Those suggestions are as follows:
• The Organisation should be the full legal name of your company as officially registered
• The Organisation Unit is your department within the organisation responsible for SSL
•  If you are in an area that does not have a State/Province, enter the city information again


7. Click [Browse] to save your CSR locally to your computer as a [.req] file
• Click [Save]
• Click [Next]
• Click [New]
• Click [Finish]

The following steps are for Internet Information Services Versions 5 & 6

1. Open Internet Information Services


2. Select the site that you wish to enable secure communications for.


3. Right click on the site and select [Properties] from the menu.


4. Navigate to the [Directory Security Tab] and click [Server Certificate] under [Secure Communications].


5. This will start the Web Server Certificate Wizard.
•  Click [Next]
•  Select [Create a new certificate] and click [Next]
•  Select [Prepare the request now, but send it later] and click [Next]
•  Enter the certificate name
•  Select the [Key Length (2048)] and indicate if you want to use SGC (Server Gated Cryptography), then click [Next]
•  Enter the [Organisation] and [Organisational Unit] fields, then click [Next]
•  Enter the [Common Name] (Fully Qualified Domain Name). It is imperative that this reflects the web server DNS Name.
•  Enter the [Country/Region] as well as the [City and State]. Please note that Abbreviations will not be accepted by the system.
•  Choose your save location for the file and name the file. Then click [Next]
•  Verify the information on the [Request File Summary Screen]. Then click [Next]
•  Click [Finish]

The following steps are for Internet Information Services Versions 7 & 8

1. Open Internet Information Services


2. Click on the Server that you wish to edit from the [Connections] menu on the left.


3. From the center menu double click on [Server Certificates] in the [Security] Section


4. Select the [Actions] menu from the right and click on [Create Certificate Requests]


5. The [Request Certificate Wizard] will pop up. Enter the required information in the [Distinguished Name Properties] menu. Then click [Next]


6. On the [Cryptographic Services Provider Properties] menu leave the default settings as follows:
• Crypto. Service Provider: Microsoft RSA SChannel Cryptographic Provider
• Bit length: 2048


7. Click [Next]


8. Enter a name for your file and specify a save location for your CSR. 

The following steps are for JBOSS

Note: for the following commands the fields inside the [ ] must be changed, excluding the [ ], to match your situation. Example: -keystore [Common Name].jks can be -keystore www.digitaltrust.ae.jks

1. Utilize the following command to create a new Java Keystore file with a private key:
   keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore [Common Name].jks -dname "CN=[Common Name], OU=[OrganisationUnit], O=[Organisation], L=[Town/City], ST=[State/Province], C=[Country Code - example:AE]"


2. The second command will create your CSR utilizing the same private key:
   keytool -certreq -alias server -file [Common Name].csr -keystore [Common Name].jks 

The following steps are for NGINX utilizing Open SSL

1. Run the following command:
   openssl req -new -nodes -keyout private.key -out server.csr


2. This will result in the creation of two files:
   private.key, which is your private key needed during certificate installation. Store this on your server in a secure location
   server.csr, this is your Certificate Signing Request.
   This information will be submitted to DigitalTrust for the certificate creation

The following steps are for Tomcat

This will be split into two processes, the first will be the creation of a New Keystore while the second will be generating a CSR from that keystore.

Creating a New Keystore

1. You may need to add [java /bin/ directory] to your PATH before utilizing the keytool command. When you are ready enter the following command:
   keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks
   Before pressing Enter make sure to replace your_site_name with the fqdn of your website.
2. When requested, enter a secure password for your keystore.
   
3. You will be asked to fill out a number of fields.
   You can skip the fields by pressing Enter for all values except country code. These values will be replaced before you receive your certificate.

Generating a CSR from the Keystore

1. You will now utilize the keytool to create your CSR from your Keystore. Enter the following command:
   keytool -certreq -alias server -file your_site_name.csr.txt -keystore your_site_name.jks
   Enter your keystore password from earlier, then press[Enter]
   

The following steps are for your Intermediate Certificate supplied by the CA

1. Save the file to your desktop as [Intermediate.cer]


2. Open Microsoft Management Console (MMC)


3. Press [File] then [Add/Remove Snap In]


4. Click [Add]


5. Select Certificates then click [Add]


6. Select Computer Account then click [Next]


7. Select your Local Computer then click [Finish]. Click [Close] then [OK]


8. Select [Certificates] then [Intermediate Certification Authorities]. Then [Certificates]


9. Right click on [Certificates] then select [All-Tasks]. Finally click [Import]


10. An Import Wizard will launch, navigate through by following the instructions to import the intermediate certificate then close MMC.  

The following steps are for your SSL certificate supplied by the CA

Note: You need to be able to sudo as root / have root access to your server to be able to preform the commands below. Our guide will utilize the sudo command so if you are able to login as root, disregard the sudo portion of the commands below

• • • sudo cp [file from the certificate download directory]
      By default [/etc/apache2/ssl] is where the Apache server is storing the certificates

• • •  The location for the file should be located in:
      /etc/apache2/sites-enabled/your-website-goes-here
    •  Open the file in your terminal windows utilizing the following command: 
      sudo nano [directory where config file is located]
      For example it should be by default: 
      sudo nano /etc/apache2/sites-enabled/mytestsite.ae

• Check owner of /etc/apache2/sites-enabled/
  ls -la /etc/apache2/sites-enabled/
• Make sure your edited file has the same owner as the directory:
  sudo chown <owner>:<owner> /etc/apache2/sites-enabled/
  Replace <owner> with the owner in your file system, i.e. www-data.

• • •  In the [VirtualHost] section of your file add the following directives IF they are not already included. If they are included just modify your files so that each directive points towards the most recent server certificate, chain, and private key files.
      
      <VirtualHost mytestsite.ae:443>
      DocumentRoot /var/www/
      SSLEngine on
      SSLCertificateFile /path/to/your-server-certificate.crt
      SSLCertificateKeyFile /path/to/your-private-key.crt
      SSLCertificateChainFile /path/to/chain-bundle-file.crt
      <\VirtualHost>
      
      SSLCertificate file is your server certificate file
      SSLCertificateKeyFile is your server’s private key previously generated
      SSLCertificateChainFile is the Chain bundle file

•  Exit nano and save changes
• [CTRL] + [X] to save and then type [Y] to confirm your changes

• sudo apachect1 configtest
  Report Any problems captured in the test to support.

The following steps are for your SSL certificate supplied by the CA

1. Open Internet Information Services
• [Start] --> [Programs] --> [Microsoft Exchange 2010] --> [Exchange Mangement Console]


2. Select [Manage Database] then [Server Configuration]


3. Next select your certificate from the center menu and select [Complete Pending Request] from the [Actions] menu


4. Browse to the certificate file then press [Open] and click [Complete]


5. Press [F5] to refresh the page and verify your certificate
• [False] should be displayed under [Self Signed]
•  If [True] is showed, the wrong certificate is selected or you have installed to the wrong server. Please recreate the CSR on the server and reissue the certificate


6. If the installation was successful, you need to enable your new certificate. Navigate back to the Exchange Management Console and click [Assign Services to Certificate]


7. Select your server from the list of servers and click [Next]


8. Select the services for your certificate that you want enabled and click [Next]
•  Click [Assign] then click [Finish]


9. Your new Certificate is now installed and enabled for Exchange 2010

The following steps are for your SSL certificate supplied by the CA

1. Start the Exchange Mangement Console


2. Expand IIS and browse to the website you have a certificate request pending for.


3. Right click on your site and select [Properties]


4. Select the [Directory Security] tab


5. Launch the [Web Server Certificate Wizard] by clicking on [Server Certificate] under the [Secure Communications] menu.
•  When the wizard launches, click [Next]
•  Select [Pending Request and Install the Certificate] then click [Next]
•  Browse for the location of your certificate response file then click [Next]
•  Verify the information on the summary screen and click [Next]
•  A completion screen will popup, click [Finish] to close this


6. You have now successfully installed your secure server certificate.
• • To test the website, go to https://“yourdomain.ae”

4.Select the [Directory Security] tab

5.Launch the [Web Server Certificate Wizard] by clicking on [Server Certificate] under the [Secure Communications] menu.

• When the wizard launches, click [Next]
• Select [Pending Request and Install the Certificate] then click [Next]
• Browse for the location of your certificate response file then click [Next]
• Verify the information on the summary screen and click [Next]
• A completion screen will popup, click [Finish] to close this

6.You have now successfully installed your secure server certificate.

• To test the website, go to https://“yourdomain.ae”

The following steps are for your SSL certificate supplied by the CA

1. After receiving the SSL certificate save it to your server utilizing a [.crt] extension


2. Open Internet Information Services (IIS) 7


3. Click on the server you wish to edit


4. From the center menu double click [Server Certificates] in the [Security] Section


5. Choose the [Actions] menu on the right then click [Complete Certificate Request] this will launch the [Complete Certificate Request Wizard]
• Browse for your SSL certificate you previously saved, then enter a name for it and click [OK]


6. Navigate to the [Connections] menu in the main IIS Manager window and select the server you want the certificate to be installed on


7. Under [Sites] select the site that is to be secured with SSL


8. Choose the [Bindings] option from the [Actions] menu on the right hand side


9. Click [Add] in the [Site Bindings] window


10. On the [Add Site Bindings] window choose the follow options:
• [Type] should be “https”
• [IP address] should be “your site’s IP Address” or “All Unassigned”
• [Port] should be “443”
• [SSL Certificate] should be your previously installed certificate
•  Click [OK]


11. Restart Internet Information Services(IIS) to complete your certificate installation

8.Choose the [Bindings] option from the [Actions] menu on the right hand side

9.Click [Add] in the [Site Bindings] window

10.On the [Add Site Bindings] window choose the follow options:

•  [Type] should be “https”
•  [IP address] should be “your site’s IP Address” or “All Unassigned”
•  [Port] should be “443”
•  [SSL Certificate] should be your previously installed certificate
•  Click [OK]

11.Restart Internet Information Services(IIS) to complete your certificate installation

The following steps are for your SSL certificate supplied by the CA

1. Download your SSL Certificate and Intermediate CA Certificate and save these to your server where you plan to install the certificate.

Import the SSL Certificate into the keystore

1. In the command prompt enter the following command:
   keytool -import -alias your_alias_name -trustcacerts -file ssl_certificate.p7b -keystore your_keystore_filename
   Note: The alias name and keystore name in the command must be the same as the ones used during the creation of the private key and certificate signing request (CSR)

Configure Web Container

1. If you are utilizing Tomcat please locate the section in the Tomcat server.xml configuration file that starts with, "Uncomment this for SSL support". Uncomment the following code, and enter the location of your server key.
   
   value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
   value="8443"/>
   value="org.apache.tomcat.net.SSLSocketFactory" />
   
   
   


2. Copy the JSSE jars to the $TOMCAT_HOME/lib directory

1. If you are utilizing Jetty please locate the section in the $JBOSS_JETTY_HOME/conf/jetty/jetty.xml configuration file that starts with, "Uncomment this to add an SSL listener". Uncomment the following code, and enter the location of your server key.
   
   
   
   8443
   5
   255
   50000
   /etc/server.keystore
   changeit
   changeit
   
   
   


2. Start JBoss

1. Start JBoss and go to https://your-server-name.your-domain:8443 to test your SSL configuration

The following steps are for your SSL certificate supplied by the CA

1. Download and copy your [CertificateBundle.pem] to your server.


2. You need to edit the NGINX Virtual host file to point to your new certificate and private key.
   Please edit the following to fit your situation:
   Your ssl_certificate from step 1
   Your ssl_certificate_key from your previously generated CSR
   
   server
   {
   listen 443;
   server_name www.mywebsite.com;
   ssl on;
   ssl_certificate /path/to/SSL/CertificateBundle.pem;
   ssl_certificate_key /path/to/SSL/private.key;
   }


3. Restart your NGINX server by entering the following command:
   sudo /etc/init.d/nginx restart

After you have your downloaded Certificate Bundle, which comes as a [.pem] file continue through the following steps

• It is recommended you manually type this into your terminal and not copy and paste it as the formatting could change
•  A prompt will appear asking for a keystore password.
•  A prompt may appear asking if you want to trust the certificate, enter [yes]
•  Upon successful installation, you will see [Certificate reply was installed in keystore]

1. Save a copy of your original server.xml file in the event that a restore is needed
2. Open your server.xml file located in the conf folder of the home directory
   You will see a section that looks like the following: 
   keyAlias="server" keystoreFile="yourkeystore.jks" keystorePass="your_keystore_password" />
   You will need to enter your specific information into the underlined fields that are bolded.
3. Restart your Tomcat Server to complete the installation process for your Certificate