A certificate chain is used to establish a chain of trust from a peer certificate to a trusted CA certificate. Each certificate is verified using another certificate, creating a chain of certificates that ends with the root certificate. The issuer of a certificate is called a certification authority (CA). The owner of the root certificate is the root certification authority. The last certificate in the chain is usually a self-signed certificate.
EFT Server supports full certificate chains, which is a single file with a combination of all certificates in the chain. Usually, you will receive this file from a signing authority. Otherwise, you can create the chain manually, as described below, or ask the GlobalSCAPE Technical Support team to create one for you.
To create the chain, the general steps include:
You must have the following certificates:
Client/server certificate signed with the intermediate CA certificate
One (or more) intermediate CA certificates
A root CA certificate
Download the OpenSSL command line utility, available free from http://www.openssl.org/related/binaries.html.
Run the x509 command on a certificate file, outputting the text version of that file. (Refer to the example below.)
Redirect the output into a combined file as a concatenated block of text.
For example, suppose you created a certificate in EFT Server called "mycert.crt" (and it has the associated private key "mycert.key"), then sent the CSR file ("mycert.csr") to Verisign, who sent you the following:
Signed certificate ("mycert_Signed.crt")
Intermediate certificate ("Verisign_Intermediate.crt")
Root certificate ("Verisign_Root.crt").
To combine these into a single file that EFT Server supports, use the following commands in OpenSSL:
c:\> openssl x509 -inform PEM -in "mycert_Signed.crt" -text > mycert_combined.crt
c:\> openssl x509 -inform PEM -in "Verisign_Intermediate.crt" -text >> mycert_combined.crt
c:\> openssl x509 -inform PEM -in "Verisign_Root.crt" -text >> mycert_combined.crt
You now have a certificate file that EFT Server can use to deploy the entire chain.
The way you access the intermediate and root certificates, as well as the format of those certificates, might differ between signing authorities. |