Upload a third-party certificate and trust chain

Before you begin

After you obtain the CSRs, and submit them to your CA, your CA returns a signed certificate to you. CAs will allow you to submit one CSR and have a certificate issued from that CSR. Then most CAs will allow you to perform a "reissue" to upload the second CSR. This "reissue" process avoids having to purchase two separate certificates from the CA, and it avoids having to perform validation twice.
You must then upload the certificate and any other files that your CA sent you into CPS. The certificate and trust chain that your CA provides you with must be in PEM format before you can use it in CPS. A PEM certificate is a base64 encoded ASCII file and contains ----BEGIN CERTIFICATE-----and -----END CERTIFICATE----- statements. If your CA provides you with a certificate that is not in PEM format, you can convert it to PEM format using an SSL converter.

How to

To upload the signed certificate and trust chain:

  1. Choose Upload Certificate and Trust Chain from the Actions menu next to your certificate on the CPS landing page.

    The Upload Third-Party Certificate and Trust Chain screen appears.

  2. To upload an ECDSA (if applicable) or an RSA Certificate:

    1. Click Upload to navigate to Upload Your Certificate and Trust Chain information screen.

    2. Select one of the options:

      • Copy/Paste. Paste the certificate provided by CA in PEM format.

      • Upload. Click Browse to browse to the signed certificate that you received from your CA, or drag and drop the file onto the screen.

    3. The added certificate(s) appear as {number} Cert Uploaded in the upper right corner of the Add ECDSA Certificate/Add RSA Certificate section. Click it to view the Certificate(s) details.

  3. To upload an ECDSA/RSA Trust Chain (optional for existing certificates):

    1. Click Upload to navigate to Upload Your Certificate and Trust Chain information screen.

    2. Select one of the options:

      • Copy/Paste. Paste the certificate provided by CA in PEM format.

      • Upload. Click Browse to browse to the certificates that you received from your CA, or drag and drop the file onto the screen. You can select multiple files at the same time.

    3. The added trust chain(s) appear as {number} Trust Chain Uploaded in the upper right corner of the Add ECDSA Trust Chain/Add RSA Trust Chain section. Click it to view the Trust Chain(s) details.

    ūüďė

    Certificate or trust chain removal

    If you wish to remove an uploaded certificate and/or a trust chain, you can either remove specific ones in detail view windows (i.e. {...} Uploaded items), or remove all of them at once by clicking X in the upper right corners of Add ECDSA Certificate/Add RSA Certificate or Add ECDSA Trust Chain/Add RSA Trust Chain sections respectively.

    ūüďė

    Should I include the root certificate in the trust chain?

    Including the root certificate in the trust chain is not recommended. CPS will present to connecting browsers and TLS clients the leaf certificate and trust chain in their entirety. Browsers and TLS clients expect to receive only the necessary intermediates as the trust chain, and not any root certificates that are already present in their trust stores.

  4. Certificate(s) and/or trust chain(s) upload triggers validation and returns warnings in case any error is detected. If there are no warning messages, click Done in each section to confirm the uploads.

  5. Click Check and Add.

    • If an error is returned, upload the corrected certificate again.

    • If a success message is returned, you will be automatically redirected to the landing page.

Your certificate still shows the In Progress icon in the Receiving certificate column on the Landing Page. CPS uses the network settings you specified when you created the certificate to deploy the certificate to the network. This may take a few minutes.


Did this page help you?