Appboard/old/intermediate ca certs
Overview
An intermediate certificate is the certificate, or certificates, that go between a certificate (e.g. your personal CAC certificate) and a root certificate. The intermediate certificate, or certificates, along with the root certificate are needed to validate a personal CAC certificate using an OCSP server.
Intermediate Certificate file can be either in p7b (binary format) or crt (base 64 encoded format). The other popular certificate file extension is cer (base 64 encoded format).
The file extensions .CRT and .CER are interchangeable. You can change the extension by following the steps below:
Double-click on the yourwebsite.crt file to open it into the certificate display. Select the Details tab, then select the Copy to file button. Hit Next on the Certificate Wizard. Select Base-64 encoded X.509 (.CER), then Next. Select Browse (to locate a destination) and type in the filename yourwebsite. Hit Save. You now have the file yourwebsite.cer
For enPortal's PKI solution, both formats are required. A p7b format is read by edge provided PKI module to validate a personal CAC certificate using OCSP server. A crt format is used by web server (Apache) to validate a client certificate during the SSO handshaking process.
Instructions to generate a p7b format Intermediate Certificate file
- step 1 - Start Internet Explore, go to Tools > Internet Options > Content > Certificates > Intermediate Certification Authorities.
- step 2 - Select all DOD CA certificates except those with "root" in the name and click the Export button. Click Next.
- step 3 - Certificate Export Wizard begins. Choose "Cryptographic Message Syntax Standard - PKCS #7 Certficates" format. Click Next.
- step 4 - Enter a file name (e.g. IntermediateCACerts.p7b) and click Next. Click Finish to export, and click OK to close the "The export was successful." box.
- step 5 - Place this file in the directory specified by "cac.authentication.caChainCert" in pkg-cac.properties file. The implied root directory is where edge provided PKI module (edge-cac.jar) resides. It is by convention "${PortalHome}/classes-custom" directory. If the value of "cac.authentication.caChainCert" is "/certs/IntermediateCACerts.p7b", place the file in "${PortalHome}/classes-custom/certs" directory.
Instructions to generate a crt (base 64 encoded) format Intermediate Certificate file
- step 1 - Start Internet Explore, go to Tools > Internet Options > Content > Certificates > Intermediate Certification Authorities.
- step 2 - Select a DOD CA certificate and click the Export button. Click Next.
- step 3 - Certificate Export Wizard begins. Choose "Base-64 encoded X.509" format. Click Next.
- step 4 - Enter a file name (e.g. CA11.cer) and click Next. Click Finish to export, and click OK to close the "The export was successful." box.
- step 5 - Repeat step 2 to step 4 to export all the Intermediate CA individually.
- step 6 - Concatenate all the certificates into a one single file. For example, in Windows's command prompt run this command..
copy /b ca19.cer+ca20.cer+...+ca24.cer IntermediateCACerts.crt
In Unix, use the following command.
cat ca19.cer ca20.cer ... ca24.cer > IntermediateCACerts.crt
- step 7 - Place IntermediateCACerts.crt in "${PortalHome}/httpd/apache-integration/conf/ssl.crt" directory