If you have any questions about the following, please contact us.
SHA2 Certificates: The SHA2 certificates issued by the ITS Secure Certificates service since mid-October 2014 are supported by WebAccess. Be sure to install the two new Intermediate CA certificates that accompany them. Note that one of the new ones, “InCommon RSA Server CA”, has a name very similar to a previous Intermediate CA, “InCommon Server CA”. (The other is “USERTrust RSA Certification Authority”.) Copies are available; see below.
The hash values listed below are for OpenSSL versions prior to version 1.x. See WebAccess: certificate hash values and OpenSSL 1.x for details about newer versions.
Many Public Key Infrastructure (PKI) certificates are signed by an Intermediate Certificate Authority (CA); the functions of PKI software like Cosign require that a copy of the Intermediate CA certificate be available to the software which is using that signed certificate.
The certificates available for purchase via the ITS Secure Certificates service use at least one Intermediate CA.
Additionally, you still need a copy of the root CA certificate (which signed the webaccess.psu.edu certificate) on your web server, to verify the validity of the webaccess.psu.edu certificate.
Instructions for Cosign Filters
IIS 5/6 (IISCosign), Apache (mod_cosign)
The directory (folder) listed as
- IIS: The value of <CAFilePath> (Default:
- Apache: 3rd parameter of the CosignCrypto directive.
needs a readable copy (check permissions) of that Intermediate CA certificate in X.509 (PEM — BASE64) format, similar to the root CA certificate. Also, the file needs to be named (or symlinked on Unix-type systems) with its OpenSSL hashed value with a “.0” (dot-zero) appended. That hashed file name value is 84df5188.0 for the Comodo Intermediate CA certificate named “InCommon Server CA”, used by the ITS Secure Certificates service. A copy of that file is linked at the bottom of this web page.
The Intermediate certificate should be the only one in the file; bundles of certificates may not work.
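The naming rule above can be checked without OpenSSL installed. The following is an added example, not part of the original page or of Cosign: it refuses a PEM file that holds more than one certificate, computes the pre-1.x hashed file name (the first four bytes of the MD5 digest of the DER-encoded subject name, read little-endian, which is what `openssl x509 -subject_hash_old` prints on OpenSSL 1.x), and creates the “.0” symlink. The function names `subject_der`, `legacy_hash_name` and `link_ca` are hypothetical.

```python
import base64, hashlib, os, re, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(cert):
    """Return the DER bytes of the subject Name of a DER certificate."""
    _, pos, _ = _tlv(cert, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)             # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(4):                 # serial, sig alg, issuer, validity
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)             # subject Name
    return cert[pos:end]

def legacy_hash_name(pem_text):
    """Pre-1.x lookup name: MD5(subject DER)[:4], little-endian, plus '.0'."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:                    # bundles may not work: refuse them
        raise ValueError(f"expected 1 certificate, found {len(blocks)}")
    cert = base64.b64decode("".join(blocks[0].split()))
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def link_ca(pem_path, ca_dir):
    """Symlink ca_dir/<hash>.0 to the PEM file; return the link path."""
    with open(pem_path) as f:               # fails if this user cannot read it
        name = legacy_hash_name(f.read())
    link = os.path.join(ca_dir, name)
    if not os.path.lexists(link):           # leave an existing entry untouched
        os.symlink(os.path.abspath(pem_path), link)
    return link

if __name__ == "__main__":                  # usage: script.py CA.pem CA_DIR
    print(link_ca(sys.argv[1], sys.argv[2]))
```

Run it as the account the web server uses so that the read check reflects the permissions the filter will actually have.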
IIS 7 (CosignModule)
A copy of the Intermediate CA certificate needs to be imported into the Windows Certificate Store, under Certificates -> Intermediate Certificate Authorities -> Certificates.
The Microsoft Management Console (mmc.exe) with the Certificate add-on can perform the import of a separately packaged Intermediate CA file. However, the ITS Service (above) provides download links which package both your newly signed certificate and a copy of the Intermediate CA, which allows easy installation of both.
The mmc certificate add-on can import the certificate file in either PKCS #7 format or PEM format (see the copies below; note that the file’s extension must be “.crt” for mmc to find it).
Where to obtain the Intermediate CA
You should, for security reasons, only download a copy of the Intermediate CA from the entity that created it (e.g., Thawte or Comodo). However, copies of Intermediate CA certificates, in X.509 format, are available locally: