SSL certificate installation guide
SSL/TLS certificates secure digital communication through encryption and authentication, requiring a Certificate Authority (CA) for issuance. Installation involves uploading certificate files and configuring servers, with specific instructions for platforms like Zimbra, Nginx, Tomcat, and more. Prior steps include generating a CSR and choosing the right SSL type, while post-installation actions focus on testing, monitoring, and renewal. Trusted CAs like Sectigo simplify the process with guidance and diverse SSL options.
Table of Contents
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates, TLS being the modern protocol, secure digital communication through encryption and authentication. These certificates can be obtained through a certificate authority (CA), who is responsible for verifying identities and ultimately, issuing requested certificates.
Once issued by a CA, SSL/TLS certificates must be installed to become active. This installation process transitions the certificate from the enrollment stage to the provisioning stage of the certificate lifecycle, enabling it for active use. Once installed, certificates enable secure data encryption and move into the monitoring stage, ensuring ongoing security until renewal is needed.
While certificate installation is a technical process, it doesn’t have to be overwhelming. This guide provides a comprehensive breakdown of SSL certificate installation, including detailed instructions for various servers and platforms, along with insights into the roles of certificate signing requests (CSRs) and public keys in the installation process.
What’s needed prior to installation?
Certificate signing requests (CSRs) play a critical role in the early stages in the SSL certificate lifecycle, including request, enrollment, and issuance. These must be created and submitted at the beginning of the process and, without them, installation will not be possible. These encrypted messages contain crucial information about the individuals or organizations who seek SSL/TLS certificates.
Essentials for identifying the requester include:
One or more Subject Alternative Names (SANs), which reveals a specified location within the Domain Name System (DNS).
An organization name, such as an official company name, for OV and EV certificatesThe legal address in which the organization is located.
(optionally) The email address used by — or associated with — the requesting organization.
Creating a CSR automatically generates a public key, which functions as half of the key pair needed for SSL certificates. Once equipped with the CSR's information, the CA should be prepared to create the requested certificate.
Another key step prior to installation? Determining which type of SSL certificate will actually be installed. There are several options available, but this decision will ultimately come down to the level of validation needed. In addition to exploring extended validation (EV), which offers the highest level of validation, organization validation (OV), and domain validation (DV) certificates, you must also understand the additional options including single domain, wildcard, and multi-domain SSL certificates.
How to install an SSL certificate
Before you can install your SSL certificate, you must submit the CSR to the CA, which may provide specific instructions for completing domain validation.
Once validation is complete, the CA will send the SSL certificate files. These may include multiple files, such as the certificate itself and the intermediate certificate that links the root certificate to end-user certificates, establishing trust without exposing the root certificate directly. For most servers, the next step involves uploading the certificate files and then editing the configuration files as needed.
Instructions for SSL installation for different servers/platforms
The SSL installation process can play out differently with various services and platforms. To that end, you'll want to follow server-specific instructions to ensure that the certificate is installed correctly. We've highlighted a few examples of installation procedures below:
Zimbra. Access the Zimbra Admin Console before selecting Configure, followed by Certificate. Next, select Install Certificate. Use the Certificate Installation Wizard to select the target server and the option for installing the "commercial signed certificate." Upload the files before clicking Install.
Nginx Webserver. You will receive a 'ca-bundle' file via ZIP. Use the command cat domain_com.crt domain_com.ca-bundle > ssl-bundle.crt to concatenate the certificate file and the CAbundle. Next, store the bundle and the private key in the relevant nginx ssl folder. Consider using OCSP Stapling to boost the SSL handshake speed. Check for syntax errors and then restart the server.
Tomcat KeyStore. Begin with the command keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore your_site_name.jks. A confirmation should reveal that the certificate reply was installed. Confirm that you want to trust the certificate. To configure, open the Tomcat server.xml file in a text editor. Find the connector that the keystore will secure. Specify the keystore filename and password. Save changes in the server.xml file and restart Tomcat.
Outlook Web Access. Open Internet Services Manager followed by Properties. Select Directory Security and Server Certificates. In Pending Certificate Request, select the option to process the pending request. Find the previously received certificate in Process a Pending Request. View the certificate summary and click Next. Install the intermediate certificate and enable SSL for Outlook Web Access. This involves the Exchange directory, and specifically, the Directory Security tab. Click Edit in Secure Communication. Check the relevant box for Require Secure Channel (SSL).
This is just a small sample of the many different processes that may be followed when installing SSL/TLS certificates. Sectigo provides easy access to a wealth of server and platform-specific instructions, including the following:
Next steps
As you select your SSL certificates, be mindful of what happens after they are deployed: they will need to be tested and, eventually, renewed.
Various command-line tools (such as OpenSSL) can confirm that SSL/TLS certificates have been installed correctly. These tools may also check for vulnerabilities. Following a successful test, monitoring is recommended to ensure that any new vulnerabilities are promptly revealed and addressed.
The current SSL certificate lifespan typically extends 397 days; however, browsers and CAs are preparing for reduced validity periods, potentially down to 47 days by 2028, as proposed by Apple . As such, you will want to have a firm grasp of exactly how long your certificate will remain valid and what it will take to renew it.
If you encounter issues during or after installation, consult your certificate authority for support. In addition to providing the actual SSL certificate, the CA will ideally offer guidance, including not only detailed instructions for installing certificates, but also troubleshooting and other support services.
Trust Sectigo with your SSL certificate needs
Choosing the right CA is crucial for ensuring a seamless installation process and making the most of your SSL/TLS certificates once they are installed. Stick with a trusted CA that has a strong track record and a reputation for working closely with customers.
Sectigo offers digital certificates to suit every type of organization. We offer everything from single SSL certificates to wildcard and multi-domain options. What's more, we accommodate many levels of validation. Feel free to browse our products — or get in touch to discover how various types of SSL/TLS certificates can enhance your security strategy.
Related posts:
7 different types of SSL certificates explained
DV, OV, & EV SSL certificate validation levels explained
The evolving SSL/TLS certificate lifecycle & how to manage the changes