If you are renewing your certificates please redirect to:

Approved Certificate Authorities (CA's) to Obtain a New SSL certificate or Renew/Replace an existing SSL Certificate

Keep in mind that you do not have to use the same private key upon renewal of your certificates. A new private key can be generated. 

If you already have your private key and server.crt generated, you should scroll down the page to "CREATING THE ISSUER.CRT".



1. Download the OpenSSL binary for Windows at the URL below and install OpenSSL at the default location on a computer running Microsoft Windows 7 64 bit, Server 2003, Server 2008, or Server 2012. 

2. Generate 2048-bit RSA key pair using the CLI command: 

Windows 7+, Server 2008, Server 2012: "c:\program files (x86)\gnuwin32\bin\openssl" genrsa -f4 -out host.key 2048 

3. Start generation of the CSR (Certificate Signing Request) using this CLI command:

Windows 7+, Server 2008, Server 2012: "c:\program files (x86)\gnuwin32\bin\openssl" req -config "c:\program files (x86)\gnuwin32\share\openssl.cnf" -new -nodes -key host.key -out host.csr 

Follow the CLI prompts and enter the information as requested. 

IMPORTANT: You must use the sitename, as the SSL Certificate’s Common Name. You should enter the Organization Name (your company name). Your Certificate Authority provider may require you to enter information in other fields to process the CSR. 

4. Send the host.csr file to an approved certificate authority. 

NOTE: Make sure you ask the Certificate Authority to provide the certificate file in PEM format, which is supported by Apache. The approved certificate authority will send a certificate file to you in return. 

5. Open your private key file (host.key) and copy its contents. Open your certificate file and paste the contents of the private key file to the end of the certificate file. Save this file as server.crt. Create a backup of this file and the original certificate file by copying them to a secure location.



1. Double Click the Server Certificate (server.crt) to open with Windows CryptoShell Extensions.

2. Navigate to the Certification Path tab.

3. Open the Root Certificate by Double Clicking

Please note: You can also check the Details tab to determine if the Certificate is SHA1 or SHA2. Legacy Devices like the S100 and X200 only support SHA1 roots. 

4. Search for the Root Certificate name on your certificate authorities' website and download it in PEM format.

5. Paste the PEM format to a text file editor.


1. Open up Intermediate Certificate as you did with the Root Certificate.

2. Search for the Intermediate Certificate name on your certificate authorities' website and download it in PEM format.

3. Paste the Intermediate Certificate in the same text file (above the Root Cert).

4. Please ensure Root Certificate is located at the bottom of the issuer.crt.

5. Save the text file as issuer.crt - MAKE SURE there are no spaces inside of the document. 

Compare the Certificates to assure that the Issued by on the server.crt matches the Issued to on issuer.crt. See Image.