Prerequisites - Certificates

Certificates are needed to establish secure communication links via HTTPS.

Certificates are used to verify the communication partner and to encrypt the data during transfer over a network.

Request all the necessary certificates first.

You receive certificates from certification authorities. Your company might even have its own certification authority.

For security reasons, please do not use any self-signed certificates.

You must have at least a root certificate in X.509 format (∗.CRT / ∗.CERT) on the server and on all clients.

If your company uses intermediate certificates for certain departments, you will also need all corresponding intermediate certificates in the chain of trust for the server in each of these departments.

For the Internet Information Services (IIS) on the server, you will also need a server certificate in the format PKCS#12 (∗.PFX / ∗.P12), which contains the certificates of the entire chain of trust and the private key of the server.

The fully qualified domain name (FQDN) must be specified as the Common Name (CN) in the server certificate.

Therefore, if the server is part of a domain, the domain must also be contained in the host name of the certificate.

Example: Chain of trust

A chain of trust is a series of certificates in which each certificate is derived from the one above it.

A full chain of trust has the following structure:

  • (Your root CA certificate) (X.509 certificate (∗.CER, ∗.CRT))
    • (Your intermediate CA certificate) (X.509 certificate (∗.CER, ∗.CRT))
      • (Your further intermediate CA certificate) (X.509 certificate (∗.CER, ∗.CRT))
        • (...)
          • Your server certificate (Personal Information Exchange (PKCS#12 Certificate (∗.PFX, ∗.P12)))

The derived certificates must be verifiable up to the root certificate through the chain of trust.
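
One way to check a server PFX against the requirements above before installing it in IIS. This is an added example, not code from the original documentation. The function name `Test-ServerPfx` and its parameters are hypothetical, and it assumes Windows PowerShell 5.1 or later on the machine whose trust store should be tested.

```powershell
# Added example: Test-ServerPfx, -PfxPath and -ExpectedFqdn are hypothetical names.
function Test-ServerPfx {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [string]       $ExpectedFqdn,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Load every certificate stored in the PKCS#12 file.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $certs.Import((Resolve-Path $PfxPath).Path, $plain, 'DefaultKeySet')

    # The server certificate is the entry that carries the private key.
    $server = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $server) { throw "No certificate with a private key found in $PfxPath" }

    # Build the chain without revocation lookups, offering the PFX contents as candidates.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.ExtraStore.AddRange($certs)
    $trusted  = $chain.Build($server)
    $elements = @($chain.ChainElements | ForEach-Object Certificate)
    $root     = $elements[-1]
    $inPfx    = @($certs | ForEach-Object Thumbprint)

    [pscustomobject]@{
        Subject          = $server.Subject
        # CN must equal the FQDN (PowerShell -eq compares strings case-insensitively).
        CnMatchesFqdn    = $server.GetNameInfo('SimpleName', $false) -eq $ExpectedFqdn
        HasPrivateKey    = $server.HasPrivateKey
        ChainLength      = $elements.Count
        # A complete chain ends in a certificate whose subject equals its issuer.
        EndsInRoot       = $root.Subject -eq $root.Issuer
        # True only if the root is in a trusted root store on this machine.
        ChainTrustedHere = $trusted
        # Chain members resolved from local stores that the PFX itself does not contain.
        MissingFromPfx   = @($elements | Where-Object { $inPfx -notcontains $_.Thumbprint } |
                             ForEach-Object Subject)
        ChainStatus      = @($chain.ChainStatus | ForEach-Object Status)
    }
}

# Example call; the path and host name are placeholders:
# Test-ServerPfx -PfxPath .\server.pfx -ExpectedFqdn 'server01.example.com' `
#     -Password (Read-Host -AsSecureString 'PFX password')
```

A PFX that meets the requirements reports `CnMatchesFqdn`, `HasPrivateKey`, `EndsInRoot` and `ChainTrustedHere` as `True` and an empty `MissingFromPfx`.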