4. Certificate Checkout

Checking out a certificate can be seen as simply exporting it in the specified format, with some other options available depending on the certificate itself.

TrustView has a specific set of checkout formats, which may differ depending on whether an SSL, OCES or some other type of certificate is being checked out. SSL certificates generally have more checkout formats available in TrustView, because a wider range of formats is often required compared to OCES or other types of certificates.

Important

To be able to check out a certificate from TrustView with the private key, TrustView must have the private key stored (if stored, the private key will always be stored encrypted in the database). If the certificate is ordered with a Certificate Signing Request (CSR), the private key can be manually added later.

Note

If you need other checkout formats, contact our Support and we may be able to add them. It is also possible to convert the format on your own with a tool such as OpenSSL.

4.1. Checkout formats (with private key)

4.1.1. PFX and PKCS12

PKCS12 is also known as PFX, and the two names can be used interchangeably. This format contains private keys, public keys and X.509 certificates. It stores them in a binary format. The standard extension for this format is .pfx or .p12.

For more details about this format, see: RFC 7292.

4.1.2. PEM

This format contains private keys, public keys and X.509 certificates. It is the default format for OpenSSL. It stores the data in either ASN.1 or DER format, surrounded by ASCII headers, so it is suitable for sending files as text between systems. A file can contain multiple certificates. The standard extension is .pem.

4.1.3. JKS

A JKS file is an encrypted security file used to store a set of cryptographic keys or certificates in the binary Java KeyStore format. The standard extension is .jks.

4.1.4. DER

This format contains private keys, public keys and X.509 certificates. It is headerless and is the default format for most browsers. A file can contain only one certificate. Optionally, the certificate can be encrypted. The standard extension is .cer or .der.

4.2. Checkout formats (without private key)

4.2.1. PEM

Same as above, but does not contain any private keys.

4.2.2. DER

Same as above, but does not contain any private keys.

4.2.3. PKCS7

This is the Cryptographic Message Syntax Standard. A file can contain multiple certificates. Optionally, they can be hashed. This format does not contain a private key. As well as the original PKCS #7, there are three revisions: a, b, and c. The standard extensions for these four versions are .spc, .p7a, .p7b and .p7c respectively.

4.3. Download certificate parts individually

At the bottom of the Certificate details section, it is possible to download individual parts of the certificate:

  • SSL certificate

  • Intermediate certificate

  • Root certificate

Each part can be downloaded in either PEM or DER format.

Note

When downloading a certificate part in .der format, the file extension is shown as .cer. It can be changed by renaming the file to end in .der, which is the same format. The .cer extension stands for Certificate, and the file still contains DER-encoded data.

4.4. Certificate checkout - Without private key

A general option for the checkout methods without private key is Include certificate chain, which allows the full certificate chain (Root, Intermediate and SSL) to be exported. If the option is not checked, only the SSL certificate part of the certificate will be included.
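Two points from the sections above can be checked on the exported file itself: the extension does not determine the encoding (.cer and .der hold the same DER data), and a checkout without private key should carry only certificates, three of them when the chain is included. The following Python sketch is an added example, not TrustView code; the function names are hypothetical and the sample blobs are constructed placeholder ASN.1 bytes, not real certificates.

```python
import base64
import re

# PEM armour: a label between BEGIN/END lines around a Base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect_checkout(data: bytes) -> dict:
    """Classify an exported file by its content, not by its extension."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    if blocks:
        labels = [label for label, _ in blocks]
        return {
            "encoding": "PEM",
            "certificates": labels.count("CERTIFICATE"),
            # Matches PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
            "has_private_key": any(lb.endswith("PRIVATE KEY") for lb in labels),
            # Each PEM body is the Base64 text of one DER object.
            "der_blobs": [base64.b64decode("".join(b.split())) for _, b in blocks],
        }
    if data[:4] == bytes.fromhex("feedfeed"):  # Java KeyStore magic number
        return {"encoding": "JKS", "certificates": None,
                "has_private_key": None, "der_blobs": []}
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: .der, .cer, .pfx, .p7b
        # Contents need a real ASN.1 parser, so they are reported as unknown.
        return {"encoding": "DER", "certificates": None,
                "has_private_key": None, "der_blobs": [data]}
    return {"encoding": "unknown", "certificates": None,
            "has_private_key": None, "der_blobs": []}


def make_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample data: a tiny ASN.1 SEQUENCE standing in for real objects.
FAKE_DER = bytes.fromhex("3003020101")
CHAIN_ONLY = (make_pem("CERTIFICATE", FAKE_DER) * 3).encode()
WITH_KEY = (make_pem("ENCRYPTED PRIVATE KEY", FAKE_DER)
            + make_pem("CERTIFICATE", FAKE_DER)).encode()

if __name__ == "__main__":
    for name, blob in [("chain.pem", CHAIN_ONLY), ("key.pem", WITH_KEY),
                       ("cert.cer", FAKE_DER)]:
        info = inspect_checkout(blob)
        print(name, info["encoding"], info["certificates"], info["has_private_key"])
```

Running the same check on a file before it is attached to an e-mail confirms that a PEM export intended to be key-free really contains only CERTIFICATE blocks.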

4.4.1. Download certificate file

Using this method allows the certificate to be downloaded as a separate file, in the specified format and handled accordingly.

Select this option to download and manually distribute the certificate

4.4.2. Send certificate by mail

This method allows the certificate to be sent in an e-mail to a designated receiver. Under the Advanced options, there are several options available to circumvent the file format blockage that some e-mail clients provide for security purposes (for more details, take a look here). These options include changing the file extension (which can then just be changed back after the certificate has been sent and received) and packaging the certificate in a zip file, which can optionally be password protected.

4.5. Certificate checkout - With private key

4.5.1. Download and manual distribution of password

If you want to download the certificate (in your preferred format) and manually distribute the password (for the private key) and certificate, choose this checkout option.

Important

Before pressing Perform checkout, it is recommended to save the password somewhere, since it will not be available in a separate file after the checkout has been completed.

4.5.2. Download and send password in an email

Choose this checkout method to download the certificate and handle distribution and deployment manually. The password for the associated private key will be sent as an e-mail to the designated receiver.

4.5.3. Download and send password via SMS

This checkout method will download the certificate and send the private key password via SMS.

Note

If you experience an error or issue with this checkout method, it may be because the backend connection or SMS system is down. Check under Systemstatus in the left menu of TrustView, if in doubt.

4.5.4. Send certificate using e-mail and manual distribution of password

This checkout method allows the certificate to be sent by e-mail, while the distribution of the password for the associated private key is handled manually.

4.5.5. Send certificate using e-mail and password in a separate e-mail

This checkout method can be used to distribute the certificate and password of the associated private key by e-mail.

Select this option to send the certificate via e-mail and the password in a separate e-mail

4.5.6. Send certificate using e-mail and password using SMS

If you want to send the certificate via e-mail and send the password for the associated private key via SMS, choose this checkout option.

4.5.7. Get certificate via self-service page

This checkout method generates a URL that can be distributed to specific contacts. The number of times the certificate can be downloaded from the URL can be limited to a set number.

This allows the receiving party to access the certificate without having access to TrustView.

It is also possible to specify an expiration date for the download link, so that it becomes invalid after the set date.

4.6. History

The history provides an overview of each certificate checkout, with details such as the timestamp, file type and comment of each checkout.