Download and Combine the Signed Identity Certificate (OpenSSL)

Last Updated: Apr 19, 2022
  1. After approval and generation, receive/download the certificate files from the CA. There should be two or more files:

    • The signed identity certificate which needs to be in PEM format.

    • Zero, one or more intermediate certificates which need to be in PEM format.

  2. If there are download options, selecting 'Other' or 'Apache' should provide the correct format.

  3. Copy all to the original CSR directory. Rename the identity certificate to the domain name with a .crt extension.

  4. The root certificate should be downloaded in PEM and DER format and put aside for later distribution to IP Office systems.

  5. If there is more than one intermediate certificate file: in the original CSR directory, combine all the intermediate certificate files into one file using the single command line:

    • cat intermediate1.crt intermediate2.crt intermediate3.crt > intermediates.crt

  6. In the original CSR directory, join the files into a single PKCS#12 file along with the intermediate certificate file using the single command line:

    • openssl pkcs12 -export -in example.crt -certfile intermediates.crt -inkey example.key -out example.p12

  7. When prompted 'Enter pass phrase for example.key', enter the password used to secure the private key file when creating the CSR.

  8. When prompted 'Enter Export Password', a strong password should be used to secure the output PKCS#12 file. This password is requested when later importing into IP Office.

  9. Review the PKCS#12 with the command line: openssl pkcs12 -info -in example.p12

  10. The identity certificate, private key and all intermediates should be present.

  11. The ID certificate file example.p12 and intermediates.crt can now be imported into the IP Office deployment using IP Office or IP Office Web Manager. See the relevant documentation and Implementing IP Office PKI for more information.

  12. The example.key, example.p12, root and intermediate certificate files should be retained and used for recovery purposes.

    • Note: A password is always required to open the PKCS#12 and key file.
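
The checks around steps 5 to 10, as an added example that is not part of the original page: it confirms that the private key matches the identity certificate and that the chain verifies before the PKCS#12 is built, then checks that the bundle holds the identity certificate, every intermediate and the matching key. The file name root.crt (the PEM root from step 4), the KEY_PASS and P12_PASS environment variables, and the make_demo_pki helper that generates constructed test certificates are assumptions.

```shell
#!/bin/sh
# Added example. root.crt, KEY_PASS and P12_PASS are assumed names.

# Constructed demo chain (root -> intermediate1 -> example) for a dry run.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root intermediate1; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -subj "/CN=demo $n" -out "$n.csr"
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt
    openssl x509 -req -in intermediate1.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out intermediate1.crt
    openssl req -new -newkey rsa:2048 -keyout example.key \
        -passout env:KEY_PASS -subj "/CN=example.com" -out example.csr
    openssl x509 -req -in example.csr -CA intermediate1.crt \
        -CAkey intermediate1.key -CAcreateserial -days 2 -out example.crt
} 2>/dev/null

# Before step 6: certificate and private key must carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in example.crt -noout -pubkey) || return 1
    k=$(openssl pkey -in example.key -passin env:KEY_PASS -pubout) || return 1
    [ "$c" = "$k" ]
}

# Before step 6: example.crt must chain through intermediates.crt to the root.
chain_verifies() {
    openssl verify -CAfile root.crt -untrusted intermediates.crt example.crt >/dev/null 2>&1
}

# Steps 6-8 with the pass phrases read from the environment, not prompts.
build_p12() {
    openssl pkcs12 -export -in example.crt -certfile intermediates.crt \
        -inkey example.key -passin env:KEY_PASS \
        -out example.p12 -passout env:P12_PASS
}

# Steps 9-10: identity certificate, all intermediates and a matching key.
p12_complete() {
    want=$(( $(grep -c 'BEGIN CERTIFICATE' intermediates.crt) + 1 ))
    have=$(openssl pkcs12 -in example.p12 -passin env:P12_PASS -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE')
    k=$(openssl pkcs12 -in example.p12 -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ "$have" -eq "$want" ] &&
        [ "$k" = "$(openssl x509 -in example.crt -noout -pubkey)" ]
}
```

For a dry run, export KEY_PASS and P12_PASS, call make_demo_pki in an empty directory and create intermediates.crt as in step 5. Then call the remaining functions in the order shown; each returns non-zero when its check fails.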