Frequently Asked Questions

Process FAQ

To order EV certificates from DarkMatter CA, the requesting organisation and domains must be validated and approved according to the relevant policies and procedures. The following documents and information should be provided for DarkMatter to start the validation process:


  1. Complete Application Form - EV certificates
  2. Certificate Holder Agreement
  3. Trade License / Similar Legal Document
  4. Power of Attorney for the authorized signatories of the above documents.

After receiving all the relevant documents along with the application form, DarkMatter shall initiate the vetting process for complete verification of details provided by the applicant to ensure maximum security for users. The process includes the following steps:


  1. Verification of Application
    • Application form must be sent by the authorized requester as mentioned in the Authorization Letter.

  2. Verification of Supporting Documents
    • The content of all supporting documents shall be compared to Official records.

  3. Registration and Approval of Organisation
    • Confirm the Legal, Physical and Operational Existence of the Organisation.

  4. Registration and Approval of Domain
    • Confirm that the Organisation has complete ownership/control over the mentioned domain.

Once the above verifications are complete, DarkMatter shall commence issuance and delivery of the EV certificate.
Please note that this process is compliant with the guidelines specified by CA/B Forum.

To order OV certificates from DarkMatter CA, the requesting organisation and domains must be validated and approved according to the relevant policies and procedures. The following documents and information should be provided for DarkMatter to start the validation process:


  1. Complete Application Form - OV certificates
  2. Certificate Holder Agreement
  3. Trade License / Similar Legal Document

After receiving all the relevant documents along with the application form, DarkMatter shall initiate the vetting process for complete verification of details provided by the applicant to ensure maximum security for users. The process includes the following steps:


  1. Verification of Application
    • Application form must be sent by the authorized requester as mentioned in the Authorization Letter.

  2. Verification of Supporting Documents
    • The content of all supporting documents shall be compared to Official records.

  3. Registration and Approval of Organisation
    • Confirm the Legal, Physical and Operational Existence of the Organisation.

  4. Registration and Approval of Domain
    • Confirm that the Organisation has complete ownership/control over the mentioned domain.

Once the above verifications are complete, DarkMatter shall commence issuance and delivery of the OV certificate.
Please note that this process is compliant with the guidelines specified by CA/B Forum.

To order Individual Certificates from DarkMatter CA, the details (such as name, email, organisation name and domain) in the request must be validated and approved according to the relevant policies and procedures. The following documents and information should be provided for DarkMatter to start the validation process:


  1. Complete Application Form - EU certificates
  2. Certificate Holder Agreement

General FAQ

Wildcard certificates can be issued for OV certificates. According to the guidelines from the CA/B Forum, the use of wildcard certificates is not allowed for EV certificates.

The CA/B Forum specifies the maximum validity of an EV certificate to be 825 days. DarkMatter offers EV certificates with 1 or 2 years validity.

RSA is a cryptosystem used in secure data transmission that relies on large keys to provide strong encryption. RSA keys have been used by many organizations and have strong and well-established backing.

ECC (Elliptic Curve Cryptography) is a cryptosystem used in secure data transmission whose small keys provide strength equal to RSA. The benefit of the smaller keys is lower CPU consumption and lower memory usage, which suits the smaller devices that are becoming more readily available with the IoT.

How to Create a CSR

The following steps are for Apache utilizing OpenSSL


  1. Log in to your server with ssh in your terminal. At the prompt enter the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    where server is the name of your particular server.

  2. This will result in the creation of two files:
    server.key, your private key, which is used for decryption with your SSL Certificate.
    server.csr, your certificate signing request file used to apply for your SSL Certificate.

  3. A prompt will appear for you to enter the [Common Name]. Please enter the FQDN for the site you are securing.

  4. A prompt will appear for the [Organisation Information]. Enter this information; when you are finished, your openssl .csr file will be created.
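
A CSR can be checked locally before it is submitted. The script below is an added example, not part of DarkMatter's instructions: it creates a CSR non-interactively with the same openssl options, then confirms the signature, the RSA key length and the Common Name, and flags wildcard names when the request is for an EV certificate. The function names, the example.test host names and the Example LLC subject are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before sending it to a CA.
# Subject values and file names are constructed placeholders.

# make_csr DIR NAME COMMON_NAME: non-interactive form of the openssl command above.
make_csr() {
    ( umask 077   # keep the new private key unreadable by group and other
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/$2.key" -out "$1/$2.csr" \
          -subj "/C=AE/O=Example LLC/CN=$3" 2>/dev/null )
}

# check_csr FILE MIN_RSA_BITS KIND(ov|ev): prints one finding per line,
# returns 1 if there is any finding.
check_csr() {
    csr=$1 min_bits=$2 kind=$3 rc=0
    # The CSR is signed with the private key. The exit status of -verify differs
    # between OpenSSL releases, so look for the "verify OK" message instead.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "signature does not verify"; rc=1; }
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "key is ${bits:-0} bits, need $min_bits"; rc=1; }
    # RFC2253 output is comma separated without spaces, which is easy to split
    # (values containing escaped commas are not handled by this sketch).
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ -n "$cn" ] || { echo "no Common Name in subject"; rc=1; }
    # Wildcards are acceptable for OV but not for EV (see the General FAQ).
    if [ "$kind" = ev ]; then
        case $cn in
            '*.'*) echo "wildcard CN $cn not allowed for EV"; rc=1 ;;
        esac
        if printf '%s\n' "$text" | grep -q 'DNS:\*\.'; then
            echo "wildcard SAN not allowed for EV"; rc=1
        fi
    fi
    return $rc
}

# Demonstration on throwaway files.
tmp=$(mktemp -d)
make_csr "$tmp" site www.example.test
make_csr "$tmp" wild '*.example.test'
check_csr "$tmp/site.csr" 2048 ev && echo "site.csr: ok to submit as EV"
check_csr "$tmp/wild.csr" 2048 ev || echo "wild.csr: not acceptable as EV"
rm -rf "$tmp"
```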

The following steps are for Microsoft Exchange 2010


  1. Launch your Exchange Management Console
    • [Start] --> [Programs] --> [Exchange Management Console]

  2. Select Manage Database

  3. From here Select [Server Configuration], then [New Exchange Certificate]
    • A prompt will appear asking for a name for the certificate. Enter a name for identification purposes; this will not be the official CSR name

  4. Under [Domain Scope] hit [Next]
    • Please note that Wildcard Certificates are not allowed for EV Certificates

  5. In the [Configuration Menu] for Exchange please select the services that will be secured. Then enter the names via which you connect to those services.

  6. On the next screen you can review a list of suggested names to include in your certificate request. Those suggestions are as follows:
    • The Organisation should be the full legal name of your company as officially registered
    • The Organisation Unit is your department within the organisation responsible for SSL
    • If you are in an area that does not have a State/Province, enter the city information again

  7. Click [Browse] to save your CSR locally to your computer as a [.req] file
    • Click [Save]
    • Click [Next]
    • Click [New]
    • Click [Finish]

The following steps are for Internet Information Services Versions 5 & 6


  1. Open Internet Information Services

  2. Select the site that you wish to enable secure communications for.

  3. Right click on the site and select [Properties] from the menu.

  4. Navigate to the [Directory Security Tab] and click [Server Certificate] under [Secure Communications].

  5. This will start the Web Server Certificate Wizard.
    • Click [Next]
    • Select [Create a new certificate] and click [Next]
    • Select [Prepare the request now, but send it later] and click [Next]
    • Enter the certificate name
    • Select the [Key Length (2048)] and indicate if you want to use SGC (Server Gated Cryptography), then click [Next]
    • Enter the [Organisation] and [Organisational Unit] fields, then click [Next]
    • Enter the [Common Name] (Fully Qualified Domain Name). It is imperative that this reflects the web server DNS Name.
    • Enter the [Country/Region] as well as the [City and State]. Please note that abbreviations will not be accepted by the system.
    • Choose your save location for the file and name the file. Then click [Next]
    • Verify the information on the [Request File Summary Screen]. Then click [Next]
    • Click [Finish]

The following steps are for Internet Information Services Versions 7 & 8


  1. Open Internet Information Services

  2. Click on the Server that you wish to edit from the [Connections] menu on the left.

  3. From the center menu double click on [Server Certificates] in the [Security] Section

  4. Select the [Actions] menu from the right and click on [Create Certificate Requests]

  5. The [Request Certificate Wizard] will pop up. Enter the required information in the [Distinguished Name Properties] menu. Then click [Next]

  6. On the [Cryptographic Services Provider Properties] menu leave the default settings as follows:
    • Crypto. Service Provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 2048

  7. Click [Next]

  8. Enter a name for your file and specify a save location for your CSR.

The following steps are for JBOSS

Note: for the following commands the fields inside the [ ] must be changed, excluding the [ ], to match your situation. Example: -keystore [Common Name].jks can be -keystore www.darkmatter.ae.jks


  1. Utilize the following command to create a new Java Keystore file with a private key:
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore [Common Name].jks -dname "CN=[Common Name], OU=[OrganisationUnit], O=[Organisation], L=[Town/City], ST=[State/Province], C=[Country Code - example:AE]"

  2. The second command will create your CSR utilizing the same private key:
    keytool -certreq -alias server -file [Common Name].csr -keystore [Common Name].jks

The following steps are for NGINX utilizing OpenSSL


  1. Run the following command:
    openssl req -new -nodes -keyout private.key -out server.csr

  2. This will result in the creation of two files:
    private.key, which is your private key needed during certificate installation. Store this on your server in a secure location
    server.csr, this is your Certificate Signing Request.
    This information will be submitted to DarkMatter for the certificate creation

The following steps are for Tomcat

This will be split into two processes, the first will be the creation of a New Keystore while the second will be generating a CSR from that keystore.


Creating a New Keystore


  1. You may need to add [java /bin/ directory] to your PATH before utilizing the keytool command. When you are ready enter the following command:
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks

  2. A prompt will appear, please enter a password for your keystore. You will then be prompted for the Organisation information.
    Please note First and Last name is the FQDN (www.exampledomain.com) for the site, not your individual First and Last Name.

  3. Please confirm that your information is correct, then enter [y] or [yes] when prompted to. You will then be asked for your password to confirm.

  4. Your keystore file named your_site_name.jks is now created in the current working directory

Generating a CSR from a Keystore


  1. You will now utilize the keytool to create your CSR from your Keystore. Enter the following command:
    keytool -certreq -alias server -file csr.txt -keystore your_site_name.jks

  2. Enter your keystore password from earlier, then press [Enter]

  3. Your CSR file named csr.txt is now generated in the current directory.

How to Install a Certificate

The following steps are for your Intermediate Certificate supplied by the CA


  1. Save the file to your desktop as [Intermediate.cer]

  2. Open Microsoft Management Console (MMC)

  3. Press [File] then [Add/Remove Snap In]

  4. Click [Add]

  5. Select Certificates then click [Add]

  6. Select Computer Account then click [Next]

  7. Select your Local Computer then click [Finish]. Click [Close] then [OK]

  8. Select [Certificates] then [Intermediate Certification Authorities]. Then [Certificates]

  9. Right click on [Certificates] then select [All-Tasks]. Finally click [Import]

  10. An Import Wizard will launch, navigate through by following the instructions to import the intermediate certificate then close MMC.

The following steps are for your SSL certificate supplied by the CA

Note: You need to be able to sudo as root / have root access to your server to be able to perform the commands below. Our guide will utilize the sudo command, so if you are able to log in as root, disregard the sudo portion of the commands below.


  1. Extract your certificate files and then copy them to your server using the [Terminal]
    • sudo cp [file from the certificate download directory] /etc/apache2/ssl
      ○ [/etc/apache2/ssl] is where the Apache server stores the certificates

  2. Locate the Apache configuration file in order to configure it to point towards these certificates
    • The file should be located in:
      /etc/apache2/sites-enabled/your-website-goes-here

    • Open the file in your terminal window utilizing the following command:
      sudo nano [directory where config file is located]
      ○ for example, by default it should be:
      sudo nano /etc/apache2/sites-enabled/mytestsite.ae

  3. Configure the [VirtualHost] block for your ssl-enabled site
    • In the [VirtualHost] section of your file add the following directives IF they are not already included. If they are included, just modify your file so that each directive points towards the most recent server certificate, chain, and private key files.

      <VirtualHost mytestsite.ae:443>
          DocumentRoot /var/www/
          SSLEngine on
          SSLCertificateFile /path/to/your-server-certificate.crt
          SSLCertificateKeyFile /path/to/your-private-key.crt
          SSLCertificateChainFile /path/to/chain-bundle-file.crt
      </VirtualHost>

      SSLCertificateFile is your server certificate file
      SSLCertificateKeyFile is your server’s private key previously generated
      SSLCertificateChainFile is the Chain bundle file

    • Exit nano and save changes
    • [CTRL] + [X] to save and then type [Y] to confirm your changes

  4. Test your Apache configuration with the following command:
    sudo apachectl configtest

  5. Restart your server with the following command:
    sudo apachectl restart
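
Before restarting, it is worth confirming that the files named in SSLCertificateFile and SSLCertificateKeyFile actually belong together. The script below is an added example, not part of DarkMatter's instructions: it compares the public key in the certificate with the one derived from the private key (which works for RSA and ECC alike), checks the remaining validity, and checks that the certificate covers the site's host name. The function names, file names and example.test host names are assumptions, and the demonstration uses a throwaway self-signed certificate in place of a CA-issued one.

```shell
#!/bin/sh
# Added example: pre-install checks for a certificate and its private key.
# All file and host names are constructed placeholders.

# make_selfsigned DIR NAME COMMON_NAME DAYS: throwaway test certificate and key.
make_selfsigned() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "$4" -subj "/CN=$3" \
          -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null )
}

# check_install CERT KEY HOSTNAME [MIN_DAYS_LEFT]: prints one finding per line,
# returns 0 only if every check passes.
check_install() {
    cert=$1 key=$2 host=$3 days=${4:-0} rc=0
    # Both commands emit the same PEM SubjectPublicKeyInfo when the key
    # belongs to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match"; rc=1
    fi
    # -checkend exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "certificate unreadable or expires within $days day(s)"; rc=1; }
    # -checkhost always exits 0, so the verdict is read from its output.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
        grep -q 'does match' ||
        { echo "certificate is not valid for $host"; rc=1; }
    return $rc
}

# Demonstration on throwaway files.
tmp=$(mktemp -d)
make_selfsigned "$tmp" site www.example.test 30
make_selfsigned "$tmp" other other.example.test 30
check_install "$tmp/site.crt" "$tmp/site.key" www.example.test 7 &&
    echo "site.crt + site.key: ok to install"
check_install "$tmp/site.crt" "$tmp/other.key" www.example.test 7 ||
    echo "site.crt + other.key: do not install"
rm -rf "$tmp"
```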

The following steps are for your SSL certificate supplied by the CA


  1. Open Internet Information Services
    • [Start] --> [Programs] --> [Microsoft Exchange 2010] --> [Exchange Management Console]

  2. Select [Manage Database] then [Server Configuration]

  3. Next select your certificate from the center menu and select [Complete Pending Request] from the [Actions] menu

  4. Browse to the certificate file then press [Open] and click [Complete]

  5. Press [F5] to refresh the page and verify your certificate
    • [False] should be displayed under [Self Signed]
      ○ If [True] is shown, the wrong certificate is selected or you have installed to the wrong server. Please recreate the CSR on the server and reissue the certificate

  6. If the installation was successful, you need to enable your new certificate. Navigate back to the Exchange Management Console and click [Assign Services to Certificate]

  7. Select your server from the list of servers and click [Next]

  8. Select the services for your certificate that you want enabled and click [Next]
    • Click [Assign] then click [Finish]

  9. Your new Certificate is now installed and enabled for Exchange 2010

The following steps are for your SSL certificate supplied by the CA


  1. Start the Exchange Management Console

  2. Expand IIS and browse to the website you have a certificate request pending for.

  3. Right click on your site and select [Properties]

  4. Select the [Directory Security] tab

  5. Launch the [Web Server Certificate Wizard] by clicking on [Server Certificate] under the [Secure Communications] menu.
    • When the wizard launches, click [Next]
    • Select [Pending Request and Install the Certificate] then click [Next]
    • Browse for the location of your certificate response file then click [Next]
    • Verify the information on the summary screen and click [Next]
    • A completion screen will pop up, click [Finish] to close this

  6. You have now successfully installed your secure server certificate.
    • To test the website, go to https://“yourdomain.ae”

The following steps are for your SSL certificate supplied by the CA


  1. After receiving the SSL certificate save it to your server utilizing a [.crt] extension

  2. Open Internet Information Services (IIS) 7

  3. Click on the server you wish to edit

  4. From the center menu double click [Server Certificates] in the [Security] Section

  5. Choose the [Actions] menu on the right then click [Complete Certificate Request] this will launch the [Complete Certificate Request Wizard]
    • Browse for your SSL certificate you previously saved, then enter a name for it and click [OK]

  6. Navigate to the [Connections] menu in the main IIS Manager window and select the server you want the certificate to be installed on

  7. Under [Sites] select the site that is to be secured with SSL

  8. Choose the [Bindings] option from the [Actions] menu on the right hand side

  9. Click [Add] in the [Site Bindings] window

  10. On the [Add Site Bindings] window choose the following options:
    • [Type] should be “https”
    • [IP address] should be “your site’s IP Address” or “All Unassigned”
    • [Port] should be “443”
    • [SSL Certificate] should be your previously installed certificate
    • Click [OK]

  11. Restart Internet Information Services (IIS) to complete your certificate installation

The following steps are for your SSL certificate supplied by the CA


  1. After receiving the SSL certificate save it to your server utilizing a [.cer] extension

  2. Open Internet Information Services (IIS) 8(.5)

  3. Click on the server you wish to edit

  4. From the center menu double click [Server Certificates]

  5. Choose the [Actions] menu on the right then click [Complete Certificate Request] this will launch the [Complete Certificate Request Wizard]
    • Browse for the save location of your [.cer] file, specify a name for it, then in the drop-down menu select [Personal]
    • Click [OK] to install your new certificate

  6. Navigate to the [Connections] menu in the main IIS Manager window and select the server you want the certificate to be installed on

  7. Under [Sites] select the site that is to be secured with SSL

  8. Choose the [Bindings] option from the [Actions] menu on the right hand side

  9. Click [Add] in the [Site Bindings] window

  10. On the [Add Site Bindings] window choose the following options:
    • [Type] should be “https”
    • [IP address] should be “your site’s IP Address” or “All Unassigned”
    • [Port] should be “443”
    • [SSL Certificate] should be your previously installed certificate
    • Click [OK]

The following steps are for your SSL certificate supplied by the CA


  1. Download your SSL Certificate and Intermediate CA Certificate and save these to your server where you plan to install the certificate.

Import the SSL Certificate into the keystore


  1. In the command prompt enter the following command:
    keytool -import -alias your_alias_name -trustcacerts -file ssl_certificate.p7b -keystore your_keystore_filename
    Note: The alias name and keystore name in the command must be the same as the ones used during the creation of the private key and certificate signing request (CSR)

Configure Web Container


  1. If you are utilizing Tomcat please locate the section in the Tomcat server.xml configuration file that starts with, "Uncomment this for SSL support". Uncomment the following code, and enter the location of your server key.

    value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    value="8443"/>
    value="org.apache.tomcat.net.SSLSocketFactory" />



  2. Copy the JSSE jars to the $TOMCAT_HOME/lib directory

  1. If you are utilizing Jetty please locate the section in the $JBOSS_JETTY_HOME/conf/jetty/jetty.xml configuration file that starts with, "Uncomment this to add an SSL listener". Uncomment the following code, and enter the location of your server key.



    8443
    5
    255
    50000
    /etc/server.keystore
    changeit
    changeit



  2. Start JBoss

  1. Start JBoss and go to https://your-server-name.your-domain:8443 to test your SSL configuration

The following steps are for your SSL certificate supplied by the CA


  1. Download and copy your [CertificateBundle.pem] to your server.

  2. You need to edit the NGINX Virtual host file to point to your new certificate and private key.
    Please edit the following to fit your situation:
    Your ssl_certificate from step 1
    Your ssl_certificate_key from your previously generated CSR

    server
    {
        # TLS is enabled on the listen line; the separate "ssl on;" directive is deprecated
        listen 443 ssl;
        server_name www.mywebsite.com;
        ssl_certificate /path/to/SSL/CertificateBundle.pem;
        ssl_certificate_key /path/to/SSL/private.key;
    }

  3. Restart your NGINX server by entering the following command:
    sudo /etc/init.d/nginx restart

The following steps are for your SSL certificate supplied by the CA


  1. After you have your downloaded Certificate Bundle, which comes as a [.pem] file continue through the following steps

  2. Type and execute the following command utilizing your keystore file name and alias name from your keystore and Certificate Signing Request

    keytool -import -trustcacerts -alias server -file CertificateBundle.pem -keystore yoursite.jks

    • It is recommended you manually type this into your terminal and not copy and paste it as the formatting could change
    • A prompt will appear asking for a keystore password.
    • A prompt may appear asking if you want to trust the certificate, enter [yes]
    • Upon successful installation, you will see [Certificate reply was installed in keystore]

  3. Now you need to configure your Tomcat Server to utilize TLS protocol in unison with Java Keystore.
    • Please save a copy of your original server.xml file in the event that a restore is needed
    • Open your server.xml file located in the conf folder of the home directory
    • You will see a section that looks like the following:

      keyAlias="server" keystoreFile="yourkeystore.jks" keystorePass="your_keystore_password" />

      You will need to enter your specific information into the underlined fields that are bolded.
    • Restart your Tomcat Server to complete the installation process for your Certificate