Skip to main content
To KTH's start page To KTH's start page

Installation of certificate

Here you can find information about installation of certificate at KTH.

Approval of a certificate is sent by e-mail, with links to download the certificate. Example:

Click the following link to download your SSL certificate

  • Format(s) most suitable for your server software:
    • as Certificate only, PEM encoded:
    • as Root/Intermediate(s) only, PEM encoded:
    • as Intermediate(s)/Root only, PEM encoded:
  • Other available formats:
    • as Certificate (w/ chain), PEM encoded:
    • as PKCS#7, PEM encoded:
    • as PKCS#7:

Choosing the correct format

The certificate chain consists of a root certificate, one or more intermediate certificates and finally the server certificate. How these are split into files, and in what order they should be provided to the server software configuration, may vary.

Apache httpd

As of Apache httpd version 2.4.8, you can place the entire chain in one file, selected by SSLCertificateFile. It should contain the server certificate as the first entry, and the root certificate as the last. This can be obtained using the URL that ends with format=x509.

For older httpd versions, the server certificate (with format=x509CO in the URL) should be in a file selected by SSLCertificateFile. The rest of the chain, with the root certificate as the last entry (format=x509IOR in the URL) should be in a file selected by SSLCertificateChainFile.

SSLCertificateKeyFile should select the key file used for the CSR.

See also


For Nginx, the entire certificate chain (using format=x509 in the URL) should be in a file selected by ssl_certificate.

ssl_certificate_key should select the key file used for the CSR.

See also:


See Sectigo's instructions for IIS .


You may find it easiest to place Tomcat behind an Apache, Nginx or other proxy. Otherwise, see Sectigo's instructions for importing certificates into Java KeyStore (JKS)  and installing certificates in Tomcat's KeyStore  .

How do I verify that the certificate configuration is correct?

If the certificate site is accessible on the Internet, there are several websites that can help:

If the server is not  accessible from the Internet, OpenSSL can be used. Example:

       openssl s_client -connect