PRD MaxMD Cert Issuance Instructions

1. Identity Proofing

As part of the certificate issuance process with MaxMD, you will verify your identity with ID.me, a federally certified identity provider. The ID.me workflow is simple and straightforward, and the entire process should take only a few minutes. Please note: you may be routed to a video call to verify with ID.me.

If you have any questions, please reach out to DirectTrust by replying to your invitation email ticket (support@directtrust.zohodesk.com). You can also check ID.me's support page at help.id.me and the FAQs at https://desk.zoho.com/portal/directtrust/en/kb/articles/id-me-faqs

2. Creating your Certificate

Now that your ID.me account is created and your identity verified, you will be redirected to your account within MaxMD's certificate issuance workflow.

Verifying the Domain

To create your certificate you must first verify your domain. You can verify the domain by email or by a DNS TXT record.


Verify by Email

To verify the domain by email, select the applicable email address and generate a one-time password (OTP).

Enter the OTP and click SUBMIT OTP.


The domain is verified. Click NEXT.


Verify by DNS

To verify the domain with DNS, start by clicking the VERIFY BY DNS tab.


Next:
  • Copy the generated token (including the “MaxMD-Verification=” prefix)
  • Go to your DNS management portal and create a new TXT record
    • In the Host field, enter the domain name
    • In the Time-to-Live (TTL) field, enter the TTL value or use the default value
    • In the Type field, select TXT
    • In the Value field, paste the token that you copied from the MaxMD Certificate portal

After the TXT record is created, wait about 30 seconds for the DNS change to propagate, then click VERIFY DNS RECORD.
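
Before clicking VERIFY DNS RECORD, it helps to confirm from outside your own network that the TXT record has actually propagated; the portal's check fails if the resolver it uses still serves the old zone. The bash script below is an added example, not part of the MaxMD portal or of these instructions. It queries a public resolver with dig (8.8.8.8 here; any resolver outside your network works), strips the quoting that resolvers put around TXT data, and retries until the copied token appears. The domain and token in the comments are placeholders, and the dig output used for the offline run is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the MaxMD portal or these instructions): confirm that the
# MaxMD-Verification TXT record is visible from a public resolver before clicking
# VERIFY DNS RECORD.
set -euo pipefail

# Succeed if one of the TXT strings in $1 (dig +short output, one record per line)
# equals the token in $2. Resolvers wrap TXT data in double quotes and may split a
# long value into several quoted chunks on one line ("abc" "def"), so the chunks are
# re-joined and the outer quotes stripped before the exact comparison.
txt_has_token() {
  local records="$1" token="$2"
  printf '%s\n' "$records" \
    | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' \
    | grep -xF -- "$token" >/dev/null
}

# Poll a public resolver (8.8.8.8 here; any resolver outside your own network will do)
# every 10 seconds for up to $3 seconds (default 120) until the token appears.
# Usage: wait_for_txt your-domain.org "MaxMD-Verification=<token copied from the portal>"
wait_for_txt() {
  local domain="$1" token="$2" timeout="${3:-120}" waited=0 answer
  while [ "$waited" -lt "$timeout" ]; do
    answer=$(dig +short TXT "$domain" @8.8.8.8 2>/dev/null || true)
    if txt_has_token "$answer" "$token"; then
      echo "TXT record for $domain carries the token (seen after ${waited}s)"
      return 0
    fi
    sleep 10
    waited=$((waited + 10))
  done
  echo "Token not visible at 8.8.8.8 after ${timeout}s; re-check the Host and Value fields" >&2
  return 1
}

# Constructed dig output for an offline run (not a real zone): an unrelated SPF record
# plus the verification token split into two quoted chunks.
SAMPLE_DIG_OUTPUT='"v=spf1 -all"
"MaxMD-Verification=abc" "123"'

if txt_has_token "$SAMPLE_DIG_OUTPUT" "MaxMD-Verification=abc123"; then
  echo "sample: token found"
fi
# Live check against your own zone (placeholders; fill in before running):
# wait_for_txt your-domain.org "MaxMD-Verification=<token copied from the portal>"
```

The exact-match comparison matters: a resolver that still returns an older verification token, or a record where the prefix was left out, is reported as not found rather than as a near miss.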

Creating the Certificate Signing Request

Now that your domain is verified, you can either have MaxMD automatically generate a Certificate Signing Request (CSR) and private key from your Subscriber and Sponsor information, or upload your own CSR.
NOTE: If you want more than one Organizational Unit (OU) value in your certificate, you must create and upload your own CSR (skip to the Upload CSR method).

Auto Generate CSR method

Click AUTO GENERATE CSR.


MaxMD will generate and verify the CSR. Click CONTINUE to create the certificate.

Review and click CREATE CERTIFICATE.



Congratulations! Your certificate is now created.




Upload CSR method

If you prefer to upload your own CSR, click the UPLOAD CSR tab and paste your PEM encoded CSR. 



If you have already generated your own CSR, you can proceed to section 3, Exporting or Downloading your Certificate.


A CSR can be generated with OpenSSL or Windows IIS. We recommend OpenSSL, which makes the later steps easier. You can download OpenSSL at https://www.openssl.org/source/ or follow Windows IIS instructions that match your environment. Example: https://www.ssl.com/how-to/generate-a-certificate-signing-request-csr-in-iis-10/

On a Windows machine, open Command Prompt and enter the following command, substituting real values for domainname, organizationName, initiative, and organizationalUnit (optional), in that order:
openssl req -out domainname.csr -new -newkey rsa:2048 -nodes -keyout domainname.key -subj "/CN=domainname/C=US/O=organizationName/OU=initiative/OU=optionalOrganizationalUnit"

NOTE: Because MaxMD validates your CSR against previously validated organizational information, City and State are not required. If you add them to your CSR, they must match what is on file. If you need to make a change, please alert DirectTrust and a new certificate link will be created for you.

The OU initiative value differs for eHealth Exchange Participants and Carequality Implementers.

For Production certificates, the required OU values are as follows:
  • eHealth Exchange: OU=NHIN
  • Carequality: OU=CAREQUALITY
Example OpenSSL command for an eHealth Exchange certificate for DirectTrust:
openssl req -out directtrust.org.csr -new -newkey rsa:2048 -nodes -keyout directtrust.org.key -subj "/CN=directtrust.org/C=US/O=DirectTrust.org, Inc./OU=NHIN/OU=Health Department"


If successful, you will now have your PEM encoded CSR file and private key:


Open the CSR file and copy the entire contents:


Click the UPLOAD CSR tab and paste your PEM encoded CSR.


NOTE: If the header and footer lines of your CSR read BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST, delete the word NEW from both lines (leave the encoded body between them untouched).
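
The following bash script is an added example (not MaxMD's or DirectTrust's tooling) that wraps the openssl req command above in the checks a practitioner runs before pasting a CSR into UPLOAD CSR: it builds the subject in the order this page requires, prints the subject so O and OU can be compared with what the portal has on file, confirms the CSR's signature and that its public key matches the private key beside it, and rewrites the BEGIN/END NEW CERTIFICATE REQUEST labels described in the note above without touching the encoded body. The domain and organization name in the demo are constructed values, not a real subscriber.

```bash
#!/usr/bin/env bash
# Added example (not MaxMD's or DirectTrust's tooling): build the CSR with the subject
# layout this page requires, then check it locally before pasting it into UPLOAD CSR.
set -euo pipefail

# Generate <domain>.key and <domain>.csr in the current directory.
# Arguments: domain, organization (exactly as validated by DirectTrust), initiative OU
# (NHIN or CAREQUALITY), optional extra OU.
generate_csr() {
  local domain="$1" org="$2" initiative="$3" extra_ou="${4:-}"
  local subj="/CN=${domain}/C=US/O=${org}/OU=${initiative}"
  if [ -n "$extra_ou" ]; then
    subj="${subj}/OU=${extra_ou}"
  fi
  openssl req -out "${domain}.csr" -new -newkey rsa:2048 -nodes \
    -keyout "${domain}.key" -subj "$subj" 2>/dev/null
}

# Print the subject so O and OU can be compared with what the portal has on file.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Succeed only if the CSR's self-signature is valid and its public key is the one
# derived from the private key beside it (a mismatch means the issued certificate
# could never be used with that key).
csr_matches_key() {
  local csr="$1" key="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Some tools label the PEM "NEW CERTIFICATE REQUEST"; the portal wants the plain label.
# Rewrites only the header and footer lines, in place, and keeps a .bak copy.
strip_new_label() {
  sed -i.bak \
    -e 's/^-----BEGIN NEW CERTIFICATE REQUEST-----/-----BEGIN CERTIFICATE REQUEST-----/' \
    -e 's/^-----END NEW CERTIFICATE REQUEST-----/-----END CERTIFICATE REQUEST-----/' "$1"
}

# Offline demo with constructed values (example.org / "Example Health, Inc." are not a
# real subscriber).
demo() {
  local work
  work=$(mktemp -d)
  (
    cd "$work"
    generate_csr example.org "Example Health, Inc." NHIN "Health Department"
    csr_subject example.org.csr
    csr_matches_key example.org.csr example.org.key && echo "CSR and key match"
    # Simulate a CSR exported by a tool that uses the NEW label, then normalise it.
    sed 's/CERTIFICATE REQUEST/NEW CERTIFICATE REQUEST/' example.org.csr > iis-style.csr
    strip_new_label iis-style.csr
    head -n 1 iis-style.csr
  )
  rm -rf "$work"
}
demo
```

Compare the printed subject against the organization name DirectTrust validated before uploading; the portal rejects a CSR whose O value differs, and fixing it locally is faster than a round trip through support.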



After uploading your CSR, MaxMD will validate the details against the certificate profile. If the CSR is invalid, the next screen will tell you why.


If your uploaded CSR is valid, you can CONTINUE to create the certificate.



Review the certificate settings and click CREATE CERTIFICATE.



Congratulations! Your certificate is now created.



3. Exporting or Downloading your Certificate

Obtaining your installable certificate will vary based on how your certificate was created in the workflow.
  1. If MaxMD generated the CSR for you: your certificate, the CA certificates (intermediate and root), and the private key can be generated and exported together as a keystore.
  2. If you uploaded your own CSR: your certificate and the CA certificates (intermediate and root) will need to be downloaded manually and joined with your private key to create a PKCS12 file.

Exporting your Key (Auto Generated CSR method)

If MaxMD generated the CSR for you, the certificate, CA certificates (intermediate and root), and the private key can be exported together as a Keystore. On the certificate screen, you should see the certificate information and an option to export as keystore. Click EXPORT AS KEYSTORE.


When exporting your key, select the Keystore Type from the drop-down (JKS or PKCS12). Use JKS for Java environments up to Java 8; Java 9+ and all other environments should choose PKCS12. You can also set optional passwords here to protect the keystore.


Clicking EXPORT will download domainname.pfx to your computer.

Downloading your Certificate (Upload CSR method)


From the Certificates tab, click VIEW, then DOWNLOAD CERTIFICATE.




You should see domainname.crt download to your computer.

Next, download the Intermediate CA certificate and Root CA certificate files.


You should now have three .crt files:
  1. domainname.crt
  2. MaxMD TLS RSA CA.crt
  3. MaxMD Root CA v1.0.crt


Next, use OpenSSL to join the three .crt files with your private key into a PKCS12 file. From the directory containing all four files, open a command prompt on a machine with OpenSSL installed and run the following commands, substituting real values for:
  1. domainname.crt
  2. privatekey.key
  3. MaxMD TLS RSA CA.crt
  4. MaxMD Root CA v1.0.crt

openssl pkcs12 reads only one -certfile (if the option is repeated, the last one given wins), so first combine the two CA certificates into a single chain file, then pass that file:

type "MaxMD TLS RSA CA.crt" "MaxMD Root CA v1.0.crt" > chain.crt
openssl pkcs12 -export -in domainname.crt -inkey privatekey.key -out domainname.pfx -certfile chain.crt

(On macOS or Linux, use cat in place of type.)

While the openssl pkcs12 command runs, you will be asked for an optional export password (press Enter to skip password creation):


You should now have a domainname.pfx file:
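
The bash script below is an added example (not MaxMD's or DirectTrust's tooling) for assembling and checking the PKCS12 bundle. Because openssl pkcs12 takes a single -certfile, it concatenates the intermediate and root into one chain file before exporting, reads the export password from an environment variable rather than the command line, and then proves the result: the leaf verifies to the root through the intermediate, the private key matches the leaf, and the .pfx holds all three certificates. The real files come from the MaxMD portal; the three-tier chain the demo generates (Demo Root CA, Demo TLS RSA CA, example.org) is a constructed stand-in so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not MaxMD's or DirectTrust's tooling): assemble the PKCS12 file from the
# downloaded certificates and your key, then prove the bundle carries the full chain.
set -euo pipefail

# Join leaf cert, key, and both CA certs into a .pfx. openssl pkcs12 honours only one
# -certfile, so the CA certs are concatenated first. The export password is read from
# the PFX_PASS environment variable so it never appears in the process list.
# Arguments: leaf.crt, leaf.key, intermediate.crt, root.crt, output.pfx
build_pfx() {
  local leaf="$1" key="$2" inter="$3" root="$4" out="$5"
  cat "$inter" "$root" > chain.crt
  openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile chain.crt \
    -out "$out" -passout env:PFX_PASS
}

# Number of certificates stored in the bundle (expect 3: leaf, intermediate, root).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Succeed if the leaf chains to the root through the intermediate and the key matches it.
check_leaf() {
  local leaf="$1" key="$2" inter="$3" root="$4"
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Constructed three-tier chain standing in for domainname.crt, "MaxMD TLS RSA CA.crt"
# and "MaxMD Root CA v1.0.crt". Throw-away keys; the real files come from the portal.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key -out root.crt \
    -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo TLS RSA CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.org\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout example.org.key -out example.org.csr \
    -subj "/CN=example.org/C=US/O=Example Health, Inc./OU=NHIN" 2>/dev/null
  openssl x509 -req -in example.org.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out example.org.crt 2>/dev/null
}

demo() {
  local work
  work=$(mktemp -d)
  (
    cd "$work"
    export PFX_PASS="demo-password"   # constructed; choose a strong one for the real export
    make_demo_chain
    check_leaf example.org.crt example.org.key inter.crt root.crt && echo "chain and key verified"
    build_pfx example.org.crt example.org.key inter.crt root.crt example.org.pfx
    echo "certificates in example.org.pfx: $(pfx_cert_count example.org.pfx)"   # 3
  )
  rm -rf "$work"
}
demo
```

Run pfx_cert_count against the real domainname.pfx before installing it: a count of 2 means the intermediate was dropped and servers loading the bundle will present an incomplete chain.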


4. Installing your Certificate

Installation of your certificate will depend on your environment.

Windows

Installing a keystore (.pfx)

Ensure the domainname.pfx file is on the machine on which you intend to install the certificate. Double-click the domainname.pfx file to start the Certificate Import Wizard.

Select Local Machine and click Next.


Verify you are importing the intended file and click Next.


Enter the password (if you created one when exporting your keystore) and click Next.


Choose where to store the certificates and click Next.


Confirm the settings and click Finish!


Certificate Self-Service Management

In the left navigation bar, you will find your organization name and the Home, Sponsors, and Certificates tabs.
Users who are Sponsors for more than one organization can choose which organization to view by clicking on the organization name.


Home

From your MaxMD account homepage, you will see your User and Organization information along with any certificates that are nearing expiration.


Sponsors

The Sponsors tab shows all users for your Organization.


Certificates

The Certificates tab shows all certificates for your organization.


To view more options for a certificate, click the VIEW button.


From here, you can:


Renewing Certificates

To Renew a certificate, navigate to the Home tab on the left navigation bar.


Any certificate with an expiration date within 90 days is available for Renewal. Locate the certificate that you wish to renew, and click the Renew button.


If your domain is currently verified, you can click Next. Otherwise, refer to the above instructions on how to complete domain verification again.


If your original certificate was created with a CSR generated by MaxMD, you can click the AUTO GENERATE CSR button to proceed to the next screen. If your original certificate was created with your own uploaded CSR, you will need to re-upload a CSR.


OR

If the CSR was created/uploaded correctly, click CONTINUE.


Then, click CREATE CERTIFICATE.

Revoking Certificates

To Revoke a certificate, navigate to the Certificates tab on the left navigation bar.


Choose which certificate you would like to Revoke, and click Manage.


Then, choose Revoke.