Identity proofing is NOT required for VAL certificates.
Auto Generate CSR method
Click AUTO GENERATE CSR.
MaxMD will generate and verify the CSR. Click CONTINUE to create the certificate.
Review and CREATE CERTIFICATE.
Congratulations! Your certificate is now created.
Proceed to section '3. Exporting or Downloading your Certificate'.
Upload CSR method
If you prefer to upload your own CSR, click the UPLOAD CSR tab and paste your PEM encoded CSR.
If you have already generated your own CSR you can proceed to section '3. Exporting or Downloading your Certificate'.
Generating a CSR is done with OpenSSL or Windows IIS. We recommend OpenSSL to make later steps easier. You can download OpenSSL at https://www.openssl.org/source/ or refer to Windows IIS instructions that match your environment. Example: https://www.ssl.com/how-to/generate-a-certificate-signing-request-csr-in-iis-10/
On a Windows machine, open Command Prompt and enter the following command with real values for domainname, organizationName, initiative, and organizationalUnit (optional) in the following order:
openssl req -out domainname.csr -new -newkey rsa:2048 -nodes -keyout domainname.key -subj "/CN=domain.org/C=US/O=organizationName/OU=initiative/OU=optionalOrganizationalUnit"
NOTE: MaxMD is validating your CSR against profiles and previously entered Organization Name and Domain Name. The C (country), O (Organization Name), CN (Domain) and OU (Organization Unit) in the CSR must match what is on file. If you need to make a change, please alert DirectTrust and a new certificate link will be created for you.
The OU initiative value will differ for eHealth Exchange Participants and Carequality Implementers.
For Validation certificates, the required OU values are as follows:
- eHealth Exchange: OU=NHIN-Test
- Carequality: OU=CAREQUALITY-TEST
Example OpenSSL command for an eHealth Exchange certificate for DirectTrust:
openssl req -out directtrust.org.csr -new -newkey rsa:2048 -nodes -keyout directtrust.org.key -subj "/CN=directtrust.org/C=US/O=DirectTrust.org, Inc./OU=NHIN-Test/OU=Health Department"
Open the CSR file and copy the entire contents.
Click the UPLOAD CSR tab and paste your PEM encoded CSR.
After uploading your CSR, MaxMD will validate the details against the certificate profile. If the CSR is invalid, the next screen will tell you why.
If your uploaded CSR is valid, you can CONTINUE to create the certificate.
Review the certificate settings and click CREATE CERTIFICATE.
Congratulations! Your certificate is now created.
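Because the CSR is rejected when its subject does not match what is on file, it can be checked locally before it is pasted. The script below is an added example, not MaxMD or DirectTrust code; the function names csr_field and check_csr are hypothetical, and the expected values passed to check_csr are whatever your organization has on file.

```shell
#!/bin/sh
# Added example, not MaxMD or DirectTrust code: check a CSR before upload.
# csr_field and check_csr are hypothetical helper names.

# Print each value of one subject attribute, one per line.
# $2 is OpenSSL's long attribute name, e.g. commonName.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n "s/^ *$2 *= //p"
}

# check_csr <csr-file> <CN> <C> <O> <initiative-OU>
# Returns 0 only if the CSR parses, its self-signature verifies, and the
# subject carries the expected values (supplied by the caller).
check_csr() {
    csr=$1 want_cn=$2 want_c=$3 want_o=$4 want_ou=$5 rc=0

    # The exit status of "req -verify" differs between OpenSSL releases,
    # so look for the "verify OK" message instead. A truncated or altered
    # paste fails here.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CSR does not parse or its signature does not verify" >&2
        return 1
    fi

    [ "$(csr_field "$csr" commonName)" = "$want_cn" ] ||
        { echo "FAIL: CN is not $want_cn" >&2; rc=1; }
    [ "$(csr_field "$csr" countryName)" = "$want_c" ] ||
        { echo "FAIL: C is not $want_c" >&2; rc=1; }
    [ "$(csr_field "$csr" organizationName)" = "$want_o" ] ||
        { echo "FAIL: O is not $want_o" >&2; rc=1; }

    # OU can appear more than once; the initiative value must be one of them.
    csr_field "$csr" organizationalUnitName | grep -Fxq -- "$want_ou" ||
        { echo "FAIL: no OU equal to $want_ou" >&2; rc=1; }

    return "$rc"
}

# Usage, with the values from the DirectTrust example command above:
#   check_csr directtrust.org.csr directtrust.org US "DirectTrust.org, Inc." NHIN-Test
```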
Exporting your Key (Auto Generated CSR method)
If MaxMD generated the CSR for you, the certificate, CA certificates (intermediate and root), and the private key can be exported together as a Keystore. On the certificate screen, you should see the certificate information and an option to export as keystore. Click EXPORT AS KEYSTORE.
When exporting your key, select the Keystore Type from the drop down (JKS or PKCS12). Use JKS for Java environments up to Java 8. Java 9+ and all other environments should choose PKCS12. Here you can add optional passwords to protect the keystore.
Clicking EXPORT will download domainname.pfx to your computer.
Proceed to section '4. Installing your Certificate'.
Downloading your Certificate (Upload CSR method)
From the Certificates tab, click VIEW --> DOWNLOAD CERTIFICATE.
You should see domainname.crt download to your computer.
Next, download the Intermediate CA certificate, and Root CA certificate files.
You should now have three .crt files:
- domainname.crt
- MaxMD TLS RSA EVAL CA.crt
- MaxMD EVAL Root CA v1.0.crt
Next, we need to use an OpenSSL command to join our three .crt files with your private key to generate a PKCS12 file. From the same directory path with all four files below, open the Command Prompt and use the following command substituting real values for:
- domainname.crt
- privatekey.key
- MaxMD TLS RSA EVAL CA.crt
- MaxMD EVAL Root CA v1.0.crt
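Example command:
openssl pkcs12 -export -in domainname.crt -inkey privatekey.key -out domainname.pfx -certfile "MaxMD TLS RSA EVAL CA.crt" -certfile "MaxMD EVAL Root CA v1.0.crt"
Note: OpenSSL's pkcs12 command uses only the last -certfile option when the option is repeated. To include both CA certificates, combine them into one PEM file and pass that file to -certfile.
After creating the pkcs12 file, you will be asked to create an optional Export password (press enter to skip password creation):
You should now have a domainname.pfx file: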