Introduction to Secure Sockets Layer Certificates
An SSL Certificate is the digital certificate used with the most widely deployed security protocol on the Internet, SSL. When you make a purchase, or access other protected content on the internet, and notice the closed lock icon at the top or bottom of your browser or the https:// prefix in the URL, it means you have established a secure SSL connection. This means that your browser has examined the signed certificate received from the web site, determined it to be authentic, and that session keys have been negotiated at both ends of the connection. During the connection all the information you enter will be encrypted before being sent to the server.
If you run a web server and need an SSL certificate then here's how to obtain one:
Obtaining a certificate
- Essentially you need to generate a Certificate Signing Request (CSR, see below) and then contact firstname.lastname@example.org
- To obtain a University security certificate you must be University staff.
- If you are planning to use the Single Sign On (SSO) service please contact the ITS Web Team at email@example.com, so that the SSO service can be set up at the same time.
- The process generally takes about a day, but there are factors that may delay this, e.g. staff availability / workload, mistakes in the application, unusual requirements. If the request is urgent, please let us know, and make sure we have a reliable means of contacting you.
- We recommend that a role-based rather than a personal email address is used for certificate requests, because email reminders are sent out when certificates are about to expire, and role-based email addresses are more likely to be seen by more than one person, so reminders are less likely to get lost.
When installing the new certificate the service will need to reference/import a chain of intermediate certificates. The chain refers to the issuer of the previous certificate in turn until reaching the root certificate that the client will trust. You should receive the appropriate chain file along with the certificate from Janet, via an email link or other download mechanism.
Depending on the server software it may matter in which order the certificates are imported. Please make sure you know exactly what you are doing before you start.
Generate a CSR
Current recommendations are to use at least a 2048 bit key, any less will be rejected by the issuing authority.
For an Apache server:
> openssl req -newkey rsa:2048 -nodes -keyout servicename.warwick.ac.uk.key -out servicename.warwick.ac.uk.csr
Notes on responses to the openssl prompts (it is recommended that you leave everything else blank):
Country Name: GB
State or Province Name: West Midlands
Locality Name: Coventry
Organization Name: The University of Warwick
Organizational Unit Name: Your department (if ITS please use Information Technology Services)
Common Name: yourservicename.warwick.ac.uk
- The Common Name should be the fully qualified service or host name for your application. It will be matched against URL requests, and web browsers usually show a warning if they are different.
- Make sure the .key file is not readable by anyone but root - this is the private key that no one except the server process should see.
- If a PEM passphrase was given when creating the key then this password will have to be entered every time the service is loaded. Consider carefully if and how your service environment will support this - if you change your mind you will have to request a new certificate without one.
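Putting the steps above together, as an added example that is not part of this FAQ: a small POSIX shell script that generates the 2048-bit key and CSR non-interactively with the subject values listed above, keeps the .key file readable only by its owner, and checks the CSR before it is sent off. The host name servicename.warwick.ac.uk and the ITS department value are assumptions; the script needs the openssl command.

```shell
#!/bin/sh
# Added example, not from the original FAQ. Generates a key and CSR for an
# assumed host name, then checks what was produced before it is submitted.
set -eu

# make_csr HOST DIR: writes DIR/HOST.key (mode 0600) and DIR/HOST.csr.
# Subject values follow the FAQ; OU assumes the ITS department.
make_csr() {
    host="$1"; dir="$2"
    key="$dir/$host.key"; csr="$dir/$host.csr"
    # umask 077 so the private key is never group/world readable, even briefly
    (umask 077 && openssl req -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=$host" \
        >/dev/null 2>&1)
    chmod 600 "$key"
}

# csr_cn FILE: print the Common Name the CSR carries (what browsers match against the URL)
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_bits FILE: print the RSA modulus size; the issuer rejects anything under 2048
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_mode FILE: print the permission string of the key file, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# csr_ok FILE: exit 0 if the CSR's self-signature verifies (file is intact)
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: make_csr servicename.warwick.ac.uk /etc/ssl/private
#        csr_cn /etc/ssl/private/servicename.warwick.ac.uk.csr
```

Run csr_cn and key_bits on the output before emailing the CSR: a wrong Common Name or a short key means a rejected request and another day's wait.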
Some excellent notes for other types of servers:
If you have any comments, suggestions or notes you wish to have added here please contact us: firstname.lastname@example.org
The main contact for this service is: Neal Welland
This FAQ is intended for technical staff who administer servers.
Alternatively see our FAQ if you want to know about setting up an online payment system.