A web server certificate allows encryption of web traffic and, to the extent that you trust the signer of the certificate, authentication of a web server's identity.
CMU has a site license for commercial certificates issued by Comodo. Under that license, SCS Facilities issues and renews Comodo certificates for SCS hosts. There is no charge for this service. Comodo certificates are trusted by all widely-used browsers and there is no need to install special CMU certificates when connecting to web servers that use Comodo certs.
Note: CMU and SCS Facilities no longer issue certificates signed by the CMU Certificate Authority. All previously-issued certificates signed by the CMU CA will become invalid at the end of May, 2010.
How to get a signed certificate for SCS hosts
- SCS Facilities can only provide certificates for SCS hosts.
- The CN (Common Name) on the certificate must be in the .cmu.edu or .cmu.local domains.
- Requests must be sponsored by a SCS Faculty or full-time staff member and must be for hosts over which they have administrative control.
- SCS Facilities will not issue certicates for CNs that may be misleading, could be used to impersonate another site, or are in violation of CMU or SCS policy.
To get a certificate:
- Generate a CSR (Certificate Signing Request) as per the instructions below.
- Because certificate requests need to be verified, when you generate the CSR, record some identifying information about it, such as a MD5 hash, and include a phone number where you can be reached.
- Send the CSR to email@example.com. If you are using the getwwwcert program on a Facilitized Linux/Unix host, it will automatically send e-mail after the CSR is generated.
- Someone from SCS Facilities will contact you to verify the request, and then e-mail the signed certificate to you.
CSR generation and certificate installation
Specific instructions for generating a CSR and installing a certificate depend on the type of Web server & platform involved. If you are using a Facilitized Linux/Unix host, it is strongly recommended that you use the Facilities-provided Apache 2 collection (or the httpd collection on older platforms).
- Choosing a Common Name (CN): The Common Name is the name that people will use to make web connections to your server. It must be resolvable in DNS, or you will get browser errors. For highly-visible public services, it is common for the CN to be a descriptive name (e.g. www.projectname.cs.cmu.edu) that is a DNS alias for some other host (e.g. foobar.projectname.cs.cmu.edu). For many other purposes, using the hostname of the machine that the web server will be running on is sufficient.
- Choosing an Organizational Unit (OU): The signed Comodo certificate will list one OU in the Subject field. When you generate the CSR, you should use "SCS - UnitOrProjectName" (e.g. "SCS - ISRI") as the OU.
- Private key size: You must use a 2048 bit private key when generating your CSR. Comodo no longer accepts CSRs generated with 1024 bit keys. The SCS Facilities getwwwcert program will generate 2048 bit private keys by default.
- Troubleshooting problems: If you are having problems generating or installing your certificate, see the documentation on troubleshooting certificate installation issues or contact firstname.lastname@example.org.
For your signed Comodo certificate to work, a file with intermediate certificates will need to be installed on your server.
If you are using the Facilities apache2 or httpd collection: Files with intermediate certificates are already installed and will automatically be configured to be used when you run getwwwcert. You should not need to install any additional intermediate certificates.
If you are not using a Facilities web server collection, you will need to download and install a file with the intermediate certificate chain. The particular intermediate chain file you should use depends on the type of Comodo certificate you have. When you received your certificate, you should also have received information about the certificate type. You can also use OpenSSL to determine the certificate type.
These are the Comodo certificate types that are currently distributed by SCS Facilities, along with the download locations for their intemediate certificate files:
- Comodo Multi-Domain SSL & PlatinumSSL
- Most certificates distributed after June 1, 2010 are one of these two types. They use the same intermediate certificates. The intermediate certificate file is:
- /afs/cs/help/downloads/web_publishing/addtrust-jun-2010-chain.crt (link - right click and download to a file)
- Comodo Unified Communications
- This type of certificate was distributed in May, 2010 as the replacement for old, SCS CA-issued certificates, and is also used for some Windows servers. The intermediate certificate file is:
- /afs/cs/help/downloads/web_publishing/entrust-legacy-chain.crt (link - right click and download to a file)
- Facilitized hosts using the Apache2 or httpd collection
- Windows hosts running IIS
- Using OpenSSL with other servers
On Facilitized Unix/Linux hosts, SCS Facilities provides a misc collection (Apache 2 on more recent OS's, httpd on older OS's) that makes it easy to set up a webserver and provides some tools to generate a CSR and install a certificate.
Generating a CSR:
which will ask you some questions, generate a secret key and CSR, and e-mail the CSR to SCS Facilities in order to be signed.
- When generating a CSR using getwwwcert, a MD5 hash for the CSR will be calculated and displayed. You should write down this hash, so it can be used to verify your request.
Installing the certificate
- Once you have received your certificate, save the contents of the e-mail containing the certificate to a file and run:
/usr/local/sbin/getwwwcert -I path-to-email.txt
in order to install the certificate.
- After installing the certificate, restart the Webserver by running either:
/usr/local/etc/nanny -restart apache2
if you are running the apache2 collection, or:
/usr/local/etc/nanny -restart httpd
if you are running the httpd collection.
If you want to use WebISO/Pubcookie authentication to control who can access the pages served by your web server, and haven't previously enabled Pubcookie, run:
/usr/local/sbin/keyclient after installing your certificate. Note:You do not need to run keyclient again if you are just renewing a currently-working certificate on a host that already has Pubcookie enabled.
Windows hosts running IISSee the SCS Facilities documentation on how to configure IIS SSL.
Using OpenSSL on a non-Facilitized host
Generating a CSR:If you are using OpenSSL to generate the CSR, your config file should look like the OpenSSL config file listed below. In that file, the lines:
0.organizationalUnitName = *THE ORGANIZATIONAL UNIT FOR THE WEB SERVER* commonName = *THE COMMON NAME FOR THE WEB SERVER*
must be changed to reflect the actual Organizational Unit and Common Name for your server. See the guidelines section above for tips on choosing values for these fields.
# OpenSSL config file for getwwwcert [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = self_extensions req_extensions = req_extensions string_mask = nombstr prompt = no [ req_distinguished_name ] countryName = US stateOrProvinceName = Pennsylvania localityName = Pittsburgh 0.organizationName = Carnegie Mellon University 0.organizationalUnitName = *THE ORGANIZATIONAL UNIT FOR THE WEB SERVER* commonName = *THE COMMON NAME FOR THE WEB SERVER* [ req_attributes ] [ req_extensions ] basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash keyUsage = critical,digitalSignature,keyEncipherment [ self_extensions ] basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical,digitalSignature,keyEncipherment
To generate the CSR:
- Generate the private key with the command:
openssl genrsa -rand /etc/egd-pool -out key.pem 2048
This step can be skipped if you've already generated a key and simply want to renew an expired or expiring certificate.
- Generate the CSR, using the openssl configuration mentioned above in the file openssl.conf:
openssl req -config openssl.conf -new -key key.pem -out req.pem
- Take note of the md5 hash of req.pem, since it will be used to verify the certificate you've sent. You can get the md5sum of the CSR by running:
openssl md5 req.pem
- E-mail the contents of the CSR, req.pem, to <email@example.com>, along with your name and contact phone number. Be sure to mention that you are running your own Webserver and not the facilities-provided one. Once the request has been verified and signed, you will receive an email that contains the signed certificate.
openssl x509 -req -days 30 -extfile openssl.conf -extensions self_extensions -in req.pem -out self.pem -signkey key.pem
This certificate will generate a warning on most Web browsers and will expire in 30 days.
Installing the certificate
The exact method of installation depends on the the web server you are using. You will need to install the Comodo intermediate certificates. If you're running Apache, SSLCertificateChainFile should point to the file containing these certificates.