Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
Webserver certificates

A web server certificate allows both encryption of web traffic and authentication, to the extent that you trust the signer of the certificate, of a web server's identity. To get a signed certificate for a web server in SCS, you can either:
  • Contact SCS Facilities, as per the instructions below, to get a certificate signed by the SCS CA (Certificate Authority). This service is free, but requires that people connecting to your server have installed the Carnegie Mellon web certificates in their browser.
  • Contact CMU Computing Services, as per the instructions below, to get a certificate signed by Thawte Consulting, a well-known commercial CA. This service is not free, but Thawte certificates come pre-installed in most browsers.

How to get a signed web server certificate from the SCS Certificate Authority

SCS Facilities runs a certificate authority (CA) that issues digital certificates for webservers within SCS. These certificates take advantage of CMU's public-key infrastructure and the widespread deployment of Carnegie Mellon server certificates in client browsers. To obtain a certificate signed by the SCS certificate authority, email a certificate-signing request (CSR) to <certificates@cs.cmu.edu>. Specific instructions for generating a CSR depend on the type of web server and platform involved.

How to get a signed web server certificate from Thawte

To get a signed certificate from Thawte for a web server within the School of Computer Science, send mail to <certificate-authority@andrew.cmu.edu> with the following information:
  • An Oracle string that the cost of the certificate will be charged to.
  • The name, e-mail, and phone number of the financial person who administers that Oracle string.
  • The server software (operating system and web server software) that the server will be running. For example: Fedora 7, Apache 1.3.27.
  • The organizational unit of the host, which should be "School of Computer Science" for web servers within SCS.
  • The common name of the machine, which is the full hostname that you expect users to connect to the web server with. For example: foo.cs.cmu.edu
  • A Certificate Signing Request (CSR). Note: For a Thawte certificate request, there should only be one Organizational Unit (OU) specified in the CSR.

How to generate a certificate-signing request (CSR)

If you are using the Facilities httpd collection

On Facilitized Unix/Linux hosts, SCS Facilities provides an httpd misc collection that makes it easy to set up a Webserver and provides some tools to generate a CSR.

For a Thawte certificate request: If you will be using the CSR to get a Thawte-signed certificate, contact <certificates@cs.cmu.edu> for assistance in generating it.

For a SCS-signed certificate request: If you'll be requesting a certificate signed by the SCS CA, you can run:
  /usr/local/sbin/getwwwcert
which will ask you some questions, generate a secret key and CSR, and mail the CSR to SCS Facilities in order to be signed.

When generating a CSR using getwwwcert, an MD5 hash of the CSR will be calculated and displayed. Write down this hash, since SCS Facilities may contact you by phone and read it back to verify that the request they received is the one you sent.

Once you have received your certificate, save the contents of the e-mail containing the certificate to a file and run:
  /usr/local/sbin/getwwwcert -I /path/to/email.txt
in order to install the certificate.

After installing the certificate, you will need to restart the Webserver by running:
  /usr/local/etc/nanny -restart httpd

If you are using a Windows host running IIS

To generate a CSR on a Windows host running IIS, see the Facilities page on configuring IIS SSL .

If you are using OpenSSL on a non-Facilitized host

Note: If you are generating a CSR for a Thawte certificate request, remove the following two lines from the listed OpenSSL config file:

  1.organizationalUnitName        = *YOUR DEPARTMENT HERE*
  2.organizationalUnitName        = *YOUR GROUP HERE*
so that there is only one OU listed.

If you are using OpenSSL to generate the CSR, your config file should contain:

  # OpenSSL config file for getwwwcert

  [ req ]
  default_bits                    = 1024
  default_keyfile                 = privkey.pem
  distinguished_name              = req_distinguished_name
  attributes                      = req_attributes
  x509_extensions                 = self_extensions
  req_extensions                  = req_extensions
  string_mask                     = nombstr
  prompt                          = no

  [ req_distinguished_name ]
  countryName                     = US
  stateOrProvinceName             = Pennsylvania
  localityName                    = Pittsburgh
  0.organizationName              = Carnegie Mellon University
  0.organizationalUnitName        = School of Computer Science
  1.organizationalUnitName        = *YOUR DEPARTMENT HERE*
  2.organizationalUnitName        = *YOUR GROUP HERE*
  commonName                      = *HOSTNAME OF WEB SERVER*

  [ req_attributes ]
  
  [ req_extensions ]
  basicConstraints                = CA:FALSE
  nsCertType                      = server
  nsComment                       = "OpenSSL Generated Certificate"
  subjectKeyIdentifier            = hash
  keyUsage                        = critical,digitalSignature,keyEncipherment

  [ self_extensions ]
  basicConstraints                = CA:FALSE
  nsCertType                      = server
  nsComment                       = "OpenSSL Generated Certificate"
  subjectKeyIdentifier            = hash
  authorityKeyIdentifier          = keyid,issuer:always
  keyUsage                        = critical,digitalSignature,keyEncipherment

Note: Be sure to insert correct values for the organizationalUnitName and commonName attributes.

To generate the CSR:

  1. Generate the private key with the command:
      openssl genrsa -rand /etc/egd-pool -out key.pem 1024
    This step can be skipped if you've already generated a key and simply want to renew an expired or expiring certificate.
  2. Generate the CSR, using the openssl configuration mentioned above in the file openssl.conf:
      openssl req -config openssl.conf -new -key key.pem -out req.pem
  3. If the CSR is for an SCS-signed certificate: take note of the MD5 hash of req.pem, since it will be used to verify the request you've sent. You can get the MD5 hash of the CSR by running:
      openssl md5 req.pem
  4. For an SCS-signed certificate, send the contents of the CSR, req.pem, to <certificates@cs.cmu.edu>, along with your name and contact phone number. Be sure to mention that you are running your own Webserver and not the facilities-provided one. Once the request has been verified and signed, you will receive an email that contains the signed certificate and the intermediate CA certificate.
If you want to use a self-signed certificate until you get a response, generate one by running:
  openssl x509 -req -days 30 -extfile openssl.conf -extensions self_extensions -in req.pem -out self.pem -signkey key.pem
This certificate will generate a warning on most Web browsers and will expire in 30 days.
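As an added example (not SCS Facilities' getwwwcert and not part of this page), the following POSIX shell script carries the OpenSSL procedure above through end to end and adds the checks a requester would want before mailing a CSR and after receiving a certificate: it writes a config in the same layout as the one listed (with the single-OU variant required for Thawte), generates the key and CSR, verifies the CSR's self-signature, counts the OU attributes, extracts the common name, computes the MD5 fingerprint that Facilities may read back by phone, and confirms that the CSR and the 30-day self-signed placeholder carry the same RSA modulus as the private key. Assumptions: the openssl command-line tool is on PATH; keys are 2048 bits rather than the 1024 the instructions list, because current CAs and browsers reject 1024-bit RSA keys; the `-rand /etc/egd-pool` option is omitted since EGD is obsolete and modern OpenSSL seeds itself; the department and group OU values are constructed sample values, and the hostname foo.cs.cmu.edu is the page's own example.

```shell
#!/bin/sh
# Added example: generate and check a web server CSR with OpenSSL.
# Not SCS Facilities' getwwwcert. Assumes `openssl` is on PATH.

# Write an OpenSSL request config in the layout of the page's openssl.conf.
# $1 = output file, $2 = server hostname (CN),
# $3 = "scs" (three OU lines) or "thawte" (exactly one OU line).
write_csr_config() {
    cfg=$1; host=$2; mode=${3:-scs}
    {
        cat <<EOF
[ req ]
default_bits                    = 2048
default_keyfile                 = privkey.pem
distinguished_name              = req_distinguished_name
x509_extensions                 = self_extensions
req_extensions                  = req_extensions
string_mask                     = nombstr
prompt                          = no

[ req_distinguished_name ]
countryName                     = US
stateOrProvinceName             = Pennsylvania
localityName                    = Pittsburgh
0.organizationName              = Carnegie Mellon University
0.organizationalUnitName        = School of Computer Science
EOF
        # Thawte accepts only one OU; the SCS CA config also names department and group.
        # "Example Department" and "Example Group" are constructed placeholders.
        if [ "$mode" = scs ]; then
            printf '%s\n' '1.organizationalUnitName        = Example Department' \
                          '2.organizationalUnitName        = Example Group'
        fi
        cat <<EOF
commonName                      = $host

[ req_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
subjectKeyIdentifier            = hash
keyUsage                        = critical,digitalSignature,keyEncipherment

[ self_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
keyUsage                        = critical,digitalSignature,keyEncipherment
EOF
    } > "$cfg"
}

# Generate the private key and CSR in $1 for hostname $2 in mode $3.
# 2048-bit RSA: the page's 1024-bit command is no longer accepted by public CAs.
gen_key_and_csr() {
    dir=$1; host=$2; mode=${3:-scs}
    write_csr_config "$dir/openssl.conf" "$host" "$mode"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null &&
    openssl req -config "$dir/openssl.conf" -new -key "$dir/key.pem" -out "$dir/req.pem"
}

# Subject of a CSR, one attribute per line ("OU=...", "CN=...").
csr_subject_lines() {
    openssl req -noout -subject -nameopt sep_multiline,utf8 -in "$1" | sed 's/^ *//'
}

# Number of OU attributes in the CSR: must be exactly 1 for a Thawte request.
csr_ou_count() { csr_subject_lines "$1" | grep -c '^OU='; }

# Common name in the CSR: must be the hostname clients will connect to.
csr_cn() { csr_subject_lines "$1" | sed -n 's/^CN=//p'; }

# MD5 fingerprint of the CSR file, the value Facilities may read back by phone.
csr_fingerprint() { openssl md5 "$1" | awk '{print $NF}'; }

# Succeeds when the CSR parses and its self-signature verifies.
csr_verify() { openssl req -noout -verify -in "$1" >/dev/null 2>&1; }

# Succeeds when key $1 and object $2 ($3 = "req" for a CSR, "x509" for a
# certificate) share the same RSA modulus, i.e. the CSR you send or the
# certificate you receive really belongs to your private key.
key_matches() {
    key=$1; obj=$2; kind=${3:-req}
    km=$(openssl rsa -noout -modulus -in "$key" | openssl md5)
    om=$(openssl "$kind" -noout -modulus -in "$obj" | openssl md5)
    [ "$km" = "$om" ]
}

# Issue the 30-day self-signed placeholder certificate the page describes.
self_sign() {
    dir=$1
    openssl x509 -req -days 30 -extfile "$dir/openssl.conf" -extensions self_extensions \
        -in "$dir/req.pem" -out "$dir/self.pem" -signkey "$dir/key.pem" 2>/dev/null
}

# Worked run: a single-OU (Thawte-style) CSR for the page's example host.
csr_demo() {
    dir=$(mktemp -d)
    gen_key_and_csr "$dir" foo.cs.cmu.edu thawte >/dev/null 2>&1 || return 1
    csr_verify "$dir/req.pem" || return 1
    [ "$(csr_ou_count "$dir/req.pem")" = 1 ] || return 1
    key_matches "$dir/key.pem" "$dir/req.pem" req || return 1
    echo "CN=$(csr_cn "$dir/req.pem") OUs=$(csr_ou_count "$dir/req.pem") MD5=$(csr_fingerprint "$dir/req.pem")"
    self_sign "$dir" && key_matches "$dir/key.pem" "$dir/self.pem" x509
}

[ -n "${CSR_DEMO_NO_RUN:-}" ] || csr_demo
```

Run it as `sh csr-check.sh`, or source it with `CSR_DEMO_NO_RUN=1` set and call the functions on your own files. The same `key_matches key.pem cert.pem x509` check is worth running on the signed certificate Facilities mails back before installing it, so that a certificate for the wrong key (or a mangled paste from the e-mail) is caught before the web server is restarted.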