A web server certificate allows encryption of web traffic and, to the extent that you trust the signer of the certificate, authentication of a web server's identity.
CMU has a site license for commercial certificates issued by Comodo, a well-known Certificate Authority (CA). Under that license, SCS Facilities issues and renews Comodo certificates for SCS hosts. There is no charge for this service. Comodo certificates are trusted by all widely-used browsers.
Restrictions on certificates we can issue
- SCS Facilities can only provide certificates for hosts used for SCS research or educational purposes.
- Requests must be sponsored by a SCS Faculty or full-time staff member and must be for hosts over which they have administrative control.
- SCS Facilities will not issue certicates for CNs that may be misleading, could be used to impersonate another site, are in violation of CMU or SCS policy, or violate the terms of our Comodo site license.
To get a signed certificate for your host
- Decide on the name(s) you want on your cert
- Create a CSR (Certificate Signing Request).
- Submit the CSR to SCS Facilities using the authenticated form at https://helpdesk.scs.cmu.edu/certs/verify_csr. That form includes a comment field that you can use to specify any Subject Alternative Names (SANs) you want to have included in the signed certificate. If that site is unavailable, contact email@example.com.
Your CSR will be submitted to Comodo. You should receive your signed cert via email in 1-2 working days.
Deciding on the names on your cert
Before you begin you must:
- Chose a Common Name (CN): The Common Name is the name that people will use to make web connections to your server. It must be be a fully-qualified domain name (FQDN) resolvable in DNS, or browsers will complain that your server's identity cannot be verified. For highly-visible public services, it is common for the CN to be a descriptive name (e.g. www.projectname.cs.cmu.edu) that is a DNS alias for some other host (e.g. server-01.projectname.cs.cmu.edu). For many other purposes, using the hostname of the machine that the web server will be running on is sufficient. If needed, it is possible to have multiple names (Subject Alternative Names) and/or wildcards on a single certificate.
- Choose an Organizational Unit (OU): The signed Comodo certificate will list one OU in the Subject field. When you generate the CSR, you should use a descriptive name such as, "SCS - UnitOrProjectName" (e.g. SCS - ISRI) as the OU.
Creating a CSR
Overview: Creating a CSR involves generating a public/private key pair. The private key should be kept secret --- possession of the private key is how your web server verifies its identity to clients. The public key is embedded in the certificate and is sent to every client when it makes an SSL connection to your server. When Comodo signs a certificate, it creates a binding between the public key and other information on the cert, such as the FQDN of the web server.
Specific instructions for generating a CSR and installing a certificate depend on the type of Web server & platform involved. All CSRs must have a private key size of exactly 2048 bits.
On Windows IIS server:, follow Microsoft's instructions for the specific OS and IIS version you are using.
On platforms with OpenSSL installed: If you are using Apache on an Ubuntu host that is running the SCS Facilities environment, you may want to use the Facilities-provided getwwwcert package, which streamlines some parts of the process. If you do not want to use getwwwcert or are on a non-Facilitized Linux host, you can use OpenSSL to generate the CSR by following the steps below;
- Generate the private key with the command:
openssl genrsa -out key.pem 2048
- Generate the CSR, using the openssl configuration listed below, with appropriate edits for the cert you are generating, and then running:
openssl req -config OpensslConfigFileName -new -key key.pem -out req.pem
Sample configuration file:
# Sample OpenSSL configuration for to use for CSR generation # To use, copy this this configuration to a file on your host # and edit the placeholder values for '0.organizationalUnitName' # and 'commonName' located in the '[ req_distinguished_name ]' section below, # to reflect the actual Organization Unit and Common Name for your cert. # [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = self_extensions req_extensions = req_extensions string_mask = nombstr prompt = no [ req_distinguished_name ] countryName = US stateOrProvinceName = Pennsylvania localityName = Pittsburgh 0.organizationName = Carnegie Mellon University 0.organizationalUnitName = ***EDIT*** commonName = ***EDIT*** [ req_attributes ] [ req_extensions ] basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash [ self_extensions ] basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always # End of sample configuration file.
Installing your certificate
Installation instructions for a certificate depend on the OS and server software you are running. In most cases, you will also need to install a file containing intermediate certificates. The mail you receive containing your certificate will also contain instructions on how to get the intermediate certificates for your new cert. The directory, /afs/cs/help/downloads/web_publishing/, contains intermediate certificate files for all Comodo certificates that have been issued by SCS Facilities. Almost all recently-issued Comodo certificates use the intermediate certs in the file, comodo-rsa-sha2-chain.crt.
Troubleshooting certificate-related problems
The openssl program provides several commands that are extremely useful when debugging certificate problems.
- To view the contents of a CSR:
openssl req -noout -text -in FileName
- To view the contents of a certificate file:
openssl x509 -noout -text -in FileName
- To view the Subject of certificate file: If you wish to view just the Subject of a certificate file and not the rest of the contents.
openssl x509 -noout -subject -in FileName
- To calculate the md5 checksum of a file:
openssl md5 FileName
- To verify that the server's private key, CSR, and certificate match. Run openssl to find the modulus (which is a very long number) and compare to see if the values are equal. Using the md5 checksums instead of the modulus itself makes comparing the numbers much easier:
openssl rsa -noout -modulus -in PrivateKeyFile |openssl md5
openssl req -noout -modulus -in CSRFile |openssl md5
openssl x509 -noout -modulus -in CertificateFile |openssl md5
- To see the server certificate a web server is presenting to clients:
openssl s_client -connect ServerName:Port |openssl x509 -text
The usual web server SSL port is 443, though other ports may be used (e.g. Java usually uses port 8443).
- To verify a certificate against a certificate chain
openssl verify -CAfile ChainFile CertificateFile
Where "ChainFile" is the path to your certificate chain file and "CertificateFile" is the path to the file containing the certificate you wish to verify.