SCS Computing Services and Solutions, Carnegie Mellon School of Computer Science

Webserver certificates

A web server certificate allows encryption of web traffic and, to the extent that you trust the signer of the certificate, authentication of a web server's identity.

CMU has a site license for commercial certificates issued by Comodo, a well-known Certificate Authority (CA). Under that license, CMU issues and renews Comodo certificates for CMU hosts. There is no charge for this service. Comodo certificates are trusted by all widely-used browsers.

Restrictions on certificates we can issue

  • Certificates can only be provided for hosts used for CMU research or educational purposes.
  • Requests for certs used by SCS hosts must be sponsored by an SCS faculty or full-time staff member and must be for hosts over which they have administrative control.
  • Certificates will not be issued for host names that may be misleading, could be used to impersonate another site, are in violation of CMU or SCS policy, or violate the terms of CMU's Comodo site license.

To get a signed certificate for your host

  1. Decide on the name(s) you want on your cert.
  2. Create a CSR (Certificate Signing Request).
  3. Mail the CSR to certificate-authority@andrew.cmu.edu. If you have special requests, such as having your certificate contain subject alternative names (SANs), include those requests in your mail.

Your CSR will be submitted to Comodo. You should receive your signed cert via email in a few working days.

Deciding on the names on your cert

Before you begin you must:

  • Choose a Common Name (CN): The Common Name is the name that people will use to make web connections to your server. It must be a fully-qualified domain name (FQDN) resolvable in DNS, or browsers will complain that your server's identity cannot be verified. For highly-visible public services, it is common for the CN to be a descriptive name (e.g. www.projectname.cs.cmu.edu) that is a DNS alias for some other host (e.g. server-01.projectname.cs.cmu.edu). For many other purposes, using the hostname of the machine that the server will be running on is sufficient. If needed, it is possible to have multiple names (Subject Alternative Names) and/or wildcards on a single certificate.
  • Choose an Organizational Unit (OU): The signed Comodo certificate will list one OU in the Subject field. When you generate the CSR, you should use a descriptive name such as "SCS - UnitOrProjectName" (e.g. SCS - ISRI) as the OU.

Creating a CSR

Overview: Creating a CSR involves generating a public/private key pair. The private key must be kept secret: possession of the private key is how your web server proves its identity to clients. The public key is embedded in the certificate and is sent to every client when it makes an SSL connection to your server. When Comodo signs a certificate, it creates a binding between the public key and the other information on the cert, such as the FQDN of the web server.

Specific instructions for generating a CSR and installing a certificate depend on the type of Web server & platform involved. All CSRs must have a private key size of exactly 2048 bits.

On Windows IIS servers, follow Microsoft's instructions for the specific OS and IIS version you are using.

On platforms with OpenSSL installed, use OpenSSL to generate a CSR by following the steps below:

  1. Generate the private key with the command:
    openssl genrsa -out key.pem 2048

  2. Generate the CSR using the OpenSSL configuration listed below, with appropriate edits for the cert you are generating, by running:
    openssl req -config OpensslConfigFileName -new -key key.pem -out req.pem

Sample configuration file:

#  Sample OpenSSL configuration to use for CSR generation.
#  To use, copy this configuration to a file on your host
#  and edit the placeholder values for '0.organizationalUnitName'
#  and 'commonName' in the '[ req_distinguished_name ]' section below
#  to reflect the actual Organizational Unit and Common Name for your cert.
#

[ req ]
default_bits                    = 2048
default_keyfile                 = privkey.pem
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
x509_extensions                 = self_extensions
req_extensions                  = req_extensions
string_mask                     = nombstr
prompt                          = no

[ req_distinguished_name ]
countryName                     = US
stateOrProvinceName             = Pennsylvania
localityName                    = Pittsburgh
0.organizationName              = Carnegie Mellon University 
0.organizationalUnitName        = ***EDIT***
commonName                      = ***EDIT***

[ req_attributes ]

[ req_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash

[ self_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always


# End of sample configuration file.
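The CSR procedure above, carried through as a shell script together with the checks a requester can run locally before mailing the CSR: that the key is exactly 2048 bits, that the Common Name is the one intended, and that the CSR really belongs to the private key on disk. This is an added example, not SCS's own script: it assumes openssl is on PATH, and the OU and CN values in it are constructed placeholders following the page's "SCS - UnitOrProjectName" and CN examples.

```shell
#!/bin/sh
# Added example, not SCS's own script: generate the key and CSR from the
# sample configuration, then run the checks a requester can do locally
# before mailing the CSR. Assumptions: openssl is on PATH; OU and CN are
# constructed placeholders following the page's naming examples.

WORK=$(mktemp -d)
KEY="$WORK/key.pem"
CSR="$WORK/req.pem"
CFG="$WORK/csr.cnf"
OU="SCS - ProjectName"           # constructed placeholder
CN="www.projectname.cs.cmu.edu"  # constructed placeholder

# Write the configuration (the page's sample, with OU and CN filled in).
write_config() {
    cat > "$CFG" <<EOF
[ req ]
default_bits             = 2048
distinguished_name       = req_distinguished_name
req_extensions           = req_extensions
string_mask              = nombstr
prompt                   = no

[ req_distinguished_name ]
countryName              = US
stateOrProvinceName      = Pennsylvania
localityName             = Pittsburgh
0.organizationName       = Carnegie Mellon University
0.organizationalUnitName = $OU
commonName               = $CN

[ req_extensions ]
basicConstraints         = CA:FALSE
EOF
}

# Steps 1 and 2 of the page's procedure.
generate_csr() {
    write_config &&
    openssl genrsa -out "$KEY" 2048 2>/dev/null &&
    openssl req -config "$CFG" -new -key "$KEY" -out "$CSR"
}

# Check 1: the CSR carries a 2048-bit public key, the only size the service accepts.
csr_key_is_2048() {
    openssl req -noout -text -in "$CSR" | grep -q '(2048 bit)'
}

# Check 2: the Common Name in the CSR's Subject is the one we chose.
csr_cn_matches() {
    openssl req -noout -subject -in "$CSR" | grep -qF "$CN"
}

# Check 3: the CSR and the private key share one RSA modulus, compared via
# md5 digests as the page's troubleshooting section suggests.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$KEY" | openssl md5)
    r=$(openssl req -noout -modulus -in "$CSR" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Generate and run every check; returns 0 only if all of them pass.
prepare_csr() {
    generate_csr && csr_key_is_2048 && csr_cn_matches && csr_matches_key
}

if prepare_csr; then
    echo "CSR ready to mail: $CSR (keep $KEY private)"
else
    echo "CSR checks failed; do not submit $CSR" >&2
fi
```

Only req.pem leaves the machine; key.pem stays with the web server that will use the certificate, which is why the script keeps the two files apart and never prints the key.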

Installing your certificate

Installation instructions for a certificate depend on the OS and server software you are running. In most cases, you will also need to install a file containing the intermediate certificates. The mail you receive containing your certificate may also contain instructions on how to get the intermediate certificates for your new cert. The directory /afs/cs/help/downloads/web_publishing/ contains intermediate certificate files for all Comodo certificates that have been issued by SCS Facilities. Almost all recently-issued Comodo certificates use the intermediate certs in the file incommon-with-root-chain.crt.

Troubleshooting certificate-related problems

The openssl program provides several commands that are extremely useful when debugging certificate problems.

  • To view the contents of a CSR:
      openssl req -noout -text -in FileName
  • To view the contents of a certificate file:
      openssl x509 -noout -text -in FileName
  • To view just the Subject of a certificate file, without the rest of the contents:
      openssl x509 -noout -subject -in FileName
  • To calculate the md5 checksum of a file:
      openssl md5 FileName
  • To verify that the server's private key, CSR, and certificate match: run openssl to print the modulus of each (a very long number) and compare the values, which must be equal. Comparing the md5 checksums of the moduli instead of the moduli themselves makes the comparison much easier:
      openssl rsa -noout -modulus -in PrivateKeyFile | openssl md5
      openssl req -noout -modulus -in CSRFile | openssl md5
      openssl x509 -noout -modulus -in CertificateFile | openssl md5
  • To see the server certificate a web server is presenting to clients:
      openssl s_client -connect ServerName:Port |openssl x509 -text
    The usual web server SSL port is 443, though other ports may be used (e.g. Java usually uses port 8443).
  • To verify a certificate against a certificate chain:
      openssl verify -CAfile ChainFile CertificateFile
    where "ChainFile" is the path to your certificate chain file and "CertificateFile" is the path to the file containing the certificate you wish to verify.
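The chain-verification check above, exercised on a constructed toy PKI so that both the success and the failure outputs are recognisable before troubleshooting a real installation. This is an added example, not part of the SCS page: it assumes openssl is on PATH, and every name, subject and file in it is a constructed placeholder (no CMU, SCS or Comodo certificate is involved). It goes one step beyond the page by also verifying against a chain file that did not issue the certificate, which is what a missing or wrong intermediate file looks like to openssl verify.

```shell
#!/bin/sh
# Added example, not from the SCS page: run the page's chain-verification
# check against a constructed toy PKI. Assumptions: openssl on PATH; all
# names, subjects and files below are constructed placeholders.

WORK=$(mktemp -d)
CN="www.projectname.cs.cmu.edu"   # constructed, following the page's CN example

# Minimal req config: $1 = file, $2 = commonName. The x509_extensions section
# is applied only when the config is used with -x509 (the self-signed CAs).
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name     = dn
x509_extensions        = ca_ext
prompt                 = no

[ dn ]
organizationName       = Toy PKI
commonName             = $2

[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
EOF
}

# Self-signed throwaway CA: $1 = file prefix, $2 = CA name.
make_ca() {
    write_req_config "$WORK/$1.cnf" "$2" &&
    openssl req -config "$WORK/$1.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server key + CSR, signed by the CA whose files carry the "chain" prefix.
issue_server_cert() {
    write_req_config "$WORK/server.cnf" "$CN" &&
    openssl req -config "$WORK/server.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/chain.crt" -CAkey "$WORK/chain.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

setup() {
    make_ca chain "Toy Root CA" &&
    make_ca other "Unrelated Root CA" &&
    issue_server_cert
}

# The page's check, openssl verify -CAfile ChainFile CertificateFile, wrapped
# so its exit status can be tested: 0 only if server.crt chains to $1.
verify_against() {
    openssl verify -CAfile "$WORK/$1" "$WORK/server.crt"
}

# The page's Subject/contents inspection, restricted to the Issuer field,
# which is the first thing to compare with the chain file when verify fails.
cert_issuer() {
    openssl x509 -noout -issuer -in "$WORK/server.crt"
}

setup || exit 1
cert_issuer
verify_against chain.crt   # prints ".../server.crt: OK"
verify_against other.crt || echo "expected failure: server.crt was not issued under other.crt"
```

When the second call fails, openssl reports "unable to get local issuer certificate"; the same message from a real server's certificate means the chain file handed to openssl verify (or installed on the server) does not contain the intermediate that signed it.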