SSL Certificates | University of Oregon: Information Security

About SSL Certificates

A Brief Overview

  • An SSL certificate has two parts: a private key and a public certificate. The private key sits on your server and is used to decrypt the SSL-encrypted network traffic (KEEP THIS KEY IN A SAFE PLACE, and DO NOT SHARE IT WITH ANYONE). The public certificate is presented to the client machine during the initialization of the SSL connection.
  • The process of creating an SSL certificate starts with creating a Certificate Signing Request (CSR). OpenSSL is commonly used to generate the CSR.
  • Once you have generated the CSR, you need to get it signed. At this point you have two options: you may sign the certificate yourself (NOT ADVISED), or you may send the CSR to a Certificate Authority (CA) to sign.


Pricing

  • Class-1 (IPSCA): Free, not recommended for applications used off-campus.
  • Class-2 (GlobalSign): $120 for one year, $200 for two.
  • Class-3 (GlobalSign): $800 for one year, $1300 for two.


Self-Signed Certificates

    Using self-signed certificates is insecure and not advisable. SSL is built on trust between the certificate authority and the SSL clients; if your certificate is self-signed, it gives client machines no reason to trust that the connection that follows is authentic. Furthermore, SSL is a very finicky protocol, and using a self-signed certificate introduces an undesirable layer of complexity to implementing SSL. Fortunately, as a higher-ed customer you are eligible for a FREE Class-1 certificate from IPSCA.


Generating a CSR with OpenSSL

    Step 1: Install OpenSSL (http://www.openssl.org/)
    Step 2: Create an SSL key

      # Use at least 2048 bits; public CAs reject 1024-bit RSA keys.
      openssl genrsa -out server.key 2048

    Step 3: Create a Certificate Signing Request (CSR)

      openssl req -new -key server.key -out server.csr

      IMPORTANT! You will be asked for the following information. Make sure to fill it out correctly!

        Country Name:US
        State or Province Name (full name) [Some-State]:Oregon
        Locality Name (eg, city) []:Eugene
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Oregon
        Organizational Unit Name (eg, section) []:Your Department's Name
        Common Name (eg, YOUR name) []:Your fully qualified hostname. Example: shell.uoregon.edu
        Email Address []:Your uoregon.edu e-mail address. Example: blah@uoregon.edu
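
The same steps as an added example (not part of the original page): the key and CSR are generated without prompts, then the CSR is checked before it is sent to a CA. The function names `make_csr` and `check_csr` and their arguments are made up for this example; the file names follow the page, and the 2048-bit key size is a choice made here.

```shell
# Added example: build the key and CSR non-interactively, then verify the CSR
# before sending it to the CA. Function names and arguments are illustrative.

make_csr() {  # usage: make_csr <dir> <fqdn> <department> <email>
  dir=$1; fqdn=$2; ou=$3; email=$4
  # umask 077 in a subshell: the private key is never group/world readable.
  ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
  # -subj answers the prompts from Step 3 in one string ("/" separates fields).
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=US/ST=Oregon/L=Eugene/O=University of Oregon/OU=$ou/CN=$fqdn/emailAddress=$email"
}

check_csr() {  # usage: check_csr <dir> <fqdn>; returns 0 only if every check passes
  csr=$1/server.csr; key=$1/server.key; fqdn=$2
  # 1. Whole PEM block present, marker lines included (what the CA form needs).
  [ "$(head -n 1 "$csr")" = "-----BEGIN CERTIFICATE REQUEST-----" ] || return 1
  [ "$(tail -n 1 "$csr")" = "-----END CERTIFICATE REQUEST-----" ] || return 1
  # 2. The request's self-signature verifies (file not corrupted or edited).
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  # 3. The CSR carries the public half of *this* private key.
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || return 1
  # 4. Key size and Common Name are what we intended to request.
  openssl req -in "$csr" -noout -text | grep -q "Public-Key: (2048 bit)" || return 1
  openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
    grep -qF "CN=$fqdn," || return 1
  # 5. Private key has no group/other permission bits.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || return 1
}

# Example call (values taken from the prompts above):
#   make_csr . shell.uoregon.edu "Your Department's Name" blah@uoregon.edu
#   check_csr . shell.uoregon.edu && echo "CSR is ready to submit"
```

Only `server.csr` is sent to the CA; `server.key` stays on the server.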


Choosing a Certificate Authority (CA)

Depending on the level of security you wish to provide for your service, you can choose either a Class-1 certificate from IPSCA or a Class-2/3 certificate from GlobalSign.

Recommended CAs

    IPSCA: a CA that offers free Class-1 certificate signing for .edu domains.
    GlobalSign: A CA that offers Class-2 and Class-3 certificates.

Certificate Classes Explained

  • Class-1 certificates require much less identity verification of the sender than Class-2. We have tested Class-1 certificates from IPSCA; these certificates work well with both Microsoft and Linux servers and clients. However, they are not recommended for sites used off campus.
  • Class-2 certificates are recommended when the data being exchanged over SSL is financial, medical or otherwise extremely sensitive in nature. These certificates require a greater amount of verification of the requester's identity, and are more highly trusted by the SSL protocol.
  • Class-3 certificates are used when security is critical, and involve a greater degree of trust with the CA. Class-3 certificates are used by most banks and e-commerce sites. Sites which use a Class-3 certificate include Ebay.com and Amazon.com.


Submitting a CSR to GlobalSign

Step 1: Send an email to certificates@ithelp.uoregon.edu with the following information:

  • A UO index to charge.
  • How long the certificate should be valid for ($120 for 1 year, $200 for 2).
  • A CSR which you have generated for this certificate.

Step 2: You will automatically be made the point of contact for this certificate. When the request is completed, GlobalSign will contact you with your new signed certificate.


Submitting a CSR to IPSCA

NOTE: Using IPSCA is not recommended for any site used outside of the university.

Step 1: Go to: http://certs.ipsca.com/srvc/Buy.asp

  • Fill out the information in the form.

  • Under the heading "type of certificate", select "Education (2 years $0)"
  • Fill out the "Customer Contact Information"
    IMPORTANT: Be sure to type "University of Oregon" in the "Company" field
    Skip the field "CIF\VAT Number"

  • Fill out the "Technical Contact" field with the following information:

  • Select what type of server you are requesting the certificate for in the "Server type" menu
  • Open your CSR in your favorite text editor, and copy ALL of its contents, including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----"
  • Paste your certificate request in the provided field.
  • Click the "Submit" button.

Step 2: Contact the Security group

  • Send an e-mail to certificates@ithelp.uoregon.edu saying that you submitted a certificate request to IPSCA. This is important because certificate requests are sometimes lost. If we don't know a request was submitted, we cannot contact IPSCA to check on the status of your certificate.

Step 3: Get your certificate

  • After this process is complete, you should receive your certificate within one to five business days.


Installing an SSL Certificate Under Apache

Please see http://www.globalsign.com/support/install/install_apache.html for instructions.


Installing an SSL Certificate Under Microsoft IIS 7

Please see http://www.globalsign.com/support/install/install_iis7.html for instructions.


Installing an SSL Certificate Under Tomcat

Please see http://www.globalsign.com/support/install/install_tomcat.html for instructions.


Installing an SSL Certificate Under Some Other Platform

Please see http://www.globalsign.com/support/installcert.html for instructions.