Howto: Registering-Renewing SSL certificates


Although some of this information can still be useful, it is now out of date. Please consult the central wiki guides at https://wikis.bris.ac.uk/display/itsupportstaff/SSL+Certificate+Request

This HowTo describes the procedures for registering and renewing X.509 SSL certificates for use on ILRT servers. SSL certificates are primarily used on HTTPS web sites but can also be used for Stunnel connections, SMTP/IMAP mail services, software signing, etc. The first thing to note is that in many cases I am the primary contact for most things SSL. In most instances you should contact me first before attempting to register or renew an SSL certificate. If I am unavailable, follow this procedure.

Registering new certificates

It is possible to split the tasks into four parts: the client negotiation, the technical key creation, the purchasing and the technical installation.

  1. Anyone can do this task. Ask the client (or yourself) these initial questions before buying a certificate:
    • What strength does the certificate need to be? Remember the UoB doesn’t allow for the transmission of credit card information through any University equipment.
    • Does the institution have its own Certificate Authority for signing certificates? If so, should they use that instead of a commercial CA?
    • Is the institution a member of the JANET/Globalsign free certificate programme? If so, this is the preferred method.
    • If they need a commercial certificate, advise them that we recommend GoDaddy.
    • Ask them to register it themselves with a supplied CSR from us. If they have trouble we can do it for them, but be aware there is an admin overhead and we don’t actually gain much financially from doing this.
    • If we are to register the certificate through a commercial CA then with GoDaddy we need to ensure that we have access to a predetermined email account or that the client can respond to emails sent to this account. It is mandatory that the email address be the one listed as the registrant contact on the domain whois lookup.
    • Finally, if we are registering the certificate through a commercial CA we need the following details from the client:
      • First name
      • Last name
      • Job Title
      • Work phone number
      • Office address (street name and number, city, county, post code, country).
      • Fax number
      • Organisation type (e.g. PLC, Charity, University)
  2. If the certificate is to be used on our servers, we should generate the CSR ourselves in all cases; the client therefore needs to supply the following information:
    • Country Name (2 letter code)
    • State or Province Name (full name)
    • Locality Name (eg, city)
    • Organization Name (eg, company)
    • Organizational Unit Name (eg, section)
    • Common Name (eg, the server/hostname name)
    • Email Address

    If you are creating a JANET/Globalsign certificate for the UoB (under the domain bris.ac.uk) then you need to use the following subject format:

    • Country Name: GB
    • State or Province Name: Bristol
    • Locality Name: Bristol
    • Organization Name: University of Bristol
    • Organizational Unit Name: ILRT
    • Common Name: hostname.ilrt.bris.ac.uk
    • Note there is NO email address given for this type of certificate.
  3. This step should be completed by someone with knowledge of UNIX shell commands. Always create the initial Certificate Signing Request on our network, where secure transmission of the key file can be ensured. Once you have the information from step 2, create the CSR and private key files. Do this on a secure machine and keep the key file safe! I recommend using a USB pen drive, an encrypted loopback device or eCryptfs to store the files. Use the new-ssl-cert.sh script to generate the CSR and key as follows:
    • mkdir ~/sslcerts
    • <do some cryptoloop stuff to secure that folder>
    • cd ~/sslcerts
    • <download the script>
    • ./new-ssl-cert.sh www.example.com
    • <answer the questions with the answers from above>
    • send the CSR block to the client or use it in a new registration.
  4. This step needs to be completed by the individual responsible for purchasing the certificate. There are a number of possibilities here, and it can get quite confusing and stressful for the parties involved if a deadline is looming.
    1. If the client is registering the certificate via their own CA, JANET or by a commercial CA you need to send them the CSR. ONLY send the CSR and NOT the private RSA key file. I recommend that you always send the CSR in clear text instead of as an attachment as you will avoid it being dumped by spam/virus scanners. You might want to use fluff if you want to be totally sure it gets through.
    2. If we are registering the certificate via JANET then the CSR will need to be sent to me primarily. If I am away for a while then you can try Richard Hopkins or George Gooding if it is urgent.
    3. If we are registering the certificate via a commercial CA then you will need to grab someone from finance (Tam Lewis normally) with access to the GoDaddy account to purchase the certificate. They will put a “credit” on the GoDaddy account so the certificate can be registered by me. Again, if I am not around the finance person should be able to complete the registration. A confirmation email from GoDaddy is sent to the client at this stage, which they must respond to.

    Once the CSR is sent/purchased, correspondence will either come direct to you (in 1 or 2) or from GoDaddy to the ilrt-hostmaster@bris.ac.uk shared mailbox. I and a few people in finance have access to this mailbox. It normally takes 2-3 days for a certificate to be issued. It can sometimes take over a week, so allow plenty of time and be patient, but do not hesitate to follow up if you're not sure whether people are waiting on you or vice versa.

  5. Once the certificate has been issued, pass the email or the link (with account id and password) to an administrator or someone who has the privileges to write to the files on the web server in question and to restart it. There may also be a question of allocating network addresses and configuring new network interface aliases on the server, in which case it’s probably best to send an email to ilrt-helpdesk@bris.ac.uk with the details of the new SSL site. The certificate must be installed on the server by a Systems Administrator. The steps to add an SSL certificate to a server may vary greatly and require their own page! Remember to ask for a Nagios monitor check for the certificate so we get reminded of its imminent expiry.
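As an added example (this is not the page's new-ssl-cert.sh and not ILRT's own code), the following POSIX shell functions do what step 3 describes: generate an RSA key and a CSR non-interactively with the JANET/Globalsign subject format from step 2, print the CSR subject so it can be checked before anything is sent to a CA, and verify the CSR's own signature so a pasted copy can be checked for truncation. The function names, the output directory and the hostnames are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not ILRT's new-ssl-cert.sh: generate a private key and CSR
# non-interactively with the subject fields from step 2, then show the CSR
# subject for checking before it is sent to a CA. Requires openssl.
set -eu

# make_csr HOSTNAME OUTDIR [OU]
# Writes OUTDIR/HOSTNAME.key (private key, created mode 0600) and
# OUTDIR/HOSTNAME.csr using the JANET/Globalsign subject format for
# bris.ac.uk hosts: note there is no emailAddress field.
# OUTDIR and the OU default are assumptions.
make_csr() {
    host=$1
    outdir=$2
    ou=${3:-ILRT}
    mkdir -p "$outdir"
    subj="/C=GB/ST=Bristol/L=Bristol/O=University of Bristol/OU=$ou/CN=$host"
    # -nodes leaves the key unencrypted, which is why the file itself must be
    # kept somewhere safe (the page suggests a pen drive or encrypted volume).
    # The subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
          -subj "$subj" 2>/dev/null )
}

# csr_subject CSRFILE : print the subject in RFC 2253 form, e.g.
# subject=CN=www.example.com,OU=ILRT,O=University of Bristol,L=Bristol,...
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1"
}

# csr_selfcheck CSRFILE : exit 0 if the CSR's own signature verifies, i.e. the
# file was not truncated or altered when pasted into an email (step 4).
csr_selfcheck() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Demo on a constructed hostname: the printed CSR block is what goes to the
# client; the .key file never leaves the machine it was created on.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr www.example.com "$dir"
    csr_subject "$dir/www.example.com.csr"
    cat "$dir/www.example.com.csr"
fi
```

Run it as `sh make-csr.sh demo` to see the subject line and the CSR block. Checking the subject with `csr_subject` before sending is worth the few seconds: a CA will issue whatever common name is in the request, and a typo there means paying for a second certificate.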

Renewing a certificate

The process is much the same as above.

You will probably want to ask the same questions in step 1 as processes or policies may have changed in the organisation.

Allow for plenty of time before the renewal date as it can take longer to renew a cert than to register one.

The Certificate itself should remain the same in most cases and the CSR can be extracted from the active cert like this:

openssl x509 -x509toreq -in www.example.com.crt -signkey www.example.com.key

The same rules apply for getting the certificate to the client or to an administrator to renew the cert. One exception to this process is that a renewal at Thawte can be done without steps 1-4. Log straight into the renewal page with a credit card handy and you can renew straight away. However, we are trying to migrate all Thawte certificates to GoDaddy to save some money so please treat these as new registrations.

Installing the cert should just be a matter of replacing the relevant file on the server and restarting the application or daemonised service. However, it is wise to ask an administrator to install it as it’s tricky to recover from a broken or mismatched key file. You may render a lot of websites inoperable if you don’t know what you are doing! :-O
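As an added example (not from the page and not ILRT's own tooling), the renewal step above and the pre-install sanity check are scripted here as POSIX shell functions: rebuilding the CSR from the active certificate with -x509toreq, confirming that a private key really belongs to a certificate before any file on the server is replaced, and the expiry test a Nagios monitor would make. openssl must be installed; the function names and the self-signed fixture are assumptions, and in the real process the certificate comes from the CA rather than from make_selfsigned.

```shell
#!/bin/sh
# Added example, not ILRT's own code: renewal and pre-install checks with
# openssl. Requires openssl; file names and the self-signed fixture are
# constructed for illustration.
set -eu

# renew_csr CERT KEY OUTCSR : rebuild the CSR from the active certificate and
# its key (the page's "openssl x509 -x509toreq" step) for the renewal request.
renew_csr() {
    openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# modulus_fp KIND FILE : SHA-256 of the RSA modulus of a key, csr or cert.
# Equal fingerprints mean the files belong to the same key pair.
modulus_fp() {
    case $1 in
        key)  m=$(openssl rsa  -noout -modulus -in "$2") ;;
        csr)  m=$(openssl req  -noout -modulus -in "$2") ;;
        cert) m=$(openssl x509 -noout -modulus -in "$2") ;;
        *)    echo "modulus_fp: unknown kind '$1'" >&2; return 2 ;;
    esac
    printf '%s\n' "$m" | openssl sha256 | sed 's/^.*= *//'
}

# pair_ok KEY CERT : exit 0 only if the key matches the certificate. Run this
# before replacing files on a live server; a mismatched key is the failure the
# page warns is hard to recover from.
pair_ok() {
    [ "$(modulus_fp key "$1")" = "$(modulus_fp cert "$2")" ]
}

# expires_within DAYS CERT : exit 0 if the certificate expires within DAYS
# days, which is the condition a Nagios expiry check would alert on.
expires_within() {
    ! openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null
}

# make_selfsigned CN KEY CERT DAYS : constructed fixture standing in for a
# CA-issued certificate so the functions above can be exercised offline.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$4" \
        -keyout "$2" -out "$3" -subj "/C=GB/O=Example/CN=$1" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned www.example.com "$d/site.key" "$d/site.crt" 30
    pair_ok "$d/site.key" "$d/site.crt" && echo "key matches certificate"
    renew_csr "$d/site.crt" "$d/site.key" "$d/site.csr"
    openssl req -noout -subject -in "$d/site.csr"
    expires_within 60 "$d/site.crt" && echo "expires within 60 days: renew now"
fi
```

Run it as `sh cert-checks.sh demo`. On a real server the useful calls are `pair_ok new.key new.crt` before copying anything into place, and `expires_within 30 live.crt` as the body of the Nagios check mentioned in step 5.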

Remember, if in doubt come and see me or just create a ticket and I’ll do it all for you. :-D