How to request a certificate for a web server

For OIT to purchase or renew an SSL certificate, you need to include several pieces of information in your request. Send the request through the OIT ticketing system, or by email to certmgr@utk.edu.

2048-bit Certificate Signing Request (CSR):

There are many ways of generating a CSR and most are application-specific. There is no single generic way to create one that is guaranteed to work with your specific application. Your application should provide a way, either directly or indirectly, to generate a CSR.

You will need the following information:

  • A UT account code to bill for the certificate. Standard certificate prices are:
    • 1 year, $30
    • 2 year, $50
  • The type of application that will use the certificate (e.g., Oracle, JBoss, Apache, iPlanet, IIS5, IIS6, etc.).
  • Your business office's FAX number.

Generating the CSR:

  • It must be generated with at least a 2048-bit key.
  • It should follow the pattern below exactly, unless indicated otherwise:
    • Common Name*: servername.utk.edu (or tennessee.edu)
    • Organization: University of Tennessee
    • Org. Unit**: (your department name)
    • Locality: Knoxville
    • State: Tennessee
    • Country: US

* The Common Name (CN) of the certificate should usually be the fully qualified domain name that customers will use to access the service. If you're doing any virtual hosting, the CN should probably be the virtual host name, instead of the server's actual IP name.

** The Org Unit (OU) is an optional CSR attribute. It can be omitted, or you can substitute your department name.

  • There are generally no vendor refunds or cancellations. Once a request has been submitted to a CA for processing, it's final.
  • The CA isn't very forgiving of errors:
    • The CA will reject a malformed CSR (pay careful attention to abbreviations and capitalizations).
    • If you misspell something (say the webserver name) you've just bought a worthless certificate. A typo isn't going to be forgiven... so don't ask. Verify the contents before you submit your request.
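
As an added example (not OIT's own procedure), the shell functions below use OpenSSL to generate a 2048-bit key and a CSR with the subject pattern above, then check the CSR before it is submitted. The host name, file names and function names are placeholders, and the key is assumed to be written without a passphrase so the commands run non-interactively.

```shell
#!/bin/sh
# Added example. Host name, file names and function names are placeholders.

# make_csr HOST DIR [OU]: write DIR/HOST.key and DIR/HOST.csr (2048-bit RSA).
make_csr() {
    host=$1; dir=$2; ou=${3:-}
    subj="/C=US/ST=Tennessee/L=Knoxville/O=University of Tennessee"
    if [ -n "$ou" ]; then subj="$subj/OU=$ou"; fi   # OU is optional
    subj="$subj/CN=$host"
    (
        umask 077   # assumption: key is left unencrypted (-nodes), owner-only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" \
            -subj "$subj" 2>/dev/null
    )
}

# check_csr FILE HOST: succeed only if the CSR parses, its self-signature
# verifies, the key is at least 2048 bits and the subject fits the pattern.
check_csr() {
    csr=$1; host=$2
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    # Key size appears as "(2048 bit)" in the text dump.
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "key too small: ${bits:-unknown} bits" >&2; return 1
    fi

    # RFC 2253 output is comma separated, e.g. CN=host,O=...,C=US
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
              sed 's/^subject= *//')
    for want in "CN=$host" "O=University of Tennessee" "L=Knoxville" \
                "ST=Tennessee" "C=US"; do
        case ",$subject," in
            *",$want,"*) ;;
            *) echo "subject mismatch: no $want in $subject" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage:
#   make_csr servername.utk.edu . && check_csr ./servername.utk.edu.csr servername.utk.edu
```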

Installing the certificate:

  • It is assumed that you know how to properly generate a CSR (Certificate Signing Request) and how to install and use the resulting certificate in your application. We can request the certificate for you, and we may be able to offer suggestions based on familiar environments (Apache, iPlanet, IIS, Lotus Notes), but we will not be responsible for making the certificate work in your environment.
  • Many applications come with their own tool for working with certificates. If yours does not, we have found that OpenSSL works if your system comes with that product.
  • The Comodo support site has instructions for generating certificate requests for a large number of software packages. You might check out their site for hints:
  • Be sure to download and install the entire certificate chain, or at least verify that all root and intermediate certificates are already installed in your server or application certificate database.
  • Don't lose the private key that is generated along with the CSR, and don't forget the private key password. Your certificate won't work without them. Your application may hide or take care of these things automatically for you.

Renewing the certificate:

  • Certificates are NOT automatically renewed. Certificates generally expire after one or two years. You may receive a renewal notification, but you may not. Regardless, you are responsible for requesting a renewal of your certificate.
  • Renewal consists of submitting a new CSR in most cases, but not all; check with OIT first.

If you have questions, email certmgr@utk.edu.

Details

Article ID: 123255
Created: Thu 12/24/20 12:46 AM
Modified: Wed 1/6/21 9:23 AM
Environment: Volweb