SSL Certificate: Request a Certificate for a Web Server

Overview

For OIT to purchase or renew an SSL certificate, you need to include several pieces of information in your request.

Once you have gathered the necessary information, use Request an SSL Certificate to submit it.

A 2048-bit Certificate Signing Request (CSR)

There are many ways of generating a CSR, and most are application-specific, so we cannot provide a single generic way to create one that is guaranteed to work with your specific application. Your application should provide a way, either directly or indirectly, to generate it. If you are requesting a multi-domain certificate, provide a list of all requested Subject Alternative Names (SANs).

Generating the CSR

CSRs must be generated with at least a 2048-bit key. The subject should follow the pattern below exactly, unless indicated otherwise:

  • Common Name: example.utk.edu (or tennessee.edu)
  • Organization: University of Tennessee
  • Org. Unit: (your department name)
  • Locality: Knoxville
  • State: Tennessee
  • Country: US

The Common Name (CN) of the certificate should usually be the fully qualified domain name that customers will use to access the service, so if you're doing any virtual hosting, the CN should probably be the virtual hostname rather than the server's own hostname. The Org Unit (OU) is an optional CSR attribute: it can be omitted, or you can substitute your department name. You do not have to include SANs in multi-domain CSRs. So long as we have the requested list, they can be manually added when submitting the request to the CA.

Important Notes:

  • The CA isn't very forgiving of errors:
    • (a) The CA will reject a malformed CSR (pay careful attention to abbreviations and capitalization), and
    • (b) it will reject a CSR that contains a misspelling (say, in the web server name). Verify the contents before you submit your request.
  • Don't lose the private key that is generated along with the CSR, and don't forget the private key password. Your certificate won't work without them. Your application may hide or take care of these things automatically for you. Take care to also secure your private key. Do not send it to OIT or transfer it via insecure media such as email. If you do, consider the CSR/Key pair compromised and start again.
  • Certificates are NOT automatically renewed. Certificates expire after 1 year.
  • Be sure to download and install the entire certificate chain, or at least verify that all root and intermediate certificates are already installed in your server or application certificate database. The chain should be included in the email you receive from the CA.
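As an added example (not OIT's own procedure, and not tied to any particular application), the POSIX shell script below uses OpenSSL to generate a 2048-bit key and a CSR with the subject pattern above, lists the SANs for a multi-domain request, and then proofreads the CSR (signature, key size, subject, SANs) before it is submitted. The hostnames and department name are constructed placeholders; the config section names are chosen here and are not required by OpenSSL.

```shell
#!/bin/sh
# Added example, not OIT's own tooling: build a 2048-bit RSA key and CSR with
# OpenSSL following the subject pattern above, then review the CSR before
# submitting it. Hostnames and the department name are constructed placeholders.
set -e

# make_csr <fqdn> <department or ""> [additional SAN hostnames...]
# Writes <fqdn>.key (private key, mode 0600) and <fqdn>.csr in the current directory.
make_csr() {
    fqdn=$1; dept=$2; shift 2
    cfg="$fqdn.cnf"

    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
        printf '[dn]\nCN = %s\nO = University of Tennessee\n' "$fqdn"
        # OU is optional: omit the line entirely rather than leaving it empty.
        if [ -n "$dept" ]; then
            printf 'OU = %s\n' "$dept"
        fi
        printf 'L = Knoxville\nST = Tennessee\nC = US\n\n'
        # SANs: the CN itself first, then any extra names for a multi-domain cert.
        printf '[ext]\nsubjectAltName = @alt\n\n[alt]\n'
        i=1
        for name in "$fqdn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"

    # The private key stays on this host: create it unreadable by other users.
    (umask 077 && openssl genrsa -out "$fqdn.key" 2048 2>/dev/null)
    openssl req -new -key "$fqdn.key" -config "$cfg" -out "$fqdn.csr"
    rm -f "$cfg"
}

# check_csr <csr file>
# Fails if the CSR's self-signature does not verify or the key is under 2048 bits;
# otherwise prints the subject and SANs so they can be proofread before submission.
check_csr() {
    csr=$1
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "$csr: signature does not verify (corrupt or edited CSR)" >&2
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "$csr: key is ${bits:-unknown} bits, need at least 2048" >&2
        return 1
    fi
    printf '%s\n' "$text" | grep -E 'Subject:|DNS:'
}

# Usage: sh make-csr.sh <fqdn> <department> [extra SAN hostnames...]
if [ "$#" -ge 2 ]; then
    make_csr "$@"
    check_csr "$1.csr"
fi
```

The printed Subject and DNS lines are what the CA will see; compare them word for word against the pattern above (abbreviations, capitalization, hostname spelling) before submitting, since a rejected or mis-issued certificate means a new CSR. The key file is created under `umask 077` so only its owner can read it; it is never part of what you send to OIT.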

Installing the Certificate

  • It is assumed that you know how to properly generate a CSR (Certificate Signing Request) and how to install and use the resulting certificate in your application. We can request the certificate for you, and we may be able to offer suggestions based on familiar environments (Apache, iPlanet, IIS, Lotus Notes), but we will not be responsible for making the certificate work in your environment.
  • Many applications come with their own tool for working with certificates. If yours does not, we have found that OpenSSL works if your system comes with that product.
  • The Comodo support site has instructions for generating certificate requests for a large number of software packages. You might check out their site for hints:
  • Be sure to download and install the entire certificate chain, or at least verify that all root and intermediate certificates are already installed in your server or application certificate database.
  • Don't lose the private key that is generated along with the CSR, and don't forget the private key password. Your certificate won't work without them. Your application may hide or take care of these things automatically for you.

Renewing the Certificate

  • Certificates are NOT automatically renewed. Certificates generally expire after one or two years. You may or may not receive a renewal notification. Regardless, you are responsible for requesting a renewal of your certificate.
  • Renewal consists of submitting a new CSR in most cases, but not all; check with OIT first.
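The two recurring tasks in the "Installing the Certificate" and "Renewing the Certificate" sections, checking that the full chain is in place and noticing expiry before it happens, can be scripted. The following is an added example, not OIT's tooling: it verifies an installed leaf certificate against the chain file received from the CA and flags the certificate for renewal when its expiry date falls within a chosen window. File names, the warning window, and the hostname in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not OIT's own tooling: confirm that an installed certificate
# chains to the root through the intermediates you were sent, and flag it for
# renewal ahead of time, since certificates are not renewed automatically.
# File names and the warning window are placeholders.
set -e

# fetch_leaf <hostname> [port]
# Prints, in PEM, the certificate a live server presents for that name (SNI).
fetch_leaf() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# chain_ok <leaf.pem> <chain.pem>
# Succeeds only if the leaf verifies using the certificates in chain.pem
# (the intermediate(s) and root from the CA's email). A missing intermediate
# shows up here as a failure rather than as client errors later.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# expires_within <leaf.pem> <days>
# Succeeds if the certificate's notAfter falls within the next <days> days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# report <leaf.pem> <chain.pem> <warn_days>
# Prints one status line per check; returns 1 if either check needs action.
report() {
    status=0
    if chain_ok "$1" "$2"; then
        echo "chain:  OK"
    else
        echo "chain:  FAILED (is every intermediate and the root in $2?)"
        status=1
    fi
    openssl x509 -in "$1" -noout -subject -enddate
    if expires_within "$1" "$3"; then
        echo "expiry: within $3 days, submit a renewal request now"
        status=1
    else
        echo "expiry: more than $3 days away"
    fi
    return $status
}

# Usage: sh check-cert.sh <leaf.pem> <chain.pem> [warn_days]
# To check a running server instead of a file:
#   fetch_leaf www.example.utk.edu > leaf.pem   (placeholder hostname)
if [ "$#" -ge 2 ]; then
    report "$1" "$2" "${3:-30}"
fi
```

Because `report` returns non-zero when either check needs attention, it can be run from cron or a monitoring job so that a missing intermediate or an approaching expiry is noticed before users see errors. Pick the warning window to leave enough time for the OIT request cycle described above.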

Details

Article ID: 123255
Created: Thu 12/24/20 12:46 AM
Modified: Thu 1/13/22 4:01 PM
Environment: Volweb