Overview
For OIT to obtain or renew an SSL certificate, you need to include a couple of pieces of information in your request.
If you already have your certificate, see Web Server Certificate Request, Installation, and Renewal.
A 2048-bit Certificate Signing Request (CSR)
There are many ways of generating a CSR and most are application-specific, so we cannot provide a single generic way to create one that is guaranteed to work with your specific application. Your application should provide a way, either directly or indirectly, to generate it. If you are requesting a multi-domain certificate, provide a list of all requested Subject Alternative Names (SANs)
Generating the CSR
CSRs must be generated with at least a 2048-bit key. It should follow the pattern below exactly, unless indicated otherwise, for example:
- Common Name: example.utk.edu (or tennessee.edu)
- Organization: University of Tennessee
- Org. Unit: (your department name)
- Locality: Knoxville
- State: Tennessee
- Country: US
The Common Name (CN) of the certificate should usually be the fully qualified domain name that customers will use to access the service, so if you're doing any virtual hosting, the cn should probably be the virtual hostname, instead of the server's actual IP name. The Org Unit (OU) is an optional CSR attribute. it can be omitted, or you can substitute your department name. You do not have to include SANs in multi-domain CSRs. So long as we have the requested list, they can be manually added when submitting the request to the CA.
Important Notes:
- The CA isn't very forgiving of errors:
- (a) The CA will reject a malformed CSR (pay careful attention to abbreviations and capitalizations) and
- (b) if you misspell something (say the webserver name). Verify the contents before you submit your request.
- Don't lose the private key that is generated along with the CSR, and don't forget the private key password. Your certificate won't work without them. Your application may hide or take care of these things automatically for you. Take care to also secure your private key. Do not send it to OIT or transfer it via insecure media such as email. If you do, consider the CSR/Key pair compromised and start again.
- Certificates are NOT automatically renewed. Certificates expire after 1 year.
- Be sure to download and install the entire certificate chain, or at least verify that all root and intermediate certificates are already installed in your server or application certificate database. The chain should be included in the email you receive from the CA.