Academic Computing and Communications Center (ACCC)

(SSL) Server Certificates at UIC

Introduction

A server certificate is needed to enable SSL operation on your server. To avoid alarming warning dialogues issued by Netscape and Microsoft browsers, the certificate must be digitally signed by a trusted third party, a Certificate Authority (CA) such as VeriSign or Thawte, whose signatures are recognized by the browser. Certificate authorities will only issue a certificate after taking steps to verify that the requesting party is authorized to use the name that appears in the Organization field of the certificate.

ACCC has enrolled on behalf of the campus in the Thawte SPKI program. Under this program, senior ACCC employees are authorized to approve certificate requests for servers in the uic.edu DNS domain. Certificates requested under this program are processed faster (normally 2 business days or less rather than 3-5) and cost less ($190 rather than $249). It is usually less hassle as well, since ACCC has already gone through the pains of certifying UIC as a legitimate organization, a step you therefore do not have to repeat with Thawte.

Requesting a Thawte Server Certificate Through ACCC
  Requesting a certificate involves the following steps:
  1. Log in to E-Sales: http://e-sales.accc.uic.edu and place an order for 'Thawte SSL Server Certificates'. You will be required to enter a CFOP account number. Your CFOP account will automatically be charged within 1 week. You no longer need to submit a voucher for payment.

  2. Email certmgr@uic.edu with the following information:
    • Fully qualified domain name of the server (eg. www-s.department.uic.edu)

    • Secure HTTP server vendor and version (e.g. Apache mod_ssl 1.3.20 or Microsoft IIS 4.0)

    • Certificate signing request (CSR) generated by your secure server. A CSR is an ASCII text file that includes something that looks like this:
      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIBuzCCASQCAQAwezELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMQ8w
      ...[etc]
      +fj2LwNBrBaZo+ZFYput
      -----END NEW CERTIFICATE REQUEST-----
      
    See below for instructions on generating a CSR.
If you haven't received a response after three full business days since emailing your request, email a query to certmgr@uic.edu.
Generating a Certificate Signing Request (CSR)
  • See your secure server's documentation for detailed instructions on how to generate a certificate request.

    Also, carefully review Thawte's instructions for key and CSR generation for your secure server. (Ignore Thawte's final instruction about pasting the CSR into their form. Instead you will email the CSR to certmgr@uic.edu.)

  • At some point during the process, you will be prompted to enter values for six fields that will be encoded in your certificate. Here is a template for the fields:
            *Common-name : www-s.department.uic.edu
            Organization : University of Illinois at Chicago
    *Organizational Unit : Department of Redundancy Department
                Locality : Chicago
                   State : Illinois
                 Country : US
    
    For fields marked with an asterisk, enter appropriate values for your server and department. All other fields should be entered exactly as shown (no abbreviations, punctuation, capitalization changes, extra spaces, etc.)


  • If you are prompted for webmaster email address, phone number, or challenge phrase, enter any reasonable values. These three items are not used in processing your request.


  • If during the process your server prompts you for a Certificate Authority, enter certmgr@uic.edu.


  • Your server will either store the certificate request in a file or email it to certmgr@uic.edu. (It should tell you which of these things it did.) If it stored the request in a file, email the contents of that file to certmgr@uic.edu.
Cautions and Tips
  • A defect in Microsoft IIS 5 prevents the key management software from being able to request a certificate with a new FQDN while another certificate with a different FQDN exists. Attempting to reload a backup of the old certificate while waiting for the new certificate to arrive has destroyed private key information for the new certificate and rendered it unusable. If you need to change the FQDN in the certificate of an existing server, you will need to delete the current certificate and run without a certificate until the new certificate is received.


  • To correctly generate a CSR for a renewal of a Microsoft IIS 5 server certificate, Windows 2000 must be updated to Service Pack 2 or later.


  • Defects in Microsoft Visual InterDev 1 and 6 and FrontPage 97/98 prevent recognition of Thawte certificates. See KnowledgeBase article Q238662. If you require a certificate recognized by these Microsoft products, you will need to order a certificate directly from VeriSign rather than ordering a Thawte certificate through ACCC.


  • Part of an initial request for a certificate involves generating a public/private keypair that is stored on your server. Since the public key from this keypair is encoded in your certificate, loss of the keypair on your server will render your certificate worthless.

    Care should be taken to back up your keypair data on another computer, a floppy disk, or perhaps both. Information on keypair backup can be found in Thawte's instructions for key and CSR generation.

    Also, part of generating a keypair is specifying a password used to encrypt it. (This prevents someone with access to the keypair data from extracting the private key and using it to decrypt SSL traffic to and from your server.) Forgetting this password could also render your certificate worthless, so pains should be taken to remember it, perhaps writing it down in some hidden place, or sharing it with one or two other people in your department.

    Note that Thawte, unlike VeriSign, does not have a liberal 30 day no-cost no questions asked certificate reissue policy to cover key or password loss.

  • Your server's fully qualified domain name (FQDN) is encoded in your certificate. This means that if you need or want to move your server to a different machine (one with a different FQDN), you will need to request (and pay for) another certificate. You might consider setting up a special DNS alias (CNAME) to use for your secure server and its certificate, for example www.department.uic.edu. This would allow moving your secure server and its certificate to another machine with only a DNS change (provided the same vendor's HTTP server is used on the new machine). See your REACH member to arrange for such an alias.
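The OpenSSL commands for the Apache mod_ssl case, as an added example that is not part of the ACCC page: the script generates a passphrase-protected keypair and a CSR with the six fields from the template in the CSR section above, checks the CSR before it is emailed (fixed fields exactly as on the template, Common Name inside uic.edu), and confirms that a key file still matches the CSR, which is the loss case the keypair caution above describes. The host name, Organizational Unit, file names and the KEYPASS variable are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the ACCC page: generate a keypair and CSR with
# OpenSSL for an Apache mod_ssl server using the template's six DN fields,
# then check the CSR and key before the CSR is emailed to certmgr@uic.edu.
# Assumes openssl on PATH; host, OU and file names are placeholders; the key
# passphrase comes from the KEYPASS environment variable, not the command line.
set -e

# Fixed fields: exactly as on the template, no abbreviations or extra spaces.
UIC_O="University of Illinois at Chicago"
UIC_L="Chicago"
UIC_ST="Illinois"
UIC_C="US"

# gen_csr HOST OU KEYFILE CSRFILE: passphrase-protected 2048-bit RSA key + CSR.
gen_csr() {
    [ -n "$KEYPASS" ] || { echo "KEYPASS is not set" >&2; return 1; }
    export KEYPASS
    openssl req -new -newkey rsa:2048 -sha256 -keyout "$3" -passout env:KEYPASS \
        -out "$4" -subj "/C=$UIC_C/ST=$UIC_ST/L=$UIC_L/O=$UIC_O/OU=$2/CN=$1" \
        >/dev/null 2>&1
}

# check_csr CSRFILE: verifies the CSR's self-signature, that the four fixed DN
# fields match the template, and that the Common Name lies inside uic.edu.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    for want in "O=$UIC_O" "L=$UIC_L" "ST=$UIC_ST" "C=$UIC_C"; do
        case ",$subj," in
            *",$want,"*) ;;
            *) echo "field does not match template: $want" >&2; return 2 ;;
        esac
    done
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        *.uic.edu) ;;
        *) echo "Common Name is not in uic.edu: $cn" >&2; return 3 ;;
    esac
}

# key_matches KEYFILE CSRFILE: confirms KEYFILE (e.g. one restored from backup)
# is the private half of the CSR's public key; if not, the certificate issued
# for this CSR will be useless, as the Cautions section warns.
key_matches() {
    pub_key=$(openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null)
    pub_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_csr" ]
}
```

Run check_csr on the CSR file before emailing it; a non-zero exit names the field that does not match the template.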
2008-2-27  certmgr@uic