Carnegie Mellon University School of Computer Science

Web Server Certificates

A web server certificate allows encryption of web traffic and, to the extent that you trust the signer of the certificate, authentication of a web server's identity. CMU has a site license for commercial certificates issued by Comodo, a well-known Certificate Authority (CA). Under that license, CMU issues and renews Comodo certificates for CMU hosts. There is no charge for this service. Comodo certificates are trusted by all widely-used browsers.  

Restrictions on certificates we can issue

  • Certificates can only be provided for hosts used for CMU research or educational purposes.
  • Requests for certs used by SCS hosts must be sponsored by a SCS Faculty or full-time staff member and must be for hosts over which they have administrative control.
  • Certificates will not be issued for host names that may be misleading, could be used to impersonate another site, are in violation of CMU or SCS policy, or violate the terms of CMU's Comodo site license.

To get a signed certificate for your host

  1. Decide on the name(s) you want on your cert.
  2. Create a CSR (Certificate Signing Request).
  3. Email the CSR to certificate-authority@andrew.cmu.edu with the following information :
  • Departmental e-mail address
  • CSR (Certificate Signing Request)
  • List of Subject Alternative Names, if needed

Your CSR will be submitted to Comodo.  You should receive your signed cert via email in a few working days.

Deciding on the names on your cert

Before you begin you must:

  • Chose a Common Name (CN): The Common Name is the name that people will use to make web connections to your server.  It must be be a fully-qualified domain name (FQDN) resolvable in DNS, or browsers will complain that your server's identity cannot be verified.  For highly-visible public services, it is common for the CN to be a descriptive name (e.g.  www.projectname.cs.cmu.edu) that is a DNS alias for some other host (e.g.  server-01.projectname.cs.cmu.edu).  For many other purposes, using the hostname of the machine that the server will be running on is sufficient.  If needed, it is possible to have multiple names (Subject Alternative Names) and/or wildcards on a single certificate.
  • Choose an Organizational Unit (OU): The signed Comodo certificate will list one OU in the Subject field.  When you generate the CSR, you should use a descriptive name such as, "SCS - UnitOrProjectName" (e.g.  SCS - ISRI) as the OU.

Creating a CSR

Creating a CSR involves generating a public/private key pair.  The private key should be kept secret - possession of the private key is how your web server verifies its identity to clients.  The public key is embedded in the certificate and is sent to every client when it makes an SSL connection to your server.  When Comodo signs a certificate, it creates a binding between the public key and other information on the cert, such as the FQDN of the web server.

Specific instructions for generating a CSR and installing a certificate depend on the type of Web server and platform involved.  All CSRs must have a private key size of exactly 2048 bits.

On Windows IIS server: follow Microsoft's instructions for the specific OS and IIS version you are using.

On platforms with OpenSSL installed: Use OpenSSL to generate a CSR by following the steps below:

Generate the private key with the command:

openssl genrsa -out key.pem 2048

Generate the CSR, using the openssl configuration listed below, with appropriate edits for the cert you are generating, and then running:

openssl req -config OpensslConfigFileName -new -key key.pem -out req.pem

Sample configuration file:

#  Sample OpenSSL configuration for to use for CSR generation

#  To use, copy this this configuration to a file on your host

#  and edit the placeholder values for '0.organizationalUnitName'

#  and 'commonName' located in the  '[ req_distinguished_name ]' section below,

#  to reflect the actual Organization Unit and Common Name for your cert.

#

 

[ req ]

default_bits                    = 2048

default_keyfile                 = privkey.pem

distinguished_name              = req_distinguished_name

attributes                      = req_attributes

x509_extensions                 = self_extensions

req_extensions                  = req_extensions

string_mask                     = nombstr

prompt                          = no

 

[ req_distinguished_name ]

countryName                     = US

stateOrProvinceName             = Pennsylvania

localityName                    = Pittsburgh

0.organizationName              = Carnegie Mellon University

0.organizationalUnitName        = ***EDIT***

commonName                      = ***EDIT***

 

[ req_attributes ]

 

[ req_extensions ]

basicConstraints                = CA:FALSE

nsCertType                      = server

nsComment                       = "OpenSSL Generated Certificate"

subjectKeyIdentifier            = hash

 

[ self_extensions ]

basicConstraints                = CA:FALSE

nsCertType                      = server

nsComment                       = "OpenSSL Generated Certificate"

subjectKeyIdentifier            = hash

authorityKeyIdentifier          = keyid,issuer:always

# End of sample configuration file.

 

Installing your certificate

Installation instructions for a certificate depend on the OS and server software you are running.  In most cases, you will also need to install a file containing intermediate certificates.  The mail you receive containing your certificate may also contain instructions on how to get the intermediate certificates for your new cert.  The directory, /afs/cs/help/downloads/web_publishing/, contains intermediate certificate files for all Comodo certificates that have been issued by SCS Facilities.  Almost all recently-issued Comodo certificates use the intermediate certs in the file, incommon-with-root-chain.crt.