An SSL certificate is a signed electronic guarantee that verifies the authenticity of a particular server. It's primarily used for providing web pages through an encrypted connection. Any service accessible by SSL must have a certificate, including any web server with encrypted or “secure” content.
Sometimes a self-signed certificate is sufficient for test and development servers, and it works with SSL encryption. See the instructions for creating a self-signed certificate for more information. However self-signed certificates don't help confirm the authenticity of the server and they could be open to some attacks. Most clients display a warning when they connect to a server with a self-signed certificate before proceeding (and some won't work at all).
On servers that require an encrypted connection, you should use an SSL certificate signed by a trusted certificate authority. Stanford users previously had to purchase such certificates with their university account numbers from Comodo's InstantSSL offering. Starting in mid-2011, there is no cost to Stanford users. Stanford contracted with InCommon (in partnership with Comodo) to provision an unlimited number of certificates at a flat fee with no additional cost passed on to you.
To obtain an SSL certificate, you must first generate a CSR (Certificate Signing Request). This file contains the required technical information to generate an SSL certificate.
To request a certificate, follow these steps:
- Generate a CSR. You can generate a CSR in multiple ways. Your server software may have a built-in function that creates the private key and CSR for you, but in most cases, you should use the openssl command-line utility to create them (see instructions). For more information, read the InstantSSL instructions and choose your server from the links on their page for specific guides. Note that all the hosts listed in your CSR must be registered in the NetDB system.
Note: The service only supports 2048-bit keys. CSRs signed with 1024-bit keys will not be accepted.
- Store your key in a safe and secure location.
- Complete the online request form.
After InCommon issues your certificate, you'll receive a confirmation email through an Administrative Systems administrator. The message contains several links to the certificate in different file formats (the first link contains the most common format) along with a link to a file that contains the root and chaining certificates (combined in one file) used to sign your certificate.
The process for certificate renewal is exactly the same as for ordering a new certificate. You must create a CSR and submit the request form.