...

Users who haven't installed the root certificate into their browsers will see warning messages when your web server presents a certificate issued by the UW Services CA. If you don't help them install the root certificate beforehand, and link strategically to the root installation page from your website, visitors may think there is a problem with, or become frustrated by, your website.

Although pre-installing the root certificate on systems within your department that you manage can significantly reduce the support burden, it probably won't eliminate it. Therefore, if you plan to deploy a certificate issued by the UW Services CA you should be prepared to support your user community and answer some questions (see UW Services CA FAQ).

If the size and nature of your user community suggests that this support is going to be difficult, it might be better to purchase a certificate from a well-known public CA, such as Thawte, and wait until the UW Services CA root certificate is more widely deployed within your user community. An InCommon-issued certificate may also be a good option in some cases.

...

The UW Services CA's root certificate can be obtained in a couple of ways. Use the root installation page to install it directly into a web browser, or visit the UWCA website to obtain it in PEM or DER format.

...

  1. Verify that you are registered as a contact for your DNS name. Your UW NetID may not have been added to the DNS record when the DNS name was established. If need be, update the contact information. For help with this step, refer to Managing DNS Names For Infrastructure Services Access.
  2. Go to the UW Certificate Services website.
  3. The UW Services CA website is obsolete, and the ActiveX method is no longer supported on recent versions of Windows.
  4. Click "New Certificate"
  5. Click the "Verify DNS Ownership" tab.
  6. Enter the fully qualified domain name (e.g. <hostname>.<subdomain>.washington.edu or <appname>.<subdomain>.washington.edu) and click "Verify ownership." If the response confirms your ownership, go to the next step. Otherwise go back to step 1.
  7. Click on either the "New UWCA Certificate" or the "New InCommon Certificate" tab.
    1. Additional details specific to an InCommon certificate can be found here.
  8. Paste your certificate request into the CSR window. The request must be in PEM format. PEM is a text encoding (base-64) of the binary certificate request.
    1. A CSR includes information that is used to create a certificate. This includes but is not limited to:
      1. Attributes of the certificate like state and country where it will be used. These two values must be set to Washington and US respectively. These values are part of the Subject property of the certificate.
      2. The common name (CN) which for a web site or service is its DNS name.
      3. The certificate public key. The public/private key pair are generated as part of the CSR creation.
        Note: InCommon Certificates require 2048 bit public/private keys.
    2. There are a number of different tools that can be used to generate a CSR. One popular tool is OpenSSL. OpenSSL can be obtained (in source code form) from the openssl.org website. It is also installed as part of a Shibboleth installation and with most Linux distributions.
  9. Choose the appropriate certificate type from the Type drop-down.
  10. Choose the type of web server you will be using along with the number of servers.
  11. Choose a certificate lifetime. Certificates used for testing should have a short lifetime. Production certificates are usually valid for 2 or 3 years.
  12. Click "Submit" to finish your request. You should receive a confirmation within 10 minutes.
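The following is an added example (not part of the original page) showing how to generate a CSR with OpenSSL that follows the subject rules listed in step 8 (country US, state Washington, CN set to the DNS name, 2048-bit key as required for InCommon), and how to check a CSR against those rules before pasting it into the request form. It assumes openssl is on the PATH; the hostname used is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the UW page: build and validate a CSR that matches the
# Subject policy described above. Assumes the openssl CLI is installed.

# make_csr <fqdn> <keyfile> <csrfile>
make_csr() {
  fqdn=$1; key=$2; csr=$3
  # rsa:2048 meets the 2048-bit requirement noted for InCommon certificates.
  # -nodes leaves the private key unencrypted so the web server can load it;
  # restrict the key file's permissions (e.g. run under umask 077).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" \
    -subj "/C=US/ST=Washington/L=Seattle/O=University of Washington/CN=$fqdn" \
    >/dev/null 2>&1
}

# check_csr <csrfile> <expected fqdn>
# Returns 0 only if the CSR has C=US, ST=Washington, CN equal to the DNS name,
# a key of at least 2048 bits, and a self-signature that verifies.
check_csr() {
  csr=$1; fqdn=$2
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
  case "$subj" in *"C=US"*) ;; *) echo "country must be US"; return 1;; esac
  case "$subj" in *"ST=Washington"*) ;; *) echo "state must be Washington"; return 1;; esac
  case "$subj" in *"CN=$fqdn"*) ;; *) echo "CN must be the DNS name $fqdn"; return 1;; esac
  # "Public-Key: (2048 bit)" is printed by openssl req -text for RSA keys
  bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key must be at least 2048 bits"; return 1; }
  # the request's own signature must verify with the enclosed public key
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Usage (placeholder hostname):
#   make_csr myapp.example.washington.edu server.key server.csr
#   check_csr server.csr myapp.example.washington.edu && cat server.csr
```

The contents of the resulting `server.csr` file (the PEM text between the BEGIN and END lines) are what step 8 asks you to paste into the CSR window.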

...

  1. If you do not already have a DNS name registered for your service, register one in a DNS subdomain for which you are allowed to register DNS names (e.g. <application name>.<subdomain>.washington.edu). Application developers working with web services will often request a DNS name of the form <uwnetid>.<subdomain>.washington.edu.
  2. Verify that you are registered as a contact for your DNS name. Your UW NetID may not have been added to the DNS record when the DNS name was established. If need be, update the contact information. For help with this step, refer to Managing DNS Names For Infrastructure Services Access.
  3. Go to step #2 under the section in this document titled "Requesting certificates for systems with a static IP address".

...

How to revoke a certificate

To revoke a UW Services CA certificate:

...

Email help@uw.edu with the CN (DNS Name) and expiration date of the certificate.

When to use multiple certificates

...

  1. Verify your system has the UW Services CA root installed.
  2. Log on to your Windows server as Administrator.
  3. Start the IIS Internet Services Manager.
  4. Display your web site properties.
  5. Select Directory Security > Server Certificate to run the Web Server Certificate Wizard.
  6. Select "Create a new certificate", click Next.
  7. Select "Prepare the request now, but send later", click Next.
  8. Type in any simple name (e.g. "MyExampleUWSCAcert") for the certificate and choose a bit length (1024 is a good bit length), then click Next.
  9. Type in Organization = "UW", Organization Unit = "" (actual text doesn't matter), click Next.
  10. Type your full DNS name for the Common Name, to conform to our DN policy.
  11. Select US for Country, type in "Washington" for state, and "Seattle" for city, click Next.
  12. Save the certificate request to a file (e.g. c:\certreq.txt).
  13. Finish the IIS Certificate Wizard.
  14. Open the certificate request file (e.g. in Notepad).
  15. Select the contents and copy it to the clipboard.
  16. Start a web browser, go to the UW Services CA web site (https://iam-tools.u.washington.edu/cs/), log in with your UW NetID, and select "New UWCA certificate".
  17. Choose the PEM method as you walk through the request process.
  18. Paste the contents of your certificate request file (e.g. c:\certreq.txt) into the "CSR" text field and submit your request.
  19. Wait for email acknowledging that your certificate has been issued.
  20. Go back to the UW Services CA web site, select the number corresponding to your current request from the list of Favorites, and click "Get PEM" or "Get PKCS 7" in the details display to the right.
  21. Copy, paste, and save the PEM certificate into a new file (e.g. c:\certfile.txt).
  22. Return to the Web Server Certificate Wizard.
  23. Process the pending request to install the new certificate (e.g. c:\certfile.txt).

Certificate requests

...

Beginning with Windows Vista and Server 2008, the UW Services CA's ActiveX request method no longer works. It was retired in October 2016.

Certificate requests on Windows without using IIS

...