Users who haven't installed the root certificate into their browsers will see warning messages when your web server presents a certificate issued by the UW Services CA. If you don't help them install the root certificate beforehand, and link strategically to the root installation page from your website, visitors may think there is a problem with, or become frustrated by, your website.
Although pre-installing the root certificate on systems within your department that you manage can significantly reduce the support burden, it probably won't eliminate it. Therefore, if you plan to deploy a certificate issued by the UW Services CA, you should be prepared to support your user community and answer some questions (see UW Services CA FAQ).
If the size and nature of your user community suggest that this support is going to be difficult, it might be better to purchase a certificate from a well-known public CA, such as Thawte, and wait until the UW Services CA root certificate is better deployed within your user community. An InCommon-issued certificate may also be a good option in some cases.
- If the certificate is for a DNS name that already has a static IP address assigned, refer to section 1.5.1, "Requesting certificates for systems with a static IP address", below.
- If the certificate is for use by a DNS name that identifies a service, application, or process, rather than a physical host machine, and there is no associated static IP address, refer to section 1.5.2, "Requesting certificates for systems without static IPs", below.
Requesting certificates for systems with a static IP address
- Verify your system has the UW Services CA root installed.
- Log on to your Windows server as Administrator.
- Start the IIS Internet Services Manager.
- Display your web site properties.
- Select Directory Security > Server Certificate to run the Web Server Certificate Wizard.
- Select "Create a new certificate", click Next.
- Select "Prepare the request now, but send later", click Next.
- Type in any simple name (e.g. "MyExampleUWSCAcert") for the certificate; 1024 is a good bit length. Click Next.
- Type in Organization = "UW", Organization Unit = "" (actual text doesn't matter), click Next.
- Type your full DNS name for the Common Name, to conform to our DN policy.
- Select US for Country, type in "Washington" for state, and "Seattle" for city, click Next.
- Save the certificate request to a file (e.g. c:\certreq.txt).
- Finish the IIS Certificate Wizard.
- Open the certificate request file (e.g. in Notepad).
- Select the contents and copy them to the clipboard.
- Start a web browser, go to the UW Services CA web site (https://iam-tools.u.washington.edu/cs/), log in with your UW NetID, and select "New UWCA certificate".
- Choose the PEM method as you walk through the request process.
- Paste the contents of your certificate request file (e.g. c:\certreq.txt) into the "CSR" text field and submit your request.
- Wait for the email acknowledging that your certificate has been issued.
- Go back to the UW Services CA web site, select the number corresponding to your current request from the list of Favorites, and click "Get PEM" or "Get PKCS 7" in the details display to the right.
- Copy, paste, and save the PEM certificate into a new file (e.g. c:\certfile.txt).
- Return to the Web Server Certificate Wizard.
- Process the pending request to install the new certificate (e.g. c:\certfile.txt).
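A check you can run on the downloaded file before processing the pending request, as an added PowerShell example that is not part of the original procedure: it loads the certificate, compares its subject name with the DNS name you requested, and tests whether Windows can build a trusted chain for it (this fails if the UW Services CA root is not installed on the server). The function name and the DNS name are placeholders; the file path is the page's example.

```powershell
# Added example (not from the original page).
# Test-IssuedCertificate is a hypothetical helper name.
function Test-IssuedCertificate {
    param(
        [string]$CertPath = 'c:\certfile.txt',                      # page's example path
        [string]$ExpectedDnsName = 'myhost.example.washington.edu'  # placeholder DNS name
    )

    # Load the PEM (base64) certificate saved from the CA web site.
    $fullPath = (Resolve-Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath

    # SimpleName returns the subject's Common Name when one is present.
    $cn = $cert.GetNameInfo('SimpleName', $false)

    # Build the chain against the local trust stores. Revocation is not
    # checked here; the point is only whether the issuing root is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        CommonName   = $cn
        NameMatches  = ($cn -eq $ExpectedDnsName)   # string -eq ignores case
        KeyBits      = $cert.PublicKey.Key.KeySize
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        ChainTop     = $top.Subject
        # UntrustedRoot or PartialChain here means the root is not installed.
        ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

Test-IssuedCertificate | Format-List
```

If ChainTrusted is False with UntrustedRoot or PartialChain, install the UW Services CA root on the server (the first step of the procedure) before completing the wizard.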
Beginning with Windows Vista and Server 2008, the UW Services CA's ActiveX request method no longer works. It was retired in October 2016.
Certificate requests on Windows without using IIS