Status

Note

This page hasn't been reviewed and updated with support for InCommon certificates in mind.


Certificate Use Guidelines

Supported uses of UW Services CA certificates

The UW Services Certificate Authority (CA) issues certificates for various kinds of services, the two most typical being:

...

For this reason it is not advisable to use UW Services CA certificates on web applications with large numbers of users (10,000 or more), or where many users are not from the regular UW community. Web applications using UW Services CA certificates with more than a small number of users (over 100) should have support staff who can help users with any questions that may come up about certificate warnings and use.

A certificate issued by InCommon may be an appropriate alternative for securing applications whose scope exceeds that supported by the UW CA. The new UW Certificate Service website supports issuing InCommon certificates in addition to UW CA certificates. Please see the UW Certificate Services page for more information on the two certificate authorities.

Deploying on a web server

...

Users who haven't installed the root certificate into their browsers will see warning messages when your web server presents a certificate issued by the UW Services CA. If you don't help them install the root certificate beforehand, and link strategically to the root installation page from your website, visitors may think there is a problem with, or become frustrated by, your website.

Although pre-installing the root certificate on systems within your department that you manage can significantly reduce the support burden, it probably won't eliminate it. Therefore, if you plan to deploy a certificate issued by the UW Services CA you should be prepared to support your user community and answer some questions (see UW Services CA FAQ).

If the size and nature of your user community suggests that this support is going to be difficult, it might be better to purchase a certificate from a well-known public CA, such as Thawte, and wait until the UW Services CA root certificate is better deployed within your user community. An InCommon-issued certificate may also be a good option in some cases.

Getting the root certificate

The UW Services CA's root certificate can be obtained in a couple of ways. Use the root installation page to install it directly into a web browser, or visit the UWCA website to obtain it in PEM or DER format.

...

  1. Verify that you are registered as a contact for your DNS name. Your UW NetID may not have been added to the DNS record when the DNS name was established. If need be, update the contact information. For help with this step, refer to Managing DNS Names For Infrastructure Services Access.
  2. Go to the UW Certificate Services CA website.
  3. Click "New Certificate".
  4. Click the "Verify DNS Ownership" tab.
  5. Enter the fully qualified domain name (e.g. <hostname>.<subdomain>.washington.edu or <appname>.<subdomain>.washington.edu) and click "Verify ownership." If the response confirms your ownership, click "Continue" to go to the next step. Otherwise go back to step 1.
  6. Fill out the Purpose page:
    1. Choose the certificate purpose by checking the appropriate option
    2. Select the certificate lifetime from the drop down list
    3. Describe your application purpose and expected number of application users
  7. Click "Continue"
  8. Click the "PEM Method" under your platform (Windows or UNIX). The ActiveX method is no longer supported on recent versions of Windows.
  9. Copy-and-paste the contents of the certificate request you generated in the earlier step into #2 on the UWCA form, removing any trailing spaces.
  10. Click on either the "New UWCA Certificate" or the "New InCommon Certificate" tab.
    1. Additional details specific to an InCommon certificate can be found here.
  11. Paste your certificate request into the CSR window. The request must be in PEM format. PEM is a text encoding (base-64) of the binary certificate request.
    1. A CSR includes information that is used to create a certificate. This includes but is not limited to:
      1. Attributes of the certificate like state and country where it will be used. These two values must be set to Washington and US respectively. These values are part of the Subject property of the certificate.
      2. The common name (CN) which for a web site or service is its DNS name.
      3. The certificate public key. The public/private key pair are generated as part of the CSR creation.
        Note: InCommon Certificates require 2048 bit public/private keys.
    2. There are a number of different tools that can be used to generate a CSR. One popular tool is openSSL. openSSL can be obtained (in source code form) from the openSSL.org website. It is also installed as part of a Shibboleth installation and with most Linux distributions.
  12. Choose the appropriate certificate type from the Type drop-down.
  13. Choose the type of web server you will be using along with the number of servers.
  14. Choose a certificate lifetime. Certificates used for testing should have a short lifetime. Production certificates are usually valid for 2 or 3 years.
  15. Click "Submit" to finish your request. You should receive a confirmation within 10 minutes.

Note: If your DNS name is not in a DNS subdomain managed by UW Technology, your subdomain contact will have to submit and manage the certificate request.

...

  1. If you do not already have a DNS name registered for your service, register one in a DNS subdomain for which you are allowed to register DNS names (e.g. <application name>.<subdomain>.washington.edu). Application developers working with web services will often request a DNS name of the form <uwnetid>.<subdomain>.washington.edu.
  2. Verify that you are registered as a contact for your DNS name. Your UW NetID may not have been added to the DNS record when the DNS name was established. If need be, update the contact information. For help with this step, refer to Managing DNS Names For Infrastructure Services Access.
  3. Go to the UW Services CA website.
  4. Review the Distinguished Name policy.
  5. Submit your certificate request.
  6. Step #2 under the section in this document titled "Requesting certificates for systems with a static IP address".

With keyUsage extensions

The UW Services CA asserts several keyUsage extensions if they are specified in a given certificate signing request: Digital Signature, Non Repudiation, Key Encipherment, and Data Encipherment. If you need a certificate with any of these keyUsage extensions, generate and submit a request including those extensions you need. (See Section 4.2.1.3 of RFC 3280 to learn more about keyUsage extensions.)
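As an added example (not code from the UW CA page or its tools), the following shell functions generate a 2048-bit key and PEM CSR with openssl that follows the DN policy described in the request steps above (C=US, ST=Washington, CN = the service's DNS name) and carries the four keyUsage extensions listed here, then check a CSR against those same requirements before it is pasted into the CSR window. The hostname, O/L values and working directory are assumptions; only the openssl CLI is required.

```shell
# Added example, not from the UW CA page: build and check a CSR for the UW Services CA.
# Assumes the openssl CLI is installed. WORKDIR and the O/L values are assumptions.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_csr HOST -> writes $WORKDIR/HOST.key and $WORKDIR/HOST.csr, prints the CSR path
gen_csr() {
    host="$1"
    cat > "$WORKDIR/$host.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = US
ST = Washington
L  = Seattle
O  = UW
CN = $host

[ ext ]
# keyUsage bits the CA asserts when present in the CSR (RFC 3280 section 4.2.1.3)
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
        -config "$WORKDIR/$host.cnf" 2>/dev/null || return 1
    printf '%s\n' "$WORKDIR/$host.csr"
}

# check_csr CSR HOST -> exit 0 only if the CSR self-verifies, uses a 2048-bit key,
# matches the DN policy (C=US, ST=Washington, CN=HOST) and requests keyUsage bits
check_csr() {
    csr="$1"; host="$2"
    txt=$(openssl req -in "$csr" -noout -text -verify 2>&1) || { echo "bad CSR or signature"; return 1; }
    printf '%s\n' "$txt" | grep -q 'Public-Key: (2048 bit)' || { echo "key is not 2048 bit"; return 1; }
    subj=$(openssl req -in "$csr" -noout -subject)
    # newer openssl prints "C = US, ST = ..."; older prints "/C=US/ST=..."; accept both
    case "$subj" in
        *"C = US"*"ST = Washington"*"CN = $host"*|*"C=US"*"ST=Washington"*"CN=$host"*) ;;
        *) echo "subject violates DN policy: $subj"; return 1 ;;
    esac
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Key Encipherment' \
        || { echo "CSR does not request keyUsage extensions"; return 1; }
    echo "CSR OK: $subj"
}
```

Run `check_csr` on any CSR you were handed by another tool (IIS, Shibboleth) as well; a Subject in the wrong state or country is the most common reason a request is rejected.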

...

How to revoke a certificate

To revoke a UW Services CA certificate:

...

Email help@uw.edu with the CN (DNS Name) and expiration date of the certificate.

When to use multiple certificates

...

The UW Services CA supports wildcard certificates. To request a wildcard certificate you must be a registered contact for the UW DNS subdomain specified in the request's Common Name field. For example, to request a certificate for *.<subdomain>.washington.edu you must be a subdomain contact for <subdomain>.washington.edu.

Requesting a SHA-1 Certificate

SHA-1 certificates for legacy applications can be requested by sending email to help@uw.edu. SHA-1 support will be reduced over the next few years; see UW CA SHA-1 Sunset for details.

Application Development Guidelines

...

  1. Verify your system has the UW Services CA root installed.
  2. Log on to your Windows server as Administrator.
  3. Start the IIS Internet Services Manager.
  4. Display your web site properties.
  5. Select Directory Security > Server Certificate to run the Web Server Certificate Wizard.
  6. Select "Create a new certificate", click Next.
  7. Select "Prepare the request now, but send later", click Next.
  8. Type in any simple name (e.g. "MyExampleUWSCAcert") for the certificate, 1024 is a good bit length, click Next.
  9. Type in Organization = "UW", Organization Unit = "" (actual text doesn't matter), click Next.
  10. Type your full DNS name for the Common Name, to conform to our DN policy.
  11. Select US for Country, type in "Washington" for state, and "Seattle" for city, click Next.
  12. Save the certificate request to a file (e.g. c:\certreq.txt).
  13. Finish the IIS Certificate Wizard.
  14. Open the certificate request file (e.g. in Notepad).
  15. Select the contents and copy it to the clipboard.
  16. Start a web browser, go to the UW Services CA web site (https://iam-tools.u.washington.edu/cs/), log in with your UW NetID, and select "New UWCA certificate".
  17. Choose the PEM method as you walk through the request process.
  18. Paste the contents of your certificate request file (e.g. c:\certreq.txt) into the "CSR" text field and submit your request.
  19. Wait for email acknowledging that your certificate has been issued.
  20. Go back to the UW Services CA web site, manage your requests, select the sequence number corresponding with your current request from the list of Favorites, and click "Get PEM" or "Get PKCS 7" from the details display to the right.
  21. Copy, paste, and save the PEM certificate into a new file (e.g. c:\certfile.txt).
  22. Return to the Web Server Certificate Wizard.
  23. Process the pending request to install the new certificate (e.g. c:\certfile.txt).

Certificate requests

...

To request a certificate for use with IIS using the Active X method:

Windows Vista Compatibility Warning: The UW Services CA's Active X request method and the Windows Vista® operating system are not compatible with each other.

Note: the following instructions were tested on a Windows 2000 Server SP4, with Internet Explorer 6.0.2800.1106, and all critical updates as of 29 Apr 2004. Be sure your system has all critical Windows updates and IE updates installed by visiting Windows Update.

  1. Verify your system has the UW Services CA root installed.
  2. Log on, as Administrator, to the Windows Server you want to install the certificate on.
  3. Start Internet Explorer, go to the UW Services CA web site (certs.cac.washington.edu), and select the link for requesting a certificate; you'll have to log in with your UW NetID.
  4. Choose the Active X method as you walk through the request process.
  5. Enter your DNS name, say what the cert is for, leave all other settings on page as is, then click the "Generate the request" button.
  6. Answer a dialog box that you want to accept the certificate.
  7. Answer OK you want to create a new key (security=medium), and a certificate request will be generated and sent to the UW Services CA.
  8. Wait until you receive email confirmation saying your certificate request has been approved.
  9. Start Internet Explorer, go to the UW Services CA web site and select the link for managing your requests. Note: you must be running IE on the same machine you performed the Active X certificate request.
  10. Click on the request number of the certificate to retrieve.
  11. Verify the info matches the certificate you requested.
  12. Click on the "Retrieve this certificate" link at the bottom of the page.
  13. Click on the "Get the certificate using ActiveX" link on the page.
  14. You will see a popup dialog that the site is adding a certificate to your computer. Click Yes.
  15. You will see a dialog indicating "your certificate is installed". Click OK.
  16. Run the Web Server Certificate Wizard for the same web site you requested the certificate for.
  17. Select "Assign an existing certificate". Click Next.
  18. Choose the certificate you just retrieved from the UW Services CA. Click Next. Click Next. Click Finish.

on Windows without using IIS