SSL certificate management on Systems Engineering managed servers
Background
While SE can provide assistance to customers with the installation of SSL certificates for web and/or application servers, it is the responsibility of the customer to purchase, request, install, and renew their SSL certificates. SE considers SSL certificate management to be within the realm of application administration, not operating system maintenance. Customers that want assistance from SE with the installation of SSL certificates for web and/or application servers should email their primary system administrator and copy the associated OS support team.
SSL certificate installation instructions
Complete documentation regarding purchasing and using certificates can be found at https://it.wisc.edu/about/division-of-information-technology/enterprise-information-security-services/cybersecurity/security-tools-software/server-certificates/. Below is a summary of the process:
NOTE: Items in bold are done from the application/web server; other items are done from the application administrator's workstation.
- 1. Generate a CSR (Certificate Signing Request)
- https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/19/csr-generation
- You can validate your CSR using Symantec's 'Check your CSR' tool at https://ssltools.digicert.com/checker/views/csrCheck.jsp
- 2. Complete the OCIS certificate signing request form
- 3. Install [InstantSSL] certificate
- https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37/certificate-installation
- Depending on your platform, you may also be required to install Comodo's Root and Intermediate CA Certificates in order for browsers and devices to trust your certificate. Consult your platform's certificate installation documentation for more details.
- 4. Contact the SEO Monitoring Team to set up an application monitor that includes SSL certificate expiration checking
Notes
Help and Documentation
- If you need assistance with requesting an SSL Certificate, contact the Server Certificates Team at servercertificates@doit.wisc.edu
- SSL Certificate FAQs
General
- While there isn't an official turnaround time for certificate requests, budget a few business days between a certificate request and the issuing of a certificate.
- When filling out the certificate request form, it is recommended that you use a service-specific mailing list as the email address of the technical contact.
- Creating meetings in your calendar is one way of notifying yourself about certificate expiration dates.
- A web site that serves pages using HTTPS must be hosted on a web server with a dedicated IP address. At present, most web browsers and web servers do not support virtual hosting with SSL-protected web sites.
UNIX, OpenSSL-based applications (e.g., Apache httpd, Apache Tomcat)
- When using Apache httpd (or any OpenSSL-based application), you have the option to protect your private key with a passphrase. Protecting your key with a passphrase is not recommended. If you do this, your application will not start automatically - a person will need to enter this passphrase every time an application using the certificate is started. SE can show you other ways of protecting a key without the need for a passphrase.
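The CSR generation, local CSR check and expiration check from the process above, as an added shell example for OpenSSL-based servers (not part of the original page and not SE's own tooling). The function names, the host name and the subject are constructed placeholders, and owner-only file permissions are shown as one common way to protect a key that has no passphrase; the page does not say which methods SE uses.

```bash
# Added example; host name, subject and directory are constructed placeholders.

# Step 1: create an RSA key without a passphrase plus a CSR for <fqdn> in <dir>.
# The key is protected by owner-only file permissions instead of a passphrase.
make_csr() {
    local fqdn="$1" dir="$2"
    mkdir -p "$dir" || return 1
    (
        umask 077   # files created in this subshell get mode 0600
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=US/O=Example Org/CN=$fqdn" \
            -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    )
}

# Print the public key of a private key, a CSR or a certificate (PEM files).
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# True when both files exist, parse, and carry the same public key.
same_key() {
    local a b
    a=$(pubkey_of "$1" "$2"); b=$(pubkey_of "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Before submitting: the CSR's self-signature verifies, its CN is the intended
# host name, and it was generated from the key that will be installed.
check_csr() {
    local csr="$1" key="$2" fqdn="$3" subj
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
    case "$subj" in *"CN=$fqdn,"*|*"CN=$fqdn") ;; *) return 1 ;; esac
    same_key csr "$csr" key "$key"
}

# After issuance: the certificate pairs with the key and is still valid
# <days> days from now (the same test an expiration monitor would run).
check_cert() {
    local cert="$1" key="$2" days="$3"
    same_key cert "$cert" key "$key" || return 1
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}
```

A typical sequence is `make_csr www.example.edu ./tls`, then `check_csr` before filling out the request form, then `check_cert ./tls/www.example.edu.crt ./tls/www.example.edu.key 30` once the certificate is issued.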
Windows (IIS, Microsoft SQL Server)
- When installing a certificate in Windows, marking the private key as exportable allows you to copy the SSL certificate to another server in the future.
- Error message when you try to install a certificate by using IIS 7.0 Manager: "Cannot find the certificate request associated with this certificate file": http://support.microsoft.com/kb/959216
- Windows users not using IIS may find the DigiCert Certificate Utility for Windows useful for CSR creation and certificate installation: https://www.digicert.com/util/