Requesting Other Certificates
This section outlines the steps involved in requesting a certificate. It contains the following main sections:
- Certificate credentials (X.509 DN)
- Making a certificate-signing request (CSR)
- Installing Your Certificate
Certificate Credentials (X.509 DN)
The digital certificate issued by the CMU CA will contain two sets of information:
- Distinguished name credentials. Known collectively as your distinguished name (DN), the digital certificate carries a set of X.509 values describing your hostname, organization, organizational unit, etc. These values can be viewed by looking at a digital certificate in your browser, illustrated in the screenshot below.
- Public key. This is used to validate these credentials and, together with your private key, to secure your network traffic. Check the "Further Reading" section of the main CMU CA page for more information.
Making a certificate-signing request (CSR)
The CMU Certificate Authority (CA) obtains and verifies this information from a Certificate Signing Request (CSR) that you fill out using the guidelines below.
Your web server software will contain the necessary code to generate public keys and the CSR - you just need to specify what Distinguished Name attributes you want in the certificate.
Step One: Prepare X.509 DN Credentials
- You must use the following values as they are presented below:
  - CN: [your server's fully-qualified domain name]
    examples: www.cmu.edu, netreg.net.cmu.edu
  - O: Carnegie Mellon University
  - OU: [your division or department]
    examples: Biological Sciences, Computing Services
  - L: Pittsburgh
  - S: Pennsylvania
  - C: US
Note: You will be prompted to enter an email address during the generation of your CSR. The CA will reject your certificate request if it contains this attribute. Press Enter or Return to skip this prompt.
Step Two: Generate the Certificate-Signing Request
- Using the X.509 DN, create the signing request using your web server software. We have detailed documentation for Andrew Apache + mod_ssl (see the Andrew Apache + mod_ssl section), the web server supported by Computing Services. Links for other popular web servers are provided below - simply apply our X.509 DN guidelines in lieu of what these documents advise.
Step Three: Send CSR to the Certificate Authority
- Compose an e-mail message to certificate-authority@andrew.cmu.edu. This message must contain:
  - Your name and affiliation with the university.
  - The purpose of your web service.
  - Your X.509 DN values.
  - Your CSR.
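Steps One and Two carried out non-interactively, as an added example that is not part of the original page. It assumes the OpenSSL command-line tool, which the page does not name, and the function names `make_csr` and `check_csr` are illustrative. The DN is passed on the command line so that no e-mail attribute can end up in the request, and the result is checked before it is mailed to the CA.

```shell
# Added example; assumes the OpenSSL command-line tool is installed.

make_csr() {   # $1 = server FQDN (CN), $2 = department (OU), $3 = output directory
    # -subj supplies the complete DN, so the interactive e-mail prompt never
    # appears. The page's "S" (state) is spelled ST in OpenSSL's -subj syntax.
    # -nodes writes the private key unencrypted; umask 077 keeps it owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$3/$1.key" -out "$3/$1.csr" \
          -subj "/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=$2/CN=$1" \
          2>/dev/null )
}

check_csr() {  # $1 = CSR file; prints the subject DN if the request is acceptable
    # The self-signature proves the requester holds the matching private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || return 1
    case "$subject" in
        *emailAddress=*) return 2 ;;   # the CA rejects requests with this attribute
    esac
    printf '%s\n' "${subject#subject=}"
}

# Usage with sample values taken from the page's examples:
#   make_csr www.cmu.edu "Computing Services" . && check_csr ./www.cmu.edu.csr
```

Only the `.csr` file goes into the e-mail to the CA; the `.key` file stays on the server.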
Installing Your Certificate
Once you have submitted your CSR, the CMU CA replies with the following three certificates:
- The certificate for your web server
- The intermediate certificate (web 1), which the CA used to sign your certificate
- The server certificate, which the CA used to sign the intermediate certificate (also available)
This is known as a "certificate chain", and it must be replicated on your web server to reliably communicate the trustworthiness of your web service. In other words, you will need to have the second certificate presented to the client browser to permit the certificate chain to be completed by the client.
Accomplishing this on your web server is usually a straightforward process. This document provides full documentation of certificate installation on the supported Andrew Apache and top-notch third-party documentation for all other major web servers (see the Certificate Installation with Andrew Apache section).
If you are not using Andrew Apache, simply follow the 3rd-party documentation with the understanding that you will want to install the intermediate CA certificate as well.
For example, if you are using IIS 4/5, make sure you have installed both the server certificate and the intermediate certificate you received in email into your browser cache (simply double-click and run with the defaults). If you have questions, e-mail the CMU CA at certificate-authority@andrew.cmu.edu.
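Why the intermediate certificate has to be installed alongside the server certificate, shown with `openssl verify` as an added example that is not part of the original page. It assumes the OpenSSL command-line tool and uses a constructed root, intermediate and server certificate in place of the three the CA sends; the function names are illustrative.

```shell
# Added example; assumes the OpenSSL command-line tool. All certificates here
# are constructed stand-ins, valid for two days, for demonstration only.

sign() {   # $1 = dir, $2 = subject name, $3 = issuer name, $4 = extension file
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ "$2" = "$3" ]; then      # self-signed top-level certificate
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
            -extfile "$4" -days 2 -out "$1/$2.crt" 2>/dev/null
    else                          # signed by the issuer's key
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
            -CAcreateserial -extfile "$4" -days 2 -out "$1/$2.crt" 2>/dev/null
    fi
}

build_demo_chain() {   # $1 = empty working directory
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\n'         > "$1/leaf.ext"
    sign "$1" root   root  "$1/ca.ext"   &&
    sign "$1" inter  root  "$1/ca.ext"   &&
    sign "$1" server inter "$1/leaf.ext"
}

chain_ok() {   # $1 = trusted root, $2 = server cert, $3 = intermediate (may be empty)
    # The client trusts only the root; -untrusted plays the part of the
    # intermediate that the web server sends during the handshake.
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null
    fi | grep -q ': OK$'
}

# Usage:
#   d=$(mktemp -d) && build_demo_chain "$d"
#   chain_ok "$d/root.crt" "$d/server.crt" "$d/inter.crt"   # succeeds
#   chain_ok "$d/root.crt" "$d/server.crt"                  # fails: chain incomplete
```

With the real files, `chain_ok` takes the CA's top-level certificate, your server certificate and the intermediate certificate, in that order.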
Intermediate Signing Certificates
Computing Services has issued signing certificates to departmental administrators in the PSC.EDU, CS.CMU.EDU, and ECE.CMU.EDU domains. These "signing certificates" are signed by the CMU server certificate so that selected administrators can sign certificates for servers inside their domain.
If you have a server inside PSC.EDU, CS.CMU.EDU, or ECE.CMU.EDU and would like a certificate for your server, you are invited to use the contact information below:
ECE: Lou Anschuetz <lou@ece.cmu.edu>
SCS: SCS Help Desk <gripe@cs.cmu.edu>
PSC: Kevin Sullivan <ksulliva@psc.edu>
Your representative will have directions for requesting a certificate for your domain. Once it is issued, you may want to use the documentation found on this site to install the certificate on your server.
Need Help?
Computing Services provides full support for generating certificate requests with Andrew Apache. If you experience problems, please e-mail certificate-authority@andrew.cmu.edu for assistance.
Note: Portions of this document were adopted from VeriSign.
Last Updated: 5/22/07