Requesting Other Certificates
This section will outline the steps involved in requesting a certificate. It contains the following main sections:
- Certificate credentials (X.509 DN)
- Making a certificate-signing request (CSR)
- Installing Your Certificate
Certificate Credentials (X.509DN)
The digital certificate issued by the CA will contain two sets of information:
- Distinguished name credentials. Known collectively as your distinguished name (DN), the digital certificate carries a set of X.509 values describing your hostname, organization, organizational unit, etc. These values can be viewed by looking at a digital certificate in your browser, illustrated in the screenshot below.
- Public key. This is used to validate these credentials and to couple with your private key to secure your network traffic.
Making a certificate-signing request (CSR)
The CMU Certificate Authority (CA) obtains and verifies this information from a Certificate Signing Request (CSR) that you fill out using the guidelines below.
Your web server software will contain the necessary code to generate public keys and the CSR--you just need to specify what Distinguished Name attributes you want in the certificate.
Step One: Prepare X.509 DN Credentials
You must use the following values as presented below:
- CN: [your server's fully-qualified domain name] Examples: www.cmu.edu, netreg.net.cmu.edu
- O: Carnegie Mellon University
- OU: [your division or department] Examples: Biological Sciences, Computing Services
- L: Pittsburgh
- S: Pennsylvania
- C: US
Note: You will be prompted to enter an email address during the generation of your CSR. The CA will reject your certificate request if it contains this attribute. Press enter or return to pass on this prompt.
Step Two: Generate the Certificate-Signing Request
Using the X.509 DN, create the signing request using your web server software. We have detailed documentation for Andrew Apache + mod_ssl (see the Andrew Apache + mod_ssl section), the web server supported by Computing Services. Links for other popular web servers are provided below--simply apply our X.509 DN guidelines in lieu of what these documents advise.
Step Three: Send CSR to the Certificate Authority
Compose an e-mail message to firstname.lastname@example.org. This message must contain:
- Your name and affiliation with the university.
- The purpose of your web service.
- Your X.509 DN values.
- Your CSR
Installing Your Certificate
Once you have submitted your CSR, the CA replies with the following certificates:
- The certificate for your web server
- The intermediate certificate which the CA used to sign your certificate
This is known as a "certificate chain", and it must be replicated on your web server to reliably communicate the trustworthiness of your web service. In other words, you will need to have the second certificate presented to the client browser to permit the certificate chain to be completed by the client.
Accomplishing this on your web server is usually a straightforward process. This document provides steps for certificate installation on the supported Andrew Apache and top-notch third-party documentation for all other major web servers (see the Certificate Installation with Apache 2 section).
If you have a server inside PSC.EDU, CS.CMU.EDU, or ECE.CMU.EDU and would like a certificate for your server, please use the contact information below:
Your representative will have directions for requesting a certificate for your domain. Once it is issued, you may want to use the documentation found on this site to install the certificate on your server.
Computing Services provides full support for generating certificate requests with Andrew Apache. If you experience problems, please e-mail email@example.com for assistance.
Note: Portions of this document were adopted from the VeriSign, Thawte and Comodo.
Last Updated: 3/30/11