Carnegie Mellon University

Certificate Authority

The Carnegie Mellon University Certificate Authority (CA) issues and manages Secure Sockets Layer (SSL), personal, and code signing certificates for the encryption of Internet network traffic and identification of servers, people, and applications.

Why Use CMU CA-Signed Digital Certificates

There are typically two reasons that motivate a campus web developer to deploy our CA-signed digital certificates. The first is to provide encrypted transactions via HTTPS (HTTP over SSL/TLS). It is unwise and potentially irresponsible to host a web service that invites the transmission of confidential information unencrypted across a network. Unencrypted (plaintext) traffic is easily snooped by anyone on the campus network with the desire and a basic knowledge of computer networking. Using a digital certificate with the SSL/TLS protocol is a convenient way to contain this threat, since the protocol and cryptosystem are native to nearly every browser and platform.

The second common motivator for using a digital certificate is to provide trust management by means of the credentials carried by the certificate. A certificate carries with it credentials signed (verified and mastered) by Carnegie Mellon University Computing Services. This means that by issuing a certificate, the University asserts that the web server in question is a registered machine on the University network. The user is therefore guaranteed that the web service he or she is accessing is indeed one hosted by a machine on the campus network.

Important! No other assertion about the service can be implied from the knowledge that Carnegie Mellon University has signed a digital certificate. This signature asserts only that the web server is a registered machine on the campus network. It is still possible that the web service has offensive, illegal, and/or malicious intent.  

Some examples of services that use digital certificates include Web Login and NetReg.

Requesting CMU CA-Signed Certificates

To request a commercial SSL certificate for University business or research:

  1. Ensure the system is registered in NetReg or SCS RAMS, or that you can demonstrate administrative control of the domain by controlling DNS, receiving email at administrative addresses, or publishing web content.
  2. Email certificate-authority@andrew.cmu.edu with the following information:
     • Department or group email or mailing list address
     • Certificate Signing Request (CSR)
     • List of Subject Alternative Names, if needed

For instructions on generating the required CSR, please see the appropriate article below:

Most Popular:

For everything else visit Sectigo’s CSR Generation Knowledgebase List
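
As an added illustration (not taken from CMU's or Sectigo's instructions), the following shows one way to build a CSR that carries Subject Alternative Names with the OpenSSL command line and to check it before emailing it. The hostnames, file names, function names and the 2048-bit RSA key size are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: build a CSR with Subject Alternative Names and check it
# before mailing it. Hostnames and file names are constructed samples.

# make_csr OUTDIR COMMON_NAME [SAN ...]
# Writes OUTDIR/server.key (stays private) and OUTDIR/server.csr (sent to the CA).
make_csr() {
    outdir=$1; cn=$2; shift 2
    # The common name is repeated as the first SAN entry.
    sans="DNS:$cn"
    for name in "$@"; do sans="$sans,DNS:$name"; done

    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
    # umask 077 so the private key is created readable by its owner only.
    ( umask 077
      openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$outdir/server.key" -config "$outdir/csr.cnf" \
        -out "$outdir/server.csr"
}

# csr_sans CSR_FILE: print the DNS names requested in the CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_ok CSR_FILE: succeed only if the CSR's self-signature verifies,
# i.e. the file was not truncated or altered after it was generated.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Only `server.csr` goes in the email; `server.key` never leaves the server. Comparing the output of `csr_sans` against the list of Subject Alternative Names in the request catches a missing or misspelled name before the certificate is issued.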

For instructions on installing your SSL certificate see the appropriate article below:

Most Popular:

For everything else visit Sectigo’s SSL Certificate Installation Knowledge Base List

To request a commercial code signing certificate for University business or research:

  1. Email certificate-authority@andrew.cmu.edu with the following information:
     • Desired department or research group name for certificate Subject name
     • Department or group email or mailing list address for certificate Subject email
     • Type of code to be signed: Apple, Java or Windows applications
     • Department or group email or mailing list address for enrollment invitation
  2. Additional instructions will be emailed once the request has been validated.

For an overview of the enrollment process visit Code Signing Certificate End User Guide

For instructions on using code signing certificates please see Code Signing Certificates Technical FAQ

To request a commercial personal (email) certificate for University business or research:

  1. Email certificate-authority@andrew.cmu.edu with the following information:
     • Desired individual, department or group email address
  2. Additional instructions will be emailed once the request has been validated.

For an overview of the enrollment process and how to use personal certificates, visit Email and Client Certificate End User Guide. Given the diversity of email client software, we do not provide support for the use of personal certificates.