SSL: Difference between revisions
No edit summary |
|||
| Line 1: | Line 1: | ||
== GlobalSign == |
== GlobalSign == |
||
The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems. |
The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems. |
||
When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://ist.uwaterloo.ca/security/IST-CA/self-service/index.html IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/home/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>. |
|||
JBROMAN WILL EXPAND THIS |
|||
At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact. |
|||
Products: OrganizationSSL |
|||
SSL Certificate Type: Wildcard SSL Certificate |
|||
Validity Period: 1 year |
|||
Are you switching from a Competitor? No, I am not switching |
|||
Are you renewing this Certificate? Yes (paste current certificate) |
|||
30-day bonus: Yes (why not?) |
|||
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN) |
|||
Enter Certificate Signing Request (CSR): Yes (paste CSR) |
|||
Contact Information: |
|||
First Name: Computer Science Club |
|||
Last Name: Systems Committee |
|||
Telephone: +1 519 888 4567 x33870 |
|||
Email Address: syscom@csclub.uwaterloo.ca |
|||
== Certificate Location == |
== Certificate Location == |
||
Revision as of 17:47, 8 October 2013
GlobalSign
The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.
When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the IST-CA self service system. Please keep a copy of the key, CSR and (once issued) certificate in /home/sysadmin/certs. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for *.csclub.uwaterloo.ca.
At the self-service portal, these options worked in 2013. If you need IST assistance, ist-ca@uwaterloo.ca is the email address you should contact.
Products: OrganizationSSL SSL Certificate Type: Wildcard SSL Certificate Validity Period: 1 year Are you switching from a Competitor? No, I am not switching Are you renewing this Certificate? Yes (paste current certificate) 30-day bonus: Yes (why not?) Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN) Enter Certificate Signing Request (CSR): Yes (paste CSR) Contact Information: First Name: Computer Science Club Last Name: Systems Committee Telephone: +1 519 888 4567 x33870 Email Address: syscom@csclub.uwaterloo.ca
Certificate Location
Keep a copy of newly generated certificates in /home/sysadmin/certs on the NFS server (currently aspartame).
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.
- caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
- mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
- auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)
- artificial-flavours:/etc/ssl/private/csclub-wildcard.crt (for Apache and slapd)