How Do I ... Generate a certificate signing request and have it signed by Thawte Certification for Apache Web Servers with SSL

Introduction

Note:

SHA-1 certificates will trigger a warning in the new edition of Chrome; see http://www.uwo.ca/its/pki/thawte/SHA-1_certificates.html

To check your certificate request, see https://ssltools.thawte.com/checker/views/csrCheck.jsp

This document outlines the steps involved to generate a certificate signing request for Apache Web Servers with SSL and get it signed by Thawte Certification.

Generate a Private key and certificate request.

Apache provides a good set of instructions for doing this at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#realcert

Please look up the instructions from this site for your brand of web server and follow them. Below are brief descriptions of what may be requested during this process. Anything that is in bold must be filled in exactly as given, right down to the capitals.

Note that the information you include in the certificate request must be exact and correct. Some data names are misleading. If you are not 100% sure how to fill in a blank during this process, please ask us, as it will save a lot of time later. Also note that this process creates a Private Key with a password. If you lose the Private Key or forget its password, your certificate will be useless and you will have to start over and pay again. Note also that the Key must be kept safe: if it gets into public hands, all encryption efforts are lost and your system can be spoofed by others.

| Field Name | Description of what to enter |
|---|---|
| Password and Confirm Password | This is the password for your private key. This should be something that can be remembered but nothing obvious like the server name. WRITE THIS DOWN NOW. |
| Bit Length | This is the bit length of the key. This must be 2048. |
| Organization | The University of Western Ontario |
| Organizational Unit | Your Department or Faculty name. Please use its full name and not a short form or acronym. |
| Common Name | This is the DNS name of your web server. This should be what appears in the URL when you access the secure area of your server (e.g. www.dept.uwo.ca). |
| Country/Region | CA |
| State/Province | Ontario |
| City/Locality | London |
| Your Name | This should be the name of the technical contact for the web server. Most likely this will be you. |
| E-mail Address | This should be the e-mail address of the technical contact for the web server. Note that if you have a webmaster@dept.uwo.ca address, it can be used instead of the person's personal e-mail account. |
| Phone Number | This should be the phone number of the technical contact for the web server. Note that if there is a help line for this server, it can be used here. Whoever answers this line should know what to do with questions regarding the secure web server. |
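
The key and request described above can be produced and checked with OpenSSL before submission. This is an added example, not part of the original page or of Apache's instructions; the function names make_csr and check_csr, the file names, the KEY_PASS variable and the sample host and department names are assumptions.

```shell
# Added example: 2048-bit password-protected key plus CSR carrying the field
# values from the table above. Assumes OpenSSL is installed and that KEY_PASS
# is exported, so the password never appears on the command line.

# make_csr OUT_DIR COMMON_NAME ORG_UNIT -> writes server.key and server.csr
make_csr() {
    out=$1 cn=$2 ou=$3
    : "${KEY_PASS:?export KEY_PASS with the private key password first}"
    ( umask 077    # key file readable by its owner only
      openssl genrsa -aes256 -passout env:KEY_PASS -out "$out/server.key" 2048
    ) || return 1
    cat > "$out/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = CA
ST = Ontario
L = London
O = The University of Western Ontario
OU = $ou
CN = $cn
EOF
    # -sha256: avoid a SHA-1 signature on the request itself
    openssl req -new -sha256 -config "$out/csr.cnf" \
        -key "$out/server.key" -passin env:KEY_PASS -out "$out/server.csr"
}

# check_csr CSR COMMON_NAME ORG_UNIT -> returns 0 only if the request is
# self-consistent, 2048-bit, SHA-256 signed and has the exact subject fields
check_csr() {
    csr=$1 cn=$2 ou=$3
    text=$(openssl req -in "$csr" -noout -verify -text 2>&1) || return 1
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
    want="CN=$cn,OU=$ou,O=The University of Western Ontario,L=London,ST=Ontario,C=CA"
    printf '%s\n' "$text" | grep -q 'verify OK' || { echo "bad self-signature"; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || { echo "key is not 2048 bits"; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256' || { echo "not SHA-256 signed"; return 1; }
    printf '%s\n' "$subj" | grep -qF "$want" || { echo "subject mismatch: $subj"; return 1; }
}

# Usage (constructed values):
#   make_csr . www.dept.uwo.ca "Department of Examples"
#   check_csr ./server.csr www.dept.uwo.ca "Department of Examples"
```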

 

Send the Certificate request for signing.

During this process please read all information on these pages and if you have any questions stop the process and send them to web-certificates@uwo.ca.

    • Email address:

       

    • Server domain Name

      This is the DNS name of your web server. This should be what appears in the URL when you access the secure area of your server (e.g. www.dept.uwo.ca).
      Server domain Name:

       

    • Include subject alternative names (SANs) with this certificate

      A Subject Alternative Name (SAN) certificate is capable of supporting multiple domains and multiple host names within domains. SAN certificates are more flexible than Wildcard certificates since they are not limited to a single domain.
      SAN:

       

    • Paste your certificate signing request

      From the certificate request file generated above cut the Certificate Signing Request (CSR).
      This is the part of the file between and including the begin and end lines. Paste this into the web form in the provided scroll box. CSR example:

      -----BEGIN NEW CERTIFICATE REQUEST-----
      (base64-encoded request data)
      -----END NEW CERTIFICATE REQUEST-----
    • Web Server Software

      Select your web server type from the drop down list

    • Authorizing Contact Person

      For the Authorizing Contact Person, fill in the information for the head of the department or faculty requesting this certificate. Note that this person must be the director or dean, have signing authority for the department/faculty, and verify that the department/faculty is requesting this certificate for its web server. This person must also indicate they have appointed the technical contact as the person responsible for the server. This person will be contacted by an ITS representative to verify this certificate request. An independent search for the head of the department/faculty will be completed, and if the results of this search do not match the data given here then the authenticity of this request may be questioned. Please note that if the certificate is for a larger department/faculty than the one you belong to, then the signing authority should be that of the larger department/faculty. (Example: I work for the department of technical services inside the faculty of science. The department maintains the faculty's web server, which the certificate is for. Therefore the dean of science is the Authorizing Contact Person for this request.)

       

      Full name:
      Job title:
      Telephone:
      (include area code and extension) E.g. (519)661-2111x84737
      Email address:
      E.g. name@uwo.ca

       

    • Technical Contact Person

      For the Technical Contact/Webmaster fill in the information for the person responsible for maintaining the web server. Note that this should not be a generic name or email address like webmaster.

      Full name:
      Job title:
      Telephone:
      (include area code and extension) E.g. (519)661-2111x84737
      Email address:
      E.g. name@uwo.ca
      Peoplesoft #: in the form of #### ######

       

    • Department

      Select your department from the drop down list

 

 

Verification process and Payment.

Three e-mails will be sent by Thawte: one each to the Authorizing Contact, the Technical Contact and a member of ITS. The ITS representative will then contact the Authorizing Contact and Technical Contact to verify the request. Payment for the certificate will be finalized. Once payment has been received, ITS will approve the certificate signing and Thawte will issue the certificate.

Retrieving the certificate.

When the certificate has been approved and signed, Thawte will send another email to the Technical Contact. This email will contain a URL which will allow you to download your certificate. Go to this URL and enter your password. This is the password you gave on the third page of sending your certificate signing request to Thawte. On the next screen you will be asked what format you want to download the certificate in. Select 'Standard Certificate Format' and use the 'Fetch Certificate' button to retrieve your certificate. It will look a lot like the CSR. Copy it off this page into a text file. This file will be used to install the certificate into your web server. Back up this file along with the Private Key and keep them safe.

Install your certificate.

The instructions from Thawte used to generate the CSR above end with the steps required to install the certificate into your web server.

Getting Help

If you require assistance during any of this process, please send an e-mail to web-certificates@uwo.ca. More info on the PKI environment at UWO is available at http://www.uwo.ca/its/pki
