Security certificates
Introduction to Certificates
A digital certificate is used to secure traffic using a popular encryption protocol called TLS (or sometimes SSL). When you make a purchase, or access other protected content on the internet, and notice the closed lock icon in your browser or the https:// prefix in the URL, it means you have established a secure TLS connection. This means that your browser has examined the signed certificate received from the web site, verified that it is authentic, and that session keys have been negotiated at both ends of the connection. During the connection all the information you enter will be encrypted before being sent to the server.
If you run a web server and need a digital certificate then here's how to obtain one:
Obtaining a certificate
The recommended certificates to use come from Let's Encrypt, which is a service providing free digital certificates to web servers. A large proportion of the University's central services use these certificates. The main benefits are that the certificates are free and that your server can automatically renew the certificates itself, saving you from having to renew every couple of years.
There is an official tool called Certbot that supports many popular web servers such as Apache and Nginx. Follow the instructions on the Certbot website to get it set up, including the periodic cron job that renews the certificate automatically before it expires.
That's it, enjoy being on HTTPS!
Obtaining a certificate from the University
- If you wish to purchase or renew a Certificate, please raise a Service Now order request via ITS-Orders attaching the relevant CSR.
- To obtain a University security certificate you must be University staff.
- The process generally takes about a day, but there are factors that may delay this, e.g. staff availability / workload, mistakes in the application, unusual requirements. If the request is urgent, please let us know, and make sure we have a reliable means of contacting you.
- Resources will process your request and forward the certificate on to you. They will also update the relevant CMDB entry, attaching the certificate and CSR document. The Service Now call will then be resolved.
- Finance Link Officers will supply Service Owners with a monthly report of upcoming renewals at their monthly budget meetings.
Installation Notes
When installing the new certificate the service will need to reference/import a chain of intermediate certificates. Each certificate in the chain is signed by the next one (its issuer), and so on until the chain reaches a root certificate that the client already trusts. You should receive the appropriate chain file along with the certificate, via an email link or other download mechanism.
Depending on the server software, the order in which the certificates are imported may matter. Please make sure you know exactly what you are doing before you start.
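The following script is an added example and is not part of the original page or of any University tooling. It builds a throwaway three-level test PKI (root, intermediate, server certificate) with openssl purely so that the checks have something to run against, and then shows the two checks worth doing before installing a chain: that the server certificate really chains up to the root through the supplied intermediates, and that a concatenated chain file is in the order nginx's ssl_certificate file and Apache's SSLCertificateFile expect (server certificate first, then each issuer in turn). All names in it (Test Root CA, Test Intermediate CA, servicename.warwick.ac.uk) are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway test PKI
# (root -> intermediate -> server certificate) so the chain checks below have
# something to run against, then (a) confirm the server certificate chains up
# to the root via the supplied intermediates and (b) confirm a concatenated
# chain file is ordered server certificate first, then each issuer in turn.
# All names here ("Test Root CA", servicename.warwick.ac.uk) are constructed.
set -eu

make_test_pki() {
    d="$1"
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:servicename.warwick.ac.uk\n' > "$d/leaf.ext"
    # Root CA: self-signed, CA:TRUE
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    # Intermediate CA: signed by the root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    # Server certificate: signed by the intermediate, not directly by the root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=servicename.warwick.ac.uk" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# Does LEAF chain up to the trusted ROOT using only the certificates in
# INTERMEDIATES?  Prints "ok" or "fail".  A missing intermediate is the usual
# cause of "unable to get local issuer certificate" errors in clients.
verify_chain() {
    root="$1"; intermediates="$2"; leaf="$3"
    if openssl verify -CAfile "$root" -untrusted "$intermediates" "$leaf" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Check the order of a concatenated PEM chain file: certificate N must have
# been issued by certificate N+1.  Prints "ordered" or "misordered".
check_chain_order() {
    f="$1"
    tmp=$(mktemp -d)
    # split the file into 1.pem, 2.pem, ... with one certificate in each
    awk -v d="$tmp" '/BEGIN CERT/{n++} n>0{print > (d "/" n ".pem")}' "$f"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1
    result=ordered
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject)
        # drop the "issuer=" / "subject=" labels so the names can be compared
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            result=misordered
            break
        fi
        i=$next
    done
    rm -rf "$tmp"
    echo "$result"
}

# Stand-alone use: ./chaincheck.sh chain.pem  (checks the order of an existing chain file)
if [ $# -gt 0 ]; then
    check_chain_order "$1"
fi
```

For a real deployment, run verify_chain with the root bundle your clients trust and the chain file you were sent, and check_chain_order on the file you are about to point the web server at; a chain that verifies with openssl but is concatenated in the wrong order will still fail in servers that read the file top to bottom.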
Generate a CSR
Current recommendations are to use at least a 2048-bit key; anything smaller will be rejected by the issuing authority.
For an Apache server:
> openssl req -newkey rsa:2048 -nodes -keyout servicename.warwick.ac.uk.key -out servicename.warwick.ac.uk.csr
Suggested responses to the openssl prompts (it is recommended you leave everything else blank):
Country Name: GB
State or Province Name: West Midlands
Locality Name: Coventry
Organization Name: The University of Warwick
Organizational Unit Name: your department (if ITS, please use Information Technology Services)
Common Name: yourservicename.warwick.ac.uk
- The Common Name should be the fully qualified service or host name for your application. It will be matched against the host name in the URL, and web browsers usually show a warning if they differ.
- Make sure the .key file is not readable by anyone but root: this is the private key that no one except the server process should see.
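The script below is an added example, not the page's own command or any University tooling. It runs the same openssl req command as above but non-interactively, passing the recommended subject values with -subj, creates the key so that only its owner can read it, and then checks the CSR before it is submitted: Common Name, key size, a valid self-signature, and the key file's permissions. servicename.warwick.ac.uk is the page's placeholder host name, and the OU value is the one suggested for ITS; replace both for your own service.

```shell
#!/bin/sh
# Added example, not from the original page: generate a 2048-bit RSA private
# key and CSR without the interactive prompts, using the subject values the
# page recommends, lock down the key, and sanity-check the CSR before sending
# it off.  Host name and OU are placeholders to be replaced for a real service.
set -eu

# Create HOST.key and HOST.csr in WORKDIR (default: current directory).
generate_csr() {
    host="$1"
    workdir="${2:-.}"
    key="$workdir/$host.key"
    csr="$workdir/$host.csr"
    # umask 077 makes the key unreadable by group and others from the moment it
    # is written; the chmod afterwards makes that explicit on any server.
    ( umask 077 && openssl req -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=$host" \
        >/dev/null 2>&1 )
    chmod 600 "$key"
    echo "$csr"
}

# Check the CSR before submitting it: correct Common Name, a key of at least
# 2048 bits, a valid self-signature, and a private key only its owner can read.
# Prints "ok" on success; otherwise reports the problem on stderr and returns 1.
check_csr() {
    host="$1"
    workdir="${2:-.}"
    key="$workdir/$host.key"
    csr="$workdir/$host.csr"
    text=$(openssl req -in "$csr" -noout -text)
    echo "$text" | grep -q "CN *= *$host" \
        || { echo "Common Name does not match $host" >&2; return 1; }
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "key is only ${bits:-?} bits; the issuing authority will reject it" >&2; return 1; }
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$perms" = "600" ] \
        || { echo "$key has mode $perms; it should be 600" >&2; return 1; }
    echo ok
}

# Stand-alone use: ./make_csr.sh servicename.warwick.ac.uk [workdir]
if [ $# -gt 0 ]; then
    generate_csr "$@"
    check_csr "$@"
fi
```

Run it as root on the server that will hold the key, so that the .key file ends up owned by root with mode 600; the .csr file is the only one that leaves the machine.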
Some excellent notes for other types of servers:
https://knowledge.digicert.com/generalinformation/INFO212.html
This FAQ is intended for technical staff who administer servers.
Alternatively see our FAQ if you want to know about setting up an online payment system.