Carnegie Mellon School of Computer Science, Computing Facilities
Web server certificates

SCS Facilities runs a certificate authority for signing server certificates for web servers within SCS. These server certificates take advantage of CMU's public key infrastructure and the widespread deployment of Carnegie Mellon server certificates in people's browsers. To obtain a certificate signed by the SCS certificate authority, send mail containing a certificate signing request (CSR) to certificates@cs.cmu.edu. The specific instructions for generating a CSR depend on the type of web server and platform being used.

How to generate a certificate signing request (CSR)

If you are using the Facilities wwwsrv collection

On Facilitized Unix/Linux hosts, SCS Facilities provides a wwwsrv misc collection that makes it easy to set up a web server. If you are using this collection, you can run:
  /usr/local/sbin/getwwwcert
which will ask you some questions, generate a private key and CSR, and mail the CSR to SCS Facilities to be signed. As part of the generation process, an MD5 hash of the CSR is calculated and displayed. Write down this hash, since SCS Facilities may contact you by phone to verify your request against it.

Once you have received your certificate, save the contents of the e-mail containing the certificate to a file and run:
  /usr/local/sbin/getwwwcert -I /path/to/email.txt
in order to install the certificate.

After installing the certificate, you will need to restart the web server by running:
  /usr/local/etc/nanny -restart httpd

If you are using a Windows host running IIS

To generate a CSR on a Windows host running IIS, follow the directions on the Facilities IIS SSL instructions documentation.

If you are using OpenSSL on a non-Facilitized host

If you are using OpenSSL to generate the CSR, your config file should contain:

# OpenSSL config file for getwwwcert

[ req ]
default_bits                    = 1024
default_keyfile                 = privkey.pem
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
x509_extensions                 = self_extensions
req_extensions                  = req_extensions
string_mask                     = nombstr
prompt                          = no

[ req_distinguished_name ]
countryName                     = US
stateOrProvinceName             = Pennsylvania
localityName                    = Pittsburgh
0.organizationName              = Carnegie Mellon University
0.organizationalUnitName        = School of Computer Science
1.organizationalUnitName        = *YOUR DEPARTMENT HERE*
2.organizationalUnitName        = *YOUR GROUP HERE*
commonName                      = *HOSTNAME OF WEB SERVER*

[ req_attributes ]

[ req_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
keyUsage                        = critical,digitalSignature,keyEncipherment

[ self_extensions ]
basicConstraints                = CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
keyUsage                        = critical,digitalSignature,keyEncipherment

Note: Be sure to put in the correct information for the organizationalUnitName and commonName attributes.

To generate the CSR, you will need to:

  1. Generate the private key with the command:
      openssl genrsa -rand /etc/egd-pool -out key.pem 1024
    This step can be skipped if you've already generated a key, and you simply want to renew an expired or expiring certificate.
  2. Generate the CSR, using the OpenSSL configuration shown above, saved in the file openssl.conf:
      openssl req -config openssl.conf -new -key key.pem -out req.pem
  3. Take note of the MD5 hash of req.pem, since it will be used to verify the request you've sent. You can get the MD5 hash of the CSR by running:
      openssl md5 req.pem
  4. Send the contents of the CSR, req.pem, to certificates@cs.cmu.edu, along with your name and a phone number at which you can be contacted. Be sure to mention that you are running your own web server and not the Facilities-provided one. Once the request has been verified and signed, you will receive an e-mail that contains the signed certificate and the intermediate CA certificate.

If you want to use a self-signed certificate until you get a response, generate one by running:
  openssl x509 -req -days 30 -extfile openssl.conf -extensions self_extensions -in req.pem -out self.pem -signkey key.pem
This certificate will generate a warning in most web browsers, and will expire in 30 days.
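The OpenSSL steps above as one non-interactive script. This is an added example, not SCS's getwwwcert or any other Facilities code; it assumes openssl is on PATH and uses a placeholder hostname and department. It goes slightly beyond the page's config by using a 2048-bit key with SHA-256 and a subjectAltName (current browsers ignore the commonName), and by checking the CSR's self-signature and public key before it is mailed.

```shell
#!/bin/sh
# Added example, not SCS's getwwwcert: the OpenSSL procedure above as a
# non-interactive script. Assumes openssl on PATH; HOST is a placeholder.
set -e
HOST="${HOST:-www.example.cs.cmu.edu}"   # hypothetical server hostname
WORK="${WORK:-$(mktemp -d)}"
write_config() {  # page's layout, but 2048-bit key, SHA-256 and a SAN
  cat > "$WORK/openssl.conf" <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = dn
req_extensions      = csr_ext
x509_extensions     = self_ext
prompt              = no
[ dn ]
countryName              = US
stateOrProvinceName      = Pennsylvania
localityName             = Pittsburgh
0.organizationName       = Carnegie Mellon University
0.organizationalUnitName = School of Computer Science
1.organizationalUnitName = Example Department (placeholder)
commonName               = $HOST
[ csr_ext ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical,digitalSignature,keyEncipherment
subjectAltName       = DNS:$HOST
[ self_ext ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical,digitalSignature,keyEncipherment
subjectAltName       = DNS:$HOST
EOF
}
gen_key() { [ -s "$WORK/key.pem" ] || openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null; }  # keep key on renewal
gen_csr() { openssl req -config "$WORK/openssl.conf" -new -key "$WORK/key.pem" -out "$WORK/req.pem"; }
# Hash quoted to Facilities for out-of-band verification: $1 = md5 (as on the page) or sha256
csr_fingerprint() { openssl dgst "-$1" -r "$WORK/req.pem" | cut -d' ' -f1; }
# Check the CSR before mailing it: self-signature must verify and its public key must be ours
verify_csr() {
  openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$WORK/req.pem" -noout -pubkey)" = "$(openssl pkey -in "$WORK/key.pem" -pubout)" ]
}
make_self_signed() {  # 30-day placeholder cert until the signed one arrives
  openssl x509 -req -days 30 -extfile "$WORK/openssl.conf" -extensions self_ext \
    -in "$WORK/req.pem" -signkey "$WORK/key.pem" -out "$WORK/self.pem" 2>/dev/null
}
write_config; gen_key; gen_csr; verify_csr
echo "CSR: $WORK/req.pem  MD5: $(csr_fingerprint md5)"; make_self_signed
```

Running it again with the same WORK directory reuses key.pem, which is the renewal case in step 1.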