An SSL certificate is a signed electronic document that binds a server's public key to its host name, so that a client can verify it is talking to the genuine server rather than to an impostor. It's primarily used for providing web pages over an encrypted (HTTPS) connection. Any service accessible over SSL must have a certificate, including any web server with encrypted or “secure” content.
Sometimes a self-signed certificate is sufficient for test and development servers: the connection is still encrypted, and you can create one by following these instructions. However, a self-signed certificate does nothing to confirm the identity of the server, because anyone, including an attacker sitting between the client and the server, can create one for any host name, and the client has no way to tell the two apart. Most clients display a warning before connecting to a server with a self-signed certificate (and some won't connect at all).
On servers that require an encrypted connection, you should use an SSL certificate signed by a trusted certificate authority. Stanford users previously had to purchase such certificates from Comodo's InstantSSL offering, billed to their university account numbers. Starting in mid-2011, there is no cost to Stanford users. IT Services contracted with InCommon (in partnership with Comodo) to provision an unlimited number of certificates at a flat fee with no additional cost passed on to you.
To obtain an SSL certificate, you must first generate a CSR (Certificate Signing Request). The CSR contains the public half of the key pair you generate, the server's host name and other identifying information, all signed with your private key; the certificate authority uses it to produce the certificate. The private key itself is never sent.
To request a certificate, follow these steps:
- Generate a CSR. You can generate a CSR in several ways: your server software may have a built-in function that creates the private key and CSR for you, but in most cases you should use the openssl command-line utility to create them (see instructions). For more information, read these InstantSSL instructions and choose your server from the links on their page for a server-specific guide.
Note: The service only supports 2048-bit keys. CSRs signed with 1024-bit keys will not be accepted.
- Store your private key in a safe and secure location. Keep it on the server that will use it, readable only by the account that runs the server software (for example, mode 0600), and never send it by email or paste it into the request form; only the CSR is submitted. Anyone who obtains the private key can impersonate your server, and if the key is lost the certificate is useless and must be reissued.
- Complete the online request form.
After InCommon issues your certificate, you'll receive a confirmation email through an IT Services administrator. The message contains several links to the certificate in different file formats (the first link is the most common format), along with a link to a single file that contains the root and intermediate (chain) certificates used to sign your certificate. Install the chain file alongside your certificate: without it, clients that don't already have the intermediate certificate cannot validate yours. These two files can be viewed here:
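The request steps above, carried through with the openssl command-line utility, as an added example that is not part of this IT Services page: it generates a 2048-bit key and CSR, inspects the CSR the way you should before submitting it (self-signature, CN, key size), and then runs the checks you want on the files that come back (the certificate verifies against the chain file, its public key is the one from the private key you kept, and it names your host). Because InCommon cannot be reached from a script, a throwaway local root created in the block stands in for the real CA; the host name www.example.edu, the directory layout and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Stanford/InCommon code: generate a key and CSR, inspect the
# CSR before submitting it, and check the certificate that comes back. A
# throwaway local root created below stands in for InCommon (assumption); the
# host name and file names are placeholders.
set -eu

HOST="${1:-www.example.edu}"      # assumed placeholder; use your server's FQDN
WORK="${2:-$(mktemp -d)}"          # where key, CSR and certificate end up

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Step 1: private key and CSR. Only the CSR (public key + subject, signed by
# the private key) is submitted; the key stays on this machine.
make_csr() {
    host="$1"; dir="$2"
    umask 077                                  # key readable by its owner only
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/ST=California/L=Stanford/O=Stanford University/CN=$host"
}

# Inspect a CSR before submitting it: the self-signature must verify, the CN
# must be the host, and the key must be 2048 bits (1024-bit keys are rejected).
check_csr() {
    csr="$1"; host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$host" || return 1
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" = "2048" ]
}

# Stand-in for the CA (assumption): a throwaway root signs the CSR so the checks
# below have input. InCommon performs this step for a real request.
fake_ca_sign() {
    csr="$1"; dir="$2"; host="$3"
    openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca-chain.pem" \
        -subj "/O=Throwaway Test CA/CN=Throwaway Test Root" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"   # clients check SAN
    openssl x509 -req -sha256 -days 1 -in "$csr" -CA "$dir/ca-chain.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Checks on what the CA sends back: the certificate chains to the supplied
# root/intermediate bundle, its public key is the one from your private key,
# and it names your host.
check_issued() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca-chain.pem" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl rsa -in "$dir/$host.key" -pubout 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

main() {
    make_csr "$HOST" "$WORK"
    check_csr "$WORK/$HOST.csr" "$HOST"
    fake_ca_sign "$WORK/$HOST.csr" "$WORK" "$HOST"
    check_issued "$WORK" "$HOST"
    echo "key, CSR and certificate for $HOST are in $WORK"
}

main
```

For a real request you run only make_csr and check_csr, submit the .csr file through the request form, and then run check_issued against the certificate and chain file from the confirmation email (the fake_ca_sign step exists only so the example completes offline). The public-key comparison in check_issued is the quickest way to catch a certificate that was issued against an old or wrong CSR, which otherwise shows up only as a handshake failure when the server starts.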
The process for certificate renewal is exactly the same as for ordering a new certificate: you must create a CSR and submit the request form. Generate a new private key for the renewal rather than reusing the old one, so that a key exposed during the previous certificate's lifetime does not carry over into the new one.