SSL certificates

This is a specialist service available to administrators of IT systems and servers.

Administrators can request SSL certificates for any service hosted under york.ac.uk, or other domains legally owned by the University.

Request an SSL certificate »

Overview

Eligibility

Departmental Computing Officers (DCOs) and IT Services staff can request certificates.

Types of certificate

The service is provided by Janet, and allows us to obtain the following types of certificates on behalf of the University:

Unless a specific certificate type is requested, we will issue an Organisation Validated (OV) certificate. Extended Validation (EV) certificates are also available if required; if you're requesting an EV certificate, please let us know why it is needed.

Charges

OV and EV certificates are free of charge. IT Services purchase a bundle of credits each year to meet the University's needs based on the current number of certificates and expiry dates. You can have up to 50 SANs (alternative names) as part of the standard service.

The following specialist certificates can be purchased at £100 each:

  • Wildcard certificates (OV type)

About the certificates

  • All certificates must use RSA keys of at least 2048 bits
  • All certificate signing requests (CSRs) must use the SHA256 hash algorithm - SHA1 is no longer supported.
  • All certificates are signed and issued by QuoVadis but the request and issuing process is managed by IT Services (via Janet).
  • Certificates can be issued for hosts with a DNS entry in the .york.ac.uk domain and for any domain that is legally owned by the University.
  • Certificates can have a lifetime of 1-3 years from the day of issuance.
  • Certificates can now be used for financial transactions.

Instructions

1. Generate a Certificate Signing Request (CSR)

This step can be carried out by the server or system administrator, or by the Departmental Computing Officer (DCO).

Gather the following information regarding the server administrator:

  • Full name
  • Phone number
  • York email address

Create a Certificate Signing Request (CSR). 

For instructions on how to generate a CSR, please see the Comodo support site.

The process usually requires you to provide the following information to the CSR generation software:

  • Country Name (2 letter code): GB
  • State or Province Name: York
  • Locality Name: York
  • Organization Name: University of York
  • Organizational Unit Name: This should be the name of the unit or department as recognised by the University. Examples are: IT Services, Biology.
  • Common Name: The fully qualified domain name of the server. This is the name that is used by clients to connect to the server.

Important notes:

  • Your CSR must use the SHA256 algorithm. Some tools (including openssl) use SHA1 by default, and a SHA1 CSR cannot be accepted.
  • The Country Name or Country Code must be 'GB' not 'UK'.
  • The CSR must not have an email address embedded in it.
  • The Organization Name must be exactly 'University of York' not 'The University of York'.
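One way to follow the fields and notes above with OpenSSL, as an added example (not IT Services' own tooling): `make_csr` builds a key and CSR with the required subject, and `check_csr` confirms the CSR meets the rules before it is handed to the DCO. The function names, host name, OU and file names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. Function names, host name, OU and file names are placeholders.
# Usage: make_csr host.york.ac.uk "IT Services" host.key host.csr && check_csr host.csr

# make_csr <fqdn> <ou> <key-out> <csr-out>: RSA 2048 key, SHA256-signed CSR.
make_csr() {
    ( umask 077   # keep the private key unreadable to other users
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/C=GB/ST=York/L=York/O=University of York/OU=$2/CN=$1" \
          -keyout "$3" -out "$4" 2>/dev/null )
}

# check_csr <csr>: prints one line per rule broken, returns 0 only if none.
check_csr() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
        { echo "cannot parse CSR"; return 1; }
    # RFC2253 form gives a stable "K=V,K=V" layout across OpenSSL versions
    subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    subj=",${subj#subject=},"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    bad=0
    printf '%s\n' "$text" |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "signature is not SHA256 with RSA"; bad=1; }
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
        [ "${bits:-0}" -ge 2048 ] ||
        { echo "key is not RSA of at least 2048 bits"; bad=1; }
    case $subj in *",C=GB,"*) ;;
        *) echo "Country must be GB"; bad=1 ;; esac
    case $subj in *",O=University of York,"*) ;;
        *) echo "Organization must be exactly 'University of York'"; bad=1 ;; esac
    # Catches an email in the subject or in a requested subjectAltName
    printf '%s\n' "$text" | grep -Eq 'emailAddress|email:' &&
        { echo "CSR contains an email address"; bad=1; }
    return $bad
}
```

Only the CSR file is passed on; the private key stays on the server it was generated for.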

Provide the certificate signing request and the administrator information to the DCO.

2. Submit the certificate application

This step must be carried out by the DCO.

  1. Submit the information collected in Step 1 to IT Services using the Certificate Request Form.
  2. IT Services will conduct all required checks to validate the request. This will include a check with the Head of Department or Administrative Head.
  3. Once the checks are complete, the certificate will be issued and sent via email to the York email address of the server administrator.

3. Certificate revocation and expiry

This step can be carried out by the server or system administrator, or by the Departmental Computing Officer (DCO).

You can request that a certificate be revoked (for example because the private key has been compromised).

The administrator should contact the Library & IT Help Desk, who will take steps to validate the identity of the subscriber before revoking or suspending the certificate.

It is the responsibility of the server administrator to renew certificates before they expire. Expiry notifications will be sent to the email address that was included with the certificate request.

Help & troubleshooting

Help

Library & IT Help Desk

If you're having problems with any aspect of SSL certificates, get in touch with the Library & IT Help Desk.

Our commitments

Service status: Live and supported service.
Hours of service: 24/7
Service support: For help and support with this service, contact the Library & IT Help Desk.
Hours of support: Help from the Library & IT Help Desk is available 9am to 5pm, Monday to Friday.
Target availability

General IT Services targets:

Our performance

Our service standards have been produced in consultation with our customers, and monitor the quality, timeliness and access to facilities and services:

Complaints procedure

If you wish to give us general feedback on this service, please see our Feedback page for ways to get in touch.

If you wish to make a complaint, please see our complaints procedure.

Your responsibilities

It is your responsibility to:

  • Follow the guidance on generating a CSR to ensure that a certificate can be issued successfully first time
  • Respond to notifications of certificate expiry and make a new request if appropriate
  • Inform IT Services about certificates that are no longer required so they can be revoked