SSL certificates
Related pages
This is a specialist service available to administrators of IT systems and servers.
Administrators can request SSL certificates for any service hosted under york.ac.uk, or other domains legally owned by the University.
Overview
Eligibility
Departmental Computing Officers (DCOs) and IT Services staff can request certificates.
Types of certificate
The service is provided by JISC, and allows us to obtain the following types of certificates on behalf of the University:
-
Certificate types (JISC)
Unless a specific certificate type is requested, we will issue an Organisation Validated certificate (OV). Extended Validation (EV) certificates are also available, if required.
If you're requesting an EV certificate, please let us know why it is needed.
Charges
OV and EV certificates are provided to you free of charge. IT Services purchase a bundle of credits each year to meet the University's needs based on the current number of certificates and expiry dates.
You can have up to 50 SANs (alternative names) as part of the standard service.
The following specialist certificates can be purchased at £100 each:
-
Wildcard certificates (OV type)
About the certificates
- All certificates must use RSA keys of at least 2048 bits
- All certificate signing requests (CSRs) must use the SHA256 hash algorithm - SHA1 is no longer supported.
- All certificates are signed and issued by QuoVadis but the request and issuing process is managed by IT Services (via JISC).
- Certificates can be issued for hosts with a DNS entry in the .york.ac.uk domain and for any domain that is legally owned by the University.
- Certificates can have a lifetime of of 1-2 years from the day of issuance.
- Certificates can now be used for financial transactions.
Instructions
1. Generate a Certificate Signing Request (CSR)
There are two available options to generate a CSR:
1. Use the CSR Wizard:
The CSR wizard is available through the Certificate Request System, by clicking “Generate a new CSR” option.
2. To manually generate a CSR:
This step can be carried out by the server or system administrator, or by the Departmental Computing Officer (DCO).
Gather the following information regarding the server administrator:
- Full name
- Phone number
- York email address
Create a Certificate Signing Request (CSR).
For instructions on how to manually generate a CSR, please see the Comodo support site.
The process usually requires you to provide the following information to the CSR generation software:
- Country Name (2 letter code): GB
- State or Province Name: York
- Locality Name: York
- Organization Name: University of York
- Organizational Unit Name: This should be the name of the unit or department as recognised by the University. Examples are: IT Services, Biology.
- Common Name: The fully qualified domain name of the server or website. This is the name that is used by clients to connect to the server, or website.
Important notes:
- Your CSR must use the SHA256 algorithm. Some tools (including openssl) use SHA1 by default, which can not be accepted.
- The Country Name or Country Code must be 'GB' not 'UK'.
- The CSR must not have an email address embedded in it.
- The Organization Name must be exactly 'University of York' not 'The University of York'.
Provide the certificate signing request and the administrator information to the DCO.
2. Submit the certificate application
This step must be carried out by the DCO.
- Submit the information collected in Step 1 to IT Services using the Certificate Request System.
- If this is a manually generated CSR, click “Use my own CSR”, otherwise click “Generate a CSR” to use the CSR wizard.
- IT Services will conduct all required checks to validate the request. This will include a check with the Head of Department or Administrative Head.
- Once the checks are complete, the certificate will be issued and sent via email to the York email address of the server administrator.
3. Certificate revocation and expiry
This step can be carried out by the server or system administrator, or by the Departmental Computing Officer (DCO).
You can request that a certificate be revoked (for example because the private key has been compromised).
The administrator should contact the Library & IT Help Desk, who will take steps to validate the identity of the subscriber before revoking or suspending the certificate.
It is the responsibility of the server administrator to renew certificates before they expire. Expiry notifications will be sent to the email address that was included with the certificate request.
Help & troubleshooting
Help
Library & IT Help Desk
If you're having problems with any aspect of SSL certificates, get in touch with the IT Support.
Our commitments
| Service status | Live and supported service. |
|---|---|
| Hours of service | 24/7 |
| Service support | For help and support with this service, contact the IT Support. |
| Hours of support | Help from the Library & IT Help Desk is available 9am to 5pm, Monday to Friday. |
| Target availability |
General IT Services targets:
|
| Our performance |
Our service standards have been produced in consultation with our customers, and monitor the quality, timeliness and access to facilities and services:
|
|
Complaints procedure |
If you wish to give us general feedback on this service, please see our Feedback page for ways to get in touch. If you wish to make a complaint, please see our complaints procedure. |
Your responsibilities
It is your responsibility to:
- Follow the guidance on generating a CSR to ensure that a certificate can be issued successfully first time
- Respond to notifications of certificate expiry and make a new request if appropriate
- Inform IT Services about certificates that are no longer required so they can be revoked