This page covers:
- How to create and manage your certificates
- Which SSL/TLS certificate to use
- The SSL root certificate
- Creating a Certificate Signing Request
- How to change the owner of a certificate
- How to get a code signing certificate
How to create and manage your certificates
Once we have created your account, go to Sectigo Certificate Manager. Select Sign in with your institution. Use your University account (formerly Raven) credentials to access your account.
Which SSL/TLS certificate to use
For a website, we recommend a Jisc OV multi-domain SSL certificate. We don't recommend Jisc IGTF multi-domain SSL or Jisc EV anchor (validation only) certificates.
How to choose between Extended Validation (EV) or Organisation Validation (OV)
Modern browsers make no practical distinction between these certificate types. We strongly recommend that you use OV rather than EV certificates. EV certificates will take longer to issue because someone from UIS will need to approve them.
If you still wish to use an EV certificate, we recommend a Jisc EV multi-domain SSL certificate for a subdomain of cam.ac.uk. If it's for another domain, that domain will need to go through the extended validation process if it hasn't already. The process will take several days. Contact servicedesk@uis.cam.ac.uk to arrange this, stating the domains you wish to add and why you cannot use an OV certificate for this application. To complete the process, you will need to provide additional information about the organisation for Sectigo to verify.
EV Anchor certificates
You won't need to create an EV Anchor certificate to create EV certificates if your certificate is a subdomain of cam.ac.uk. Contact servicedesk@uis.cam.ac.uk if you want to create EV certificates for domains outside the University's main domain.
Ensuring your certificate has all the SANs you need
Make sure you select a Jisc OV multi-domain SSL certificate or the corresponding EV version, if needed, when you make your request if you have multiple SANs. If you have selected another type of certificate, you'll find it won't have all the SANs you requested. If this happens, simply revoke the old certificate and request a new one.
Creating a certificate with an IP address as the subject or SAN
Unfortunately, this is not supported.
The SSL root certificate
Sectigo will provide you with the root and intermediate (chain) certificates when your new certificate is issued. Note that this will be different than the SSL root certificate used in a previous iteration of this service.
Creating a Certificate Signing Request
To get your SSL/TLS certificate, you'll need to create a Certificate Signing Request (CSR). The easiest way to do this is using our camcsr.py script (hosted on Gitlab).
Here's an example:
python camcsr.py --ou="Institute for Example Studies" --nodes --force example.cam.ac.uk www.example.cam.ac.uk private.example.cam.ac.uk
The script will generate a key file and the CSR. Install the key file on your server and use the CSR to get your certificate.
You can check your CSR like this:
openssl req -text -noout -verify -in example_cam_ac_uk.csr
How to change the owner of a certificate
You should change the ownership of a certificate if the previous owner, or the person who requested the certificate, leaves your team.
-
Go to Sectigo Certificate Manager. Select Sign in with your institution. Use your University account (formerly Raven) credentials to access your account.
-
Select the relevant certificate from the list and then select 'View'.
-
You can change the owner by selecting 'Details' from the menu and then selecting the edit (pencil) icon. You can now enter the details of the new owner.
How to get a code signing certificate
Code signing is the process of digitally signing executables and scripts. It confirms the software author and guarantees that the code has not been altered or corrupted since it was signed. You can obtain a code signing certificate for free from the Certificate Service.
You can create your code signing certificate directly using the certificate manager. You need to be already signed up to the certificate service and able to receive email at your_crsid@your_domain.cam.ac.uk.
In any other case, use the service request form.