Getting Certificates
To set up a service provider within the UK federation according to current recommendations, you will normally require two X.509 digital certificates:
- a trust-fabric certificate for machine-to-machine use, and
- a browser-facing certificate that users will see; this must be an SSL certificate issued by an external Certification Authority (CA).
These two certificates serve different purposes and have different properties. For the trust-fabric certificate, a self-signed certificate with a lifetime of 10 or 20 years is recommended. For the browser-facing certificate, a CA-issued SSL certificate is required. A key length of 2048 bits is recommended for all certificates.
To avoid confusion, store them in files named after the fully qualified domain name of the host server, but with different suffixes, for example:
- host.uni.ac.uk.ss.crt for the trust-fabric certificate
- host.uni.ac.uk.crt for the browser-facing certificate
It is usually a good idea to ensure that each certificate is stored in just one place in the file system (rather than having multiple scattered copies), so that when a certificate is changed only a single copy of each file must be modified and every reference to the certificate is then automatically updated.
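As an added example (not part of the original page), the following POSIX shell script generates the trust-fabric certificate exactly as recommended above (self-signed, 2048-bit RSA, 20-year lifetime, saved under the host's FQDN with the .ss.crt suffix), checks those properties on an existing certificate, and prepares the key and certificate signing request that would be submitted to an external CA for the browser-facing certificate. The host name host.uni.ac.uk, the output directory and the function names are assumptions for illustration; the CA-issued browser-facing certificate itself cannot be produced locally and is not generated here.

```shell
#!/bin/sh
# Added example, not from the original page. Requires the openssl CLI.
# File names follow the page's convention: <fqdn>.ss.crt for the trust-fabric
# certificate and <fqdn>.crt for the CA-issued browser-facing certificate.
set -eu

# make_trust_fabric_cert <fqdn> <outdir> [days]
# Writes <outdir>/<fqdn>.ss.key (private key, mode 0600) and
# <outdir>/<fqdn>.ss.crt (self-signed, 2048-bit RSA, 20 years by default).
make_trust_fabric_cert() {
    fqdn="$1"; outdir="$2"; days="${3:-7300}"   # 7300 days is roughly 20 years
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" \
        -subj "/CN=$fqdn" \
        -keyout "$outdir/$fqdn.ss.key" \
        -out "$outdir/$fqdn.ss.crt" >/dev/null 2>&1
    chmod 600 "$outdir/$fqdn.ss.key"
}

# check_trust_fabric_cert <crtfile>
# Prints "ok" when the certificate is self-signed, carries a 2048-bit RSA key
# and remains valid for at least 10 years; otherwise prints the failing
# property and returns non-zero. Useful before a certificate is published
# in federation metadata.
check_trust_fabric_cert() {
    crt="$1"
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    # Self-signed: subject and issuer are identical (strip the field labels).
    [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "not-self-signed"; return 1; }
    bits=$(openssl x509 -in "$crt" -noout -pubkey \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" = "2048" ] || { echo "key-bits:${bits:-unknown}"; return 1; }
    # -checkend takes seconds; 315360000 s is 10 years (365-day years).
    openssl x509 -in "$crt" -noout -checkend 315360000 >/dev/null \
        || { echo "lifetime-too-short"; return 1; }
    echo ok
}

# make_browser_csr <fqdn> <outdir>
# Writes <outdir>/<fqdn>.key and <outdir>/<fqdn>.csr. The CSR is what you
# submit to the external CA; the certificate it returns is saved as
# <outdir>/<fqdn>.crt (the browser-facing certificate).
make_browser_csr() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$fqdn" \
        -keyout "$outdir/$fqdn.key" \
        -out "$outdir/$fqdn.csr" >/dev/null 2>&1
    chmod 600 "$outdir/$fqdn.key"
}

# Usage with a constructed host name: sh certs.sh host.uni.ac.uk ./certs
if [ $# -ge 2 ]; then
    make_trust_fabric_cert "$1" "$2"
    check_trust_fabric_cert "$2/$1.ss.crt"
    make_browser_csr "$1" "$2"
fi
```

Keeping each key and certificate in the single directory passed as the second argument, and pointing the service provider's configuration at those paths, follows the page's advice of holding one copy of each file so that a renewal only touches one place.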
Details of acquiring these two types of certificate follow:
