JANET-Connected Organisations

Since JANET-connected organisations can obtain certificates issued by GlobalSign free of charge from the JANET Server Certificate Service (see GetSCSCert), they will normally only use the procedure described here if the same certificate is also to be used to secure financial transactions, for which SCS certificates may not be used.

Requesting a GlobalSign Certificate

Once you have a key pair, you need to send the public key to GlobalSign, along with the DNS name of the server machine to be certified and the name of your institution. Only the public key is sent: the private key (my.key below) stays on the server and must never leave it. You must also prove to GlobalSign that you are a legitimate user of those names. The names and public key are sent as a Certificate Signing Request (CSR) file, which openssl generates from the private key:

 openssl req -new -key my.key -out my.csr

When you run the above command, openssl prompts for the fields of the certificate's subject name: enter the Country Name (normally GB), Organisation Name, Organisational Unit Name and Common Name. The Common Name must be the fully qualified DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk), exactly as clients will address it. openssl may also ask for a "challenge password" and an optional company name; leave both empty (the default).

The Organisation Name and Unit you choose must match the name of your organisation on the official documents GlobalSign will require you to provide to demonstrate your right to use that name. Make sure every name is exactly what you want: nothing in a certificate can be changed after it is issued, so a mistake means requesting a new certificate.
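The steps above, done non-interactively and followed by the checks worth running before the CSR leaves your hands. This is an added example for this page, not a script from GlobalSign or the UK Federation. The hostname shibbox.uni.ac.uk is the page's own; the organisation "University of Example" and unit "Computing Service" are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): generate the key pair and CSR
# with the subject supplied on the command line, then check the CSR before it
# is submitted to GlobalSign. "University of Example" / "Computing Service"
# below are placeholder values.
set -eu

# make_csr FQDN ORG OU PREFIX
# Writes PREFIX.key (2048-bit RSA private key, mode 0600) and PREFIX.csr.
make_csr() {
    fqdn=$1; org=$2; ou=$3; prefix=$4
    umask 077                                  # private key readable only by its owner
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    # -subj supplies the Distinguished Name that the interactive command prompts for;
    # the challenge password and optional company name are left empty.
    openssl req -new -key "$prefix.key" -out "$prefix.csr" \
        -subj "/C=GB/O=$org/OU=$ou/CN=$fqdn"
}

# check_csr CSR KEY FQDN
# Returns 0 only if the CSR's self-signature verifies, its Common Name is exactly
# FQDN, and its public key belongs to KEY (the key the server will actually use).
check_csr() {
    csr=$1; key=$2; fqdn=$3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; return 1; }
    # RFC2253 output puts the CN first and uses no spaces around '=',
    # so the pattern below is stable across openssl versions.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$fqdn,"*|*"CN=$fqdn") ;;
        *) echo "unexpected subject: $subject" >&2; return 1 ;;
    esac
    # The modulus in the CSR must be the modulus of the private key we keep.
    csr_mod=$(openssl req -in "$csr" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    [ "$csr_mod" = "$key_mod" ] \
        || { echo "CSR public key does not match $key" >&2; return 1; }
}

# Stand-alone use: sh make_csr.sh shibbox.uni.ac.uk "University of Example" "Computing Service"
if [ $# -eq 3 ]; then
    make_csr "$1" "$2" "$3" my
    check_csr my.csr my.key "$1" && echo "my.csr is ready to submit"
fi
```

The third check matters most in practice: a CSR generated against the wrong key file produces a certificate that the server can never use, and the mistake is only discovered after GlobalSign has issued it. Modern browsers ignore the Common Name and match the host against the subjectAltName extension, so if your openssl (1.1.1 or later) supports it, add `-addext "subjectAltName=DNS:$fqdn"` to the `openssl req` line.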

Once you have made the Certificate Signing Request file, it must be submitted to GlobalSign. If you are certifying an .ac.uk domain, JANET(UK) has a special agreement with GlobalSign that reduces the cost of the certificate and simplifies the supporting documentation required. In this case, the procedure to follow is described in the next section. For all other domains, including .sch.uk domains, you should follow GlobalSign's standard application procedure for an OrganizationSSL certificate, at http://www.globalsign.net/digital_certificate/serversign/index.cfm.

Several different types of certificate are available there:

  • OrganizationSSL: This is the type you should request. Do not request the Wildcard option.
  • DomainSSL: a lower-assurance certificate that validates only control of the domain, not the organisation behind it; do not use.
  • ExtendedSSL: Extended Validation (EV) certificates are not currently supported by the UK Federation; do not use.

Applying for an .ac.uk Certificate

For .ac.uk domains only, follow this procedure. In the last step of the process, when you are asked to supply documentation appropriate for your organisation, you should send two items:

  • First, the certificate request form printed out during the application process. This must be signed by your institution's head of IT or equivalent.
  • Second, a covering letter on the institution's letterhead.

The covering letter should be signed by the same person who signed the form, and should state that this person is entitled to act for the institution. This letter replaces the "proof of your company's legal status" requested at the end of the online process. GlobalSign's suggested wording is:

This letter is to confirm that I, Mister XXX, Head of XXXXX department,
for the purpose of purchasing ServerSign Certificates, is authorised to
bind legally XXXX University.

They also request that the letter should be accompanied by this person's business card, if possible. The following alternative form of words has also worked:

This is to endorse the attached certificate requests for domain names xxx
and yyy. These domain names are registered to the University of zzz.

After you receive the signed certificate back from GlobalSign, the next step is to register an identity or service provider as described at JoinFederation.

Root Certificates

Your server certificate is not signed directly by GlobalSign's root but by an intermediate CA, so as well as your own certificate you will also need to download a copy of GlobalSign's "intermediate CA certificate" from http://www.globalsign.com/support/root-organizationssl.html. Save this as gs_organization_ca.crt for use later: the server must present it alongside its own certificate, because clients generally trust only the GlobalSign root and need the intermediate to complete the chain.
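Before either file is installed, it is worth confirming that the certificate GlobalSign returned and the intermediate you downloaded actually fit together. The following is an added example for this page, not code from GlobalSign or the UK Federation. The file names my.crt and gs_organization_ca.crt follow the page; the optional root-bundle argument is an assumption for sites that keep their own trust store rather than relying on the system one.

```shell
#!/bin/sh
# Added example (not from the original page): check the issued server
# certificate against the downloaded intermediate CA certificate.
set -eu

# check_chain CERT INTERMEDIATE FQDN [ROOT_BUNDLE]
# Returns 0 only if CERT was issued by INTERMEDIATE, names FQDN, and chains to a
# trusted root (ROOT_BUNDLE if given, otherwise the system trust store).
check_chain() {
    cert=$1; ca=$2; fqdn=$3; root=${4:-}
    # 1. CERT's issuer must be INTERMEDIATE's subject; otherwise the pair the
    #    server sends cannot be linked by any client.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    [ "$issuer" = "$subject" ] \
        || { echo "$ca did not issue $cert (issuer: $issuer)" >&2; return 1; }
    # 2. The certificate must be for the server we requested it for.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$cn" in
        *"CN=$fqdn,"*|*"CN=$fqdn") ;;
        *) echo "certificate is not for $fqdn: $cn" >&2; return 1 ;;
    esac
    # 3. Full path validation. The intermediate is passed as -untrusted: it is
    #    input to be validated against a root, not a trust anchor in itself.
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$ca" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$ca" "$cert" >/dev/null 2>&1
    fi || { echo "chain does not validate to a trusted root" >&2; return 1; }
}

# Stand-alone use: sh check_chain.sh my.crt gs_organization_ca.crt shibbox.uni.ac.uk
[ $# -eq 0 ] || check_chain "$@"
```

The first check catches the common case where the downloaded file is a different GlobalSign intermediate (or the root itself) from the one that signed your certificate; the third catches a chain that is internally consistent but does not reach anything a client trusts.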