Requesting an SCS Certificate
JANET(UK) is the UK Registration Authority for TERENA Server Certificate Service (SCS) certificates. It only accepts requests from JANET-connected organisations. However, certificates are not obtained directly from JANET(UK) but from nominated local proxies within your own organisation.
If you do not know who the proxies within your organisation are, then you will need to find out by approaching your local IT support service. If it turns out that your organisation has not yet joined the Server Certificate Service then it will need to apply, as described at http://www.ja.net/services/scs/application.html. The procedure described below assumes that you have identified a local proxy who will handle your certificate request.
Generating the Certificate Signing Request
Using the key pair file you made previously (my.key, described in GetCertificate), you must now create a Certificate Signing Request (CSR). The CSR contains your public key, the DNS name of the server machine to be certified and the name of your organisation, and it is signed with your private key so that the CA can check that you hold it. A CSR file can be generated by openssl:
openssl req -new -key my.key -out my.csr
When you run this command, openssl prompts you for Country Name (GB), Organisation Name, Organisational Unit Name and Common Name. The value shown in square brackets at each prompt is a default taken from openssl's configuration file, not a recommendation: type the correct value, or "." to leave a field empty.
- The Common Name given must be the fully qualified DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk).
- The Organisation Name must exactly match the full formal name of your organisation as known to JANET(UK), which will be checked against public lists of educational organisations. Your local proxy should be able to tell you the exact string to use.
- The Organisational Unit given should reflect any existing practice within your organisation (faculty, department, etc.) Guidelines may be available from your local proxy.
- Finally, openssl may also ask for a "challenge password" and optional company name, both of which are usually left empty (the default).
Before sending it, make sure all of the information in the Certificate Signing Request is exactly what you want: the subject fields are carried into the certificate as submitted and cannot be changed once it has been issued, so a mistake means a fresh request.
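As an added example that is not part of the original page, the same request built from a script rather than from the prompts, followed by the checks worth running before the CSR leaves your hands: that its self-signature verifies, that it really carries the public half of my.key, and that the subject fields read exactly as intended. The file names follow the page; the FQDN, organisation and unit values are placeholders, and the organisation string in particular must be the exact one your local proxy gives you.

```shell
#!/bin/sh
# Added example (not from the original page): make the CSR without the
# interactive prompts, then check it before it goes to the proxy.
# Assumes the key pair is in my.key, as made in GetCertificate. The CN, O and
# OU values used at the bottom are placeholders.
set -eu

# make_csr KEY OUT_CSR FQDN ORG OU
# Same request as "openssl req -new -key my.key -out my.csr", but with the
# subject given on the command line, so nothing is mistyped at a prompt and
# no config-file default leaks into a field. The challenge password and the
# optional company name are simply not supplied. A "/" inside a value must
# be escaped as "\/" because "/" separates the fields here.
make_csr() {
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=GB/O=$4/OU=$5/CN=$3"
}

# csr_field CSR FIELD: print one subject field (C, O, OU or CN) of the request.
# sep_multiline puts each field on its own line, so a comma inside the
# organisation name cannot break the parse.
csr_field() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# csr_verify CSR: succeed only if the request's self-signature is valid,
# i.e. the file was not altered after it was generated.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: succeed only if the request carries the public half
# of KEY. Catches the classic mistake of requesting against an old or
# regenerated key, which yields a certificate the server cannot use.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone use, for example:
#   sh make_csr.sh my.key my.csr shibbox.uni.ac.uk "University of Example" "Computing Service"
if [ $# -eq 5 ]; then
  make_csr "$1" "$2" "$3" "$4" "$5"
  csr_verify "$2" || { echo "self-signature check FAILED on $2" >&2; exit 1; }
  csr_matches_key "$2" "$1" || { echo "$2 does not match the key in $1" >&2; exit 1; }
  for f in C O OU CN; do
    printf '%-3s %s\n' "$f" "$(csr_field "$2" "$f")"
  done
fi
```

Compare the O line of the printed subject character by character with the string your proxy gave you; that is the field the Registration Authority checks against its lists, and the one that is most often wrong.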
Submitting the Request
Once you have made the CSR file, send it to the local proxy, telling them which type of SCS certificate you want. There are three types of SCS certificate, described at http://www.switch.ch/pki/scs/samples.html. You should tell the proxy that you want a "SureServerEDU TLS" certificate, which is the only type that has been qualified for interoperability with the UK Federation. The proxy submits the request to the Registration Authority (JANET(UK)), which checks it and, if it is approved, has the certificate issued to you.
After you receive the signed certificate, you can proceed to register identity or service providers with the UK Federation using that certificate as described at RegisterEntities.
CA Certificate
As well as your own certificate, you will also need a copy of the Cybertrust Educational CA certificate used to sign SureServerEDU certificates. This can be downloaded from http://secure.globalsign.net/cacert/sureserverEDU.pem.
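An added example, not from the original page, of what to check once the certificate comes back and before you register it: that it contains the public half of my.key, that it chains to the CA certificate downloaded above, that its subject carries the hostname you asked for, and how long it has left. The file names my.crt and sureserverEDU.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the issued
# certificate before registering it with the UK Federation. Assumes the key
# in my.key, the issued certificate saved as my.crt and the CA certificate
# from the URL above saved as sureserverEDU.pem; all three names are placeholders.
set -eu

# cert_matches_key CRT KEY: succeed only if CRT contains the public half of KEY.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_field CRT FIELD: print one subject field (e.g. CN) of the certificate,
# to confirm it carries the hostname and organisation you asked for.
cert_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# cert_chains_to CRT CAFILE: succeed only if CRT verifies with CAFILE as the
# trust anchor and is within its validity period. -no-CAfile/-no-CApath keep
# the system trust store out of the decision (OpenSSL 3 also has -no-CAstore
# for its default certificate store). A certificate issued under some other
# CA fails here rather than at federation registration.
cert_chains_to() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for CRT SECONDS: succeed only if CRT does not expire within
# SECONDS. Suitable for a cron job so renewal starts well before expiry.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Stand-alone use: sh check_cert.sh my.crt my.key sureserverEDU.pem
if [ $# -eq 3 ]; then
  cert_matches_key "$1" "$2" || { echo "$1 does not match the key in $2" >&2; exit 1; }
  cert_chains_to "$1" "$3"   || { echo "$1 does not chain to $3" >&2; exit 1; }
  cert_valid_for "$1" 2592000 || echo "warning: $1 expires within 30 days" >&2
  echo "OK: CN=$(cert_field "$1" CN), $(openssl x509 -in "$1" -noout -issuer)"
fi
```

The key-match check is the one that matters most for Shibboleth: a certificate issued for a different key pair installs without complaint and only fails when the federation or a peer tries to use it.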
