Thawte Certificate Types

Thawte offer several types of SSL server certificate:

  • Server Gated Cryptography (SGC) "supercerts"
  • SSL web server certificates
  • SSL web server certificates with EV
  • SSL123
  • SPKI managed multiple certificates
  • Wildcard certificates

Of these, only the plain "SSL web server" certificates (without EV) are currently supported for use with the UK Federation. SSL123 is not supported and the others have not been qualified.

Requesting a Thawte Certificate

Once you have a key pair, you need to send the public key to Thawte, along with the DNS name of the server machine to be certified and the name of your institution. You must also prove to Thawte that you are a legitimate user of those names. The names and public key are sent as a Certificate Signing Request (CSR) file, which can be generated by openssl:

 openssl req -new -key my.key -out my.csr

When you run this command, openssl should prompt you to input Country Name (GB), your Organisation Name, Organisational Unit Name and Common Name. The Common Name given MUST be the fully qualified DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk). openssl may also ask for a "challenge password" and optional company name, both of which are usually left empty (the default).

The Common Name is the important part of the name for Shibboleth. The other parts of the full name should reflect existing practice in your organisation. Make sure the name is exactly what you want: it can't be changed after the certificate is issued.
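The CSR step above, scripted so that the subject is given on the command line rather than typed at the prompts, with checks to run before submitting it (added example; this is not the page's own procedure or a UK Federation script). It assumes openssl is on the PATH, a 2048-bit RSA key (the page does not state a size), and placeholder values for the host name, organisation and organisational unit; the challenge password is left unset, as the page advises.

```shell
#!/bin/sh
# Added example, not from the original page: generate a key pair and a CSR
# non-interactively, then inspect the CSR before sending it to the CA.
# Assumptions: openssl on PATH; 2048-bit RSA is an assumed key size;
# shibbox.example.ac.uk, "Example University" and "IT Services" are placeholders.
set -eu

# make_csr <common-name> <organisation> <outdir>
# Writes my.key and my.csr into <outdir>. The subject fields are the same ones
# the interactive "openssl req -new" prompts for: C, O, OU and CN.
make_csr() {
    cn="$1"; org="$2"; dir="$3"
    mkdir -p "$dir"
    # Private key, created readable only by its owner.
    ( umask 077; openssl genrsa -out "$dir/my.key" 2048 2>/dev/null )
    # -subj replaces the prompts; no challenge password is set.
    openssl req -new -key "$dir/my.key" -out "$dir/my.csr" \
        -subj "/C=GB/O=$org/OU=IT Services/CN=$cn"
}

# csr_cn <csr-file>: print just the Common Name from the CSR's subject, so the
# value can be checked against the server's fully qualified DNS name before
# submission (it cannot be changed once the certificate is issued).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject=//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# csr_ok <csr-file>: exit 0 only if the CSR's self-signature verifies,
# i.e. the file was not truncated or altered in transit.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key <csr-file> <key-file>: exit 0 only if the public key inside
# the CSR is the one belonging to the private key the server will use.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Typical use is `make_csr shibbox.example.ac.uk "Example University" ./csr`, followed by `csr_cn ./csr/my.csr` to eyeball the Common Name and `csr_ok` and `csr_matches_key` as a final sanity check; only my.csr is sent to the CA, my.key stays on the server.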

Once you have made the Certificate Signing Request file, it must be submitted to Thawte. The procedure to follow is given at http://www.thawte.com/ssl-digital-certificates/ssl/index.html. After you fill out the online enrolment form there, Thawte will contact the registered owner of the DNS domain referred to in the Common Name part of the certificate request to confirm that you are using it legitimately and will also request copies of documents demonstrating that you are a legitimate, authorised representative of the institution named in the certificate request.

After you receive the signed certificate back from Thawte, the next step is to apply to join the federation as described at JoinFederation.

Root Certificates

As well as your own certificate you will also need a copy of the CA's "root certificate". Thawte's root certificates can be downloaded from http://www.thawte.com/roots/. The resulting zip file contains, under the Thawte Server Roots folder, the required root certificate, ThawtePremiumServerCA.txt, in the PEM format used by Apache. Shibboleth itself gets the root certificates of the CAs accepted by the federation out of its metadata file, which you will download during setup.
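One check worth running once the signed certificate and the root certificate are both to hand is that the server certificate actually chains to that root, since that is what Apache and the federation's peers will require. The following added example (not from the page or from Thawte) does this with openssl verify. Because it has to run offline, a throw-away locally generated root CA stands in for the downloaded ThawtePremiumServerCA.txt and signs a constructed server CSR; with a real certificate you would skip the two generation steps and call chains_to_root on the downloaded root and the certificate Thawte returned. Key size and all names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that a server certificate
# chains to the CA root file you intend to deploy alongside it.
# Assumptions: openssl on PATH; a local stand-in root replaces the real Thawte
# root because this runs offline; names and key sizes are placeholders.
set -eu

# make_local_ca <dir>: self-signed root certificate in PEM, standing in for the
# root file you would normally download rather than generate.
make_local_ca() {
    dir="$1"; mkdir -p "$dir"
    ( umask 077; openssl genrsa -out "$dir/root.key" 2048 2>/dev/null )
    openssl req -x509 -new -key "$dir/root.key" -days 365 -out "$dir/root.pem" \
        -subj "/C=GB/O=Stand-in Root CA/CN=Stand-in Root"
}

# issue_cert <ca-dir> <common-name> <outdir>: the CA's side of the process,
# done here by the stand-in root: a CSR for <common-name> is created and signed.
issue_cert() {
    ca="$1"; cn="$2"; dir="$3"; mkdir -p "$dir"
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=GB/O=Example University/CN=$cn"
    openssl x509 -req -in "$dir/server.csr" -CA "$ca/root.pem" -CAkey "$ca/root.key" \
        -CAcreateserial -days 365 -out "$dir/server.pem" 2>/dev/null
}

# chains_to_root <root.pem> <server.pem>: exit 0 only if the server certificate
# verifies against the given root and nothing else; a certificate signed by a
# different CA, or a root file from the wrong folder of the download, fails here.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

With a real certificate the call is simply `chains_to_root ThawtePremiumServerCA.txt server.pem`; a non-zero exit means the root file does not match the chain the CA actually used, and the pair should not be deployed until that is resolved.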