Requesting a VeriSign Secure Site Certificate
Once you have a key pair, you need to send the public key to VeriSign, along with the DNS name of the server machine to be certified and the name of your organisation. You must also prove to VeriSign that you are a legitimate user of those names. The names and public key are sent as a Certificate Signing Request (CSR) file, which can be generated by openssl:
openssl req -new -key my.key -out my.csr
When you run the above command, openssl should prompt you to input the Country Name (normally GB), Organisation Name, Organisational Unit Name and Common Name. The Common Name given must be the fully qualified DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk). openssl may also ask for a "challenge password" and optional company name, both of which are usually left empty (the default).
The Organisation Name and Unit you choose must match the name of your organisation on the official documents VeriSign will require you to provide to demonstrate the actual existence of your organisation. Make sure the name is exactly what you want: it can't be changed after the certificate is issued.
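The CSR step described above, worked through non-interactively as an added example (this script is not part of the original page or the UK federation's own tooling). The hostname shibbox.uni.ac.uk is the page's own placeholder, the organisation and unit names are assumed, and the file names my.key and my.csr follow the page. Besides generating the CSR it performs the checks worth doing before pasting it into the order form: that the CSR's own signature verifies, that its Common Name is the intended fully qualified DNS name, and that the public key it carries really belongs to my.key.

```shell
#!/bin/sh
# Added example (not from the original page): make the CSR non-interactively
# and check it before it goes into the VeriSign order form.
# The organisation details are assumed placeholders; the hostname is the
# page's own example and the file names follow the page.
set -eu

FQDN="shibbox.uni.ac.uk"        # Common Name: the server's fully qualified DNS name
ORG="University of Example"      # must match your official documents exactly
OU="IT Services"

# Create a 2048-bit RSA key unless the file already exists.
gen_key() {
    [ -f "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
}

# make_csr KEY CSR CN ORG OU: build a CSR from an existing key. -subj answers
# the prompts openssl would otherwise issue (fields are separated by '/', so
# '/' cannot appear inside them); no challenge password or optional company
# name is set, matching the usual empty defaults.
make_csr() {
    openssl req -new -key "$1" -out "$2" -subj "/C=GB/O=$4/OU=$5/CN=$3"
}

# Print just the Common Name of a CSR; the sed copes with both the
# "subject=CN = x" and the older "subject=/CN=x" output styles.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the CSR's own signature verifies, i.e. it was not
# truncated or altered on its way to the web form.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeed only if the public key inside the CSR is the one derived from the
# private key file: catches submitting a CSR made from some other key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing done" >&2; exit 0; }
WORK=$(mktemp -d)
gen_key "$WORK/my.key"
make_csr "$WORK/my.key" "$WORK/my.csr" "$FQDN" "$ORG" "$OU"
csr_verify "$WORK/my.csr"                      # set -e aborts on a bad CSR
csr_matches_key "$WORK/my.csr" "$WORK/my.key"
echo "CSR checks passed; CN = $(csr_cn "$WORK/my.csr")"
echo "paste the whole of $WORK/my.csr into the VeriSign form"
```

The same three checks apply to a CSR made interactively with the page's command. If your organisation name contains a '/', answer the prompts interactively instead of using -subj, since '/' is the field separator there.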
Once you have made the Certificate Signing Request file, it must be submitted to VeriSign. The procedure to follow is given at http://www.verisign.co.uk/ssl/buy-ssl-certificates/index.html. A number of different certificate types are offered:
- The basic Secure Site type has been qualified for use with the UK federation and is available to the federation operator.
- Secure Site Pro and Managed PKI have been shown to work with the UK federation but are not used by the federation operator and may therefore be harder for it to support.
- Other types, including Secure Site Pro with EV and Premium EV have not been qualified for use with the UK federation and should not be used.
During the certificate request process, you will be asked to enter the CSR into a web form. The my.csr file generated previously is plain (PEM-encoded) text: copy and paste its whole content, including the BEGIN and END CERTIFICATE REQUEST lines, into the form.
After you have submitted your online certificate request, VeriSign will contact you and ask you to provide official documents supporting your request. Once they are satisfied with the authenticity of the request, they will supply the certificate.
CA Certificate
As well as your own certificate you will also need to download a copy of the appropriate VeriSign intermediate CA certificate: the certificate of the CA that signed yours, which clients need in order to build a chain from your certificate to a trusted VeriSign root.
- For Secure Site certificates: http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
- For Secure Site Pro: http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html
The intermediate CA certificate can be copied and pasted from one of the web pages above into a .pem or .crt file, as used by Apache, or a Windows .cer file. The rest of the UK federation setup documentation assumes this file will be called VeriSignClass3SecureServerCA.crt, which is appropriate for Secure Site certificates. For Secure Site Pro certificates, VeriSignInternationalCA.crt would be a better name, but if you do use a name other than VeriSignClass3SecureServerCA.crt then make sure to use the same name consistently throughout your server configuration.
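An added example (not code from the page or from VeriSign) showing how to confirm that the intermediate file you saved is the right one for your server certificate, and why the file is needed at all. The real VeriSign certificates cannot be embedded here, so the script builds a throwaway root, intermediate and server certificate of its own as a stand-in; the names Test Root, Test Secure Server CA and University of Example are placeholders, and shibbox.uni.ac.uk is the page's own example hostname.

```shell
#!/bin/sh
# Added example (not from the original page or from VeriSign): confirm that a
# saved intermediate CA file is the right one for a server certificate and
# show what verification does without it. The real VeriSign files cannot be
# embedded here, so a throwaway root / intermediate / server chain is created
# locally as a stand-in; every name below is a placeholder.
set -eu

# Issuer DN of a certificate and subject DN of a CA file, without the
# "issuer="/"subject=" prefix so the two strings can be compared directly.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# issuer_matches CERT INTER: succeed if INTER's subject is CERT's issuer,
# i.e. the downloaded intermediate is the CA that actually signed CERT.
issuer_matches() { [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]; }

# chain_ok ROOT CERT [INTER]: succeed if CERT chains to the trusted ROOT,
# with INTER (if given) offered as an untrusted intermediate, which is how a
# client sees the chain a server sends it.
chain_ok() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing done" >&2; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"
# Extensions that make a certificate usable as a CA.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext

# Self-signed root (stand-in for the VeriSign root in the client's trust store).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
# Intermediate signed by the root (stand-in for VeriSignClass3SecureServerCA.crt).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Test Secure Server CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out inter.crt 2>/dev/null
# Server certificate issued by the intermediate (stand-in for what VeriSign returns for my.csr).
openssl req -new -newkey rsa:2048 -nodes -keyout my.key -out my.csr -subj "/C=GB/O=University of Example/CN=shibbox.uni.ac.uk" 2>/dev/null
openssl x509 -req -in my.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 -out my.crt 2>/dev/null

issuer_matches my.crt inter.crt            # set -e aborts if the wrong intermediate was saved
chain_ok root.crt my.crt inter.crt
echo "my.crt verifies when inter.crt is supplied"
if chain_ok root.crt my.crt; then echo "unexpected: verified without the intermediate"; exit 1; fi
echo "my.crt does not verify without inter.crt: keep the intermediate file with your server configuration"
```

With the real files the two checks become issuer_matches my.crt VeriSignClass3SecureServerCA.crt and openssl verify -untrusted VeriSignClass3SecureServerCA.crt my.crt; in the second, the VeriSign root is taken from the system trust store rather than passed with -CAfile. A mismatch in the first check usually means the intermediate for the wrong certificate type (Secure Site versus Secure Site Pro) was downloaded.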
Shibboleth itself gets the certificates of the CAs accepted by the federation out of its metadata file, which you will download during federation setup.
