Requesting a Janet Certificate Service Certificate

Eligible organisations may acquire SSL certificates from the Janet Certificate Service. A charge for this service was introduced from 1 May 2013 (see for details).

Certificates issued by the Janet Certificate Service can only be used for non-commercial purposes and may not be used to secure financial transactions.

Janet certificates are not obtained directly from Janet but from a local authorised representative within your own organisation. If you do not know who the representatives within your organisation are, then you will need to find out by approaching your local IT support service. If it turns out that your organisation has not yet joined the Janet Certificate Service, then it will need to sign and return, by fax or post, the Authorised Representative form. The same form should be used if an existing list of representatives is to be changed.

The procedure described below assumes that you have identified a local representative who will handle your certificate request.

Generating the Certificate Signing Request

Using the private key file you made previously (my.key, as described in in our documentation on certificate creation), you must now create a Certificate Signing Request (CSR) containing your public key, the DNS name of the server machine to be certified and the name of your organisation. A CSR file can be generated by openssl:

 openssl req -new -key my.key -out my.csr

When you run this command, openssl should prompt you to input Country Name (GB), your Organisation Name, Organisational Unit Name and Common Name.

  • The Common Name given must be the fully qualified domain name of your Shibboleth server (e.g.,
  • The Organisation Name must exactly match the full formal name of your organisation as known to Janet, which will be checked against public lists of educational organisations. Your local representative should be able to tell you the exact string to use.
  • The Organisational Unit given should reflect any existing practice within your organisation (faculty, department, etc.). Guidelines may be available from your local representative.
  • Finally, openssl may also ask for an email address, a "challenge password" and optional company name, all of which are usually left empty (the default).

Make sure all of the information entered into the Certificate Signing Request is exactly what you want: it can't be changed after the certificate is issued.

Submitting the Request

Once you have made the CSR file, send it to a local authorised representative. You will be asked to specify which 'software stack' your certificate will be running on. Note: If your certificate is intended for use with an IdP you should specify "Apache/ModSSL". Otherwise select an appropriate option; ask your representative for advice if necessary.

The Janet Certificate Service provides authorised representatives with access to a password-controlled web interface. Once a representative has received a correctly specified CSR, he or she can submit the request via the interface and be issued with the appropriate certificate in .crt format directly. However, the normal mechanism will be for the user requesting the certificate to specify an email address, and to have the certificate and associated information delivered in due course via email.

Assuming you are following this route, you will be sent, as an email attachment, a zip file containing your signed certificate, and three other certificates comprising the chain of intermediate certificates required to validate your certificate. The 'software stack' information which you specified when making the request is used to select an appropriate format within the zip file for the certificate and its associated intermediate certificates. Specifying a software stack of "Apache/ModSSL", as recommended, will result in an attached zip file containing a .crt file for the issued certificate and a .ca-bundle containing the intermediate (chaining) certificates.

Once you have received the signed certificate, you can proceed to register identity or service providers with the UK federation using that certificate. Details for specifying the intermediate certificates in your configuration are contained in the various entity 'set up' pages.