This page contains information about how to apply for a certificate to protect your service. If you are a web server administrator or someone who is managing a service that requires an X.509 certificate, you may submit a certificate request to us and we will sign it with the University Certificate Authority (CA or root) certificate and/or request that it be signed by a commercial Certificate Authority (currently Digicert). Your users will then be able to use your secured service without having to go through the manual process of installing your certificate.

Note

We can only provide certificates for members of the University of Edinburgh and only for hosts and domains owned by and registered to the University, or providing hosted services to the University.

Different types of certificate

There are a number of different routes to getting a certificate that you can use. They are as follows:

Self-certification

Self-certification is easy to do for the system administrator, as the certificate signs itself and the administrator can install it immediately without waiting for a certificate authority to sign it. However, users will be challenged to refuse or accept the certificate the first time they use the site. You would typically use these just for development or testing. This doesn't require any certificate authority.

LetsEncrypt

This is the preferred option for certificates.

LetsEncrypt provides a free-to-use service for all types of Domain Validated (DV) certificates to the University. They provide this through an automated update mechanism (ACME) which allows you to completely automate the ongoing installation and updating of certificates as they expire and need renewing. This is the preferred type of certificate for all public-facing University services and provides a cost-effective and management-lite capability for securing services.

Automating certificate renewal is vital as the industry is moving to shorter and shorter certificate lifetimes: TLS Certificate Lifetimes Will Officially Reduce to 47 Days

More information on using LetsEncrypt: LetsEncrypt documentation

Locally produced documentation on how to set up certificate automation: Automated SSL/TLS Certificate Management

University procured Digicert certificates

Information Services have made available certificates signed by Digicert to secure websites and other host-based services; this includes code and document signing certificates, and end user certificates for email signing/encryption. Browsers trust the CA and so this is the best option to choose for public-facing web services if LetsEncrypt is not an option.

Organisation Validated (OV) certificates for single domains and for Subject Alternative Names (additional DNS names of the service) are issued free of charge for a period of up to one year and can be used for any purpose including financial transactions. ISG absorbs the cost of this service and so there is no charge to service owners. Wildcard certificates and Extended Validation certificates are not provided free of charge and may incur cost.

University of Edinburgh signed certificate

You may apply for one from Information Services. It is then very similar to the self-signed certificate, except that if the user has gone through the one-off acceptance of the University of Edinburgh Certificate Authority certificate, they will not be prompted to accept your new one. These may be used on internal systems that end users will not interact with and may be issued with a long lifetime. Public-facing websites should not use these, as browsers will refuse to connect if the University CA certificate has not been pre-loaded into the user's browser.

Other commercial certificate providers

GoDaddy, Thawte, GeoTrust, RapidSSL, Sectigo and other certification authorities are also available. These authorities charge for issuing certificates, but you may use them for any purpose including code signing, document signing and financial transactions.

Applying for a certificate

To apply for a certificate to be signed by a certificate authority you need to create a certificate signing request (CSR). This will generate a private key file and the CSR. You send only the CSR (never the private key) to the authority; they sign it and return the public key part of the certificate to you.

Creating a CSR file

This guidance page describes the process of creating a valid certificate signing request (CSR) for submission to any certificate authority for signing: Creating a CSR

Applying for a Digicert certificate

To apply for a University certificate or a Digicert certificate complete the following form. You will need to provide a Certificate Signing Request (CSR). You should also provide a contact email address that will be used to inform you when the certificate is due to expire. We recommend you use a functional mail account, alias or mailing list for this purpose so that expiry messages do not go to named individuals who may no longer be in the role when the certificate expires.

Applying for a University or Digicert certificate

On submission of the certificate request to the certificate authority, the request will be checked for validity. Upon approval, the certificate will be signed and emailed back to you. Digicert certificates will come in a zip file containing your signed certificate and other certificates; this will be emailed from the Digicert service directly to the contact address you supply. These other certificates (the intermediate CA certificates) are needed to validate your certificate and should be included in the certificate chain file or certificate authority directory of the software you are using.
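The CSR-to-chain-file workflow described in the sections above, as an added example that is not from this page or the University: it builds a CSR carrying Subject Alternative Names, stands in for the certificate authority with a throwaway root and intermediate (placeholders, not the University or Digicert CA), and shows why the "other certificates" returned with a signed certificate must go into the chain file. Only the openssl command line is used; svc.example.org and every CA name are constructed.

```shell
# Added example (not the University's documentation); only the openssl CLI
# is used. Every name is a constructed placeholder; the CA is a stand-in.
set -e
WORK=$(mktemp -d)
# Service side: private key plus a CSR carrying all DNS names as SANs.
# Only the .csr file is sent to the CA; the .key file stays on the server.
make_csr() {  # $1 = primary host name, $2.. = extra SANs
  local host="$1"; shift
  local sans="DNS:$host"
  for s in "$@"; do sans="$sans,DNS:$s"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/C=GB/O=Placeholder Org/CN=$host" \
    -addext "subjectAltName=$sans" 2>/dev/null
  echo "$sans" > "$WORK/$host.sans"
  # Checks before submitting: the self-signature verifies and SANs are present.
  openssl req -in "$WORK/$host.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$WORK/$host.csr" -noout -text | grep -q "DNS:$host"
}

# Stand-in CA: root -> intermediate -> leaf, so the service gets back a
# signed certificate plus "other certificates", as the page describes.
sign_csr() {  # $1 = host name whose CSR to sign
  local host="$1" ca="$WORK/ca" ec="ec -pkeyopt ec_paramgen_curve:prime256v1"
  openssl req -x509 -new -newkey $ec -nodes -sha256 -days 30 \
    -keyout "$ca-root.key" -out "$ca-root.pem" -subj "/O=Placeholder Root CA" 2>/dev/null
  openssl req -new -newkey $ec -nodes -sha256 -keyout "$ca-int.key" \
    -out "$ca-int.csr" -subj "/O=Placeholder Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' > "$ca-int.ext"
  openssl x509 -req -in "$ca-int.csr" -CA "$ca-root.pem" -CAkey "$ca-root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$ca-int.ext" -out "$ca-int.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$(cat "$WORK/$host.sans")" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$ca-int.pem" -CAkey "$ca-int.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Chain handling: the leaf alone does not verify; the intermediate must be appended.
verify_chain() {  # $1 = host name; returns 0 only when the assembled chain verifies
  local host="$1" root="$WORK/ca-root.pem"
  if openssl verify -CAfile "$root" "$WORK/$host.crt" >/dev/null 2>&1; then
    return 1  # would mean the intermediate is not needed, which is not the case here
  fi
  cat "$WORK/$host.crt" "$WORK/ca-int.pem" > "$WORK/$host.fullchain.pem"
  openssl verify -CAfile "$root" -untrusted "$WORK/$host.fullchain.pem" "$WORK/$host.crt" >/dev/null 2>&1
}
make_csr svc.example.org www.svc.example.org
sign_csr svc.example.org
verify_chain svc.example.org && echo "chain verifies: $WORK/svc.example.org.fullchain.pem"
```

The same verify command, with the real CA's root in place of the placeholder, is the check to run against the bundle you receive before installing it.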
A University signed certificate will not come with the corresponding certificate authority certificate for validation, but this can be downloaded here.

Applying for a commercial certificate

To apply for a commercial certificate, contact the Certificate Authority directly: you will need to generate a certificate signing request and submit it to whichever Certificate Authority you choose for signing. You will need to procure and pay for that through standard University procurement processes.

This article was published on 2024-10-08