Requesting an InCommon SSL Certificate for your Website
(This page is largely deprecated and only relevant if you’re
configuring and managing your own webserver software. If you
use the web cluster TIG provides,
this is all done for you automatically and you don’t need to think
about it. And even if you do install and configure your own web server,
for most purposes, getting a LetsEncrypt certificate automatically
is a much better choice. If you’re using Apache, mod_md, which we
document here is easy to set up and does this
automatically. For other servers,
LetsEncrypt lists
lots of other tools
to get certificates automatically using the ACME protocol.)
CSAIL (and MIT) server certificates for use with https and other
protocols are obtained through the InCommon federation, a project of
EDUCAUSE, a trade association for universities. (They also operate the
.edu domain.)
Current requirements for server certificates are:
- 2048-bit RSA keys, or ECDSA keys using NIST P-256 (prime256v1) or P-384 (secp384r1) curve
- Common Name must be a valid existing host in the
csail.mit.edudomain - Additional names (for the
subjectAltNameextension) are allowed but must be specified out of band, before the request is submitted
To generate a new key and a new certificate-signing request:
$ umask 077
$ openssl req -new -newkey rsa:2048 -keyout <your hostname>.key -out <your hostname>.csr -nodes
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to '<your hostname>.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<your hostname>
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The only important field in the Distinguished Name is the Common Name, which must be the name of an existing host in the csail.mit.edu domain. All of the other fields of the DN are ignored, so you can just accept the defaults.
You should store the private key on the local disk of the server
machine; it should only be readable by the user ID under which your
server will be running. If at all possible, leave off the -nodes flag
and allow openssl to encrypt the private key for you. (Note that the
server will not be able to start automatically if you do this, since you
will have to enter a password whenever it is started.)
Store the certificate-signing request in an AFS directory that only you (or other authorized people in your group) have access to, and send a ticket to help@csail to request a certificate. Make sure to include in your request any other virtual-host names that may be used to contact this server.