Service Desk Knowledgebase: Certificates

From Computer Laboratory System Administration

This is the Certificates content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service, please feel free to add to the knowledge about it.

If CL staff need to tell the Service Desk team about problems with this service, please email sys-admin-aside@cl.cam.ac.uk.

Return to the Service Desk Knowledgebase SERVICE PORTFOLIO

Key Service Description & URLs

CL Customer Documentation

Further CL Sys-Admin Resources

Underpinning Services

  • None

Customer-base for this Service

  • All staff and research students of the Computer Laboratory

Costs

  • Free to all current staff and research students of the Computer Laboratory

SLA

  • N/A

Service Desk Call Handling Procedure

  • RT tickets can be escalated by changing the Queue to backoffice, setting the Owner to Nobody and the Status to new. Tell the requestor:
    I am passing this request over to the experts who, I'm sure, will be in contact shortly.

Certificate Requests

We should handle certificate requests and generate the CSR ourselves rather than ask users to do it: it is a bit fiddly and they often get the details wrong, resulting in too many iterations. Windows is easy for a single machine but difficult for requests with Subject Alternative Names (SANs) added.

Procedures are documented on the CL Wiki, using the email address sys-admin@cl.cam.ac.uk for any correspondence.

Note that the background process here is:

http://www.ucs.cam.ac.uk/tlscerts/

In the first instance you will receive a query such as:

 Hello,
 Please may you generate certificates for these CSRs?
 Thanks!

The request will look something like:


 -----BEGIN CERTIFICATE REQUEST-----
 MIIFRzCCAy8CAQAwgcMxCzAJBgNVBAYTAkdCMRcwFQYDVQQIEw5DYW1icmlkZ2Vz
 aGlyZTESMBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9m
 IENhbWJyaWRnZTEcMBoGA1UECxMTQ29tcHV0ZXIgTGFib3JhdG9yeTEgMB4GA1UE
 AxMXaHVza3kwLmR0Zy5jbC5jYW0uYWMudWsxJTAjBgkqhkiG9w0BCQEWFmR0Zy1p
 bmZyYUBjbC5jYW0uYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
 AQDDgMRh0trx7ntxL9jC+XEhDbJ9qnCGvmMburDTf2bUEX4sED5z3jyu/Ld+IDmO
 eWWF0qeqfahSqt2kC//pa03cZNxRQIaR7F0cMJJA+JQkQE77YUKMZIF6PXbqScQq
 GKA6M5tnxT3LfiIKvB89TPIL+mH5EM7h4M6JlcbSbKm23zsUfghWLSuM+vsn9oOL
 9ZkAwcq/wz6W2WjafTkB5SrKMZprAnSP4rM6D5d/+n1Yw5lGnZ6Oib0AS0Z2nTw0
 3f0CBpcIpR5ktXD9hwcuZ6RZoUQeGavOb+OCNVJXUzvXw9NyAobqgXSvoJyHFlzw
 LbhtC/YrxsK/dhFnSZ47RE7HJGc9+fJYzYjz2/GeyuIbe1slT7oXXUa4UyckgW96
 pw17pCqhHS3aBip2H33X81A4z6i/ZTZYrH/timzCkouuaZocYf417LLZ0ZSnapGZ
 mr0OdvvpZojW8I2TMg2I3XrNLOc1sUI7/rl5NKRB35L4/+tKGw/IMMo+ttbbZgDp
 6ab+6mtex/xGToX4ttjoYsQm1KyqAjV7LZwI4ep1VIMQ29q74pVD3DPA3uhBV4ks
 vEZfoUhKGmddg1pk55qbtU2eHgoZw7geAabN2V1kNV8RthVx2aW5Tr4UiAdv4GPj
 4SeFFNBeRa4gQWjnXfnwjPrfPHC5KdnHk1CQ63+azuifnwIDAQABoD4wPAYJKoZI
 hvcNAQkOMS8wLTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFIDATBgNVHSUEDDAKBggr
 BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAaZRtdE7qOdhrmoRBURUSo0ptMScI
 j5iyowWnEsE6gf1vX7DpkdQoTYy058naDCzjsQNy6RI7Zs5zGUiBnPSZGIuOGiom
 4yEd2aFjiBJM4/JgBdeGEa2k0VecM6uLVVR+pVhWqT10zOYxGxyCGmB6+v4mzy6k
 6pBIDgHgyxhfEbOYqlbeVtqlU2i0+OlC4KPH5nP4puaTEP1FGzCmTHPExv1oNTt3
 fkiFLxIAPardDY+nosjxpfrkVSaoouoJwvlJdTfG5g4rCnO+0QynKLxjpiR939ap
 G1GIfMdnGW14eO2jgRyR2iyk1Bj428GsTOiExlmGubhohIZDqxNmgpNOZhqx/9Nw
 JWT3MvFy6ztu0aRCBPSqnhtdfExMML7fmgIa1emrW8HUXPU0MgBaOfjs1nmkacaD
 qS6rmSLYJQ9BgDzG3wWdZx7ClW003MQfPuCU1fqKvii1UMp+MVIbGbEhDIrmKahD
 SrqIRiFpzVAud8BX6AmodrQE9vcLUYknBYFU8or3w8fV3eZJydAsBlhFnCOTxtYp
 sJdDSMzLbYJ2l6pXS1JoONpRiOWWvhtKUcKonCEdCdOlMAzDVBB3PNn7/FbR+huC
 wg3wYNIQMKgGSA5cbZxQ151aEF0I4d5/0Pvrg+zu3N3+TBkjW0xcMj4XzV+TgayJ
 FPQ7aLi2YKkUfLQ=
 -----END CERTIFICATE REQUEST-----
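
Because the page's advice is to check the details before anything is submitted, here is an added example (not the CL wiki's or the UIS's own tooling) that decodes a CSR such as the one above using only the Python standard library and reports the subject DN, the RSA key size and any requested SANs. It assumes an RSA key, as the requests on this page are; the `mismatches` helper and its 2048-bit minimum are assumptions made for this example, not a UIS rule.

```python
"""Inspect a PKCS#10 certificate signing request with only the standard library.

Added example; not the CL wiki's or UIS's own tooling.  It decodes the CSR
far enough to report the subject DN, the RSA key size and any requested
Subject Alternative Names, so the Service Desk can confirm the details
against the requestor's email before submitting the request.  Assumes an
RSA key (the requests on this page are 4096-bit RSA); other keys are rejected.
"""
import base64
import re
import sys

# Attribute-type OIDs that appear in a subject DN (dotted form -> short name).
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
}
OID_RSA = "1.2.840.113549.1.1.1"        # rsaEncryption
OID_EXT_REQ = "1.2.840.113549.1.9.14"   # pkcs-9 extensionRequest attribute
OID_SAN = "2.5.29.17"                   # id-ce-subjectAltName
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-*", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal text."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)        # base-128; high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_csr(pem):
    """Return {'subject': [(name, value), ...], 'key_bits': int, 'sans': [dNSName, ...]}."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert_req, _ = _tlv(der, 0)                 # CertificationRequest SEQUENCE
    _, cri = next(_children(cert_req))            # certificationRequestInfo
    fields = list(_children(cri))                 # version, subject, subjectPKInfo, [0] attributes

    subject = []
    for _, rdn in _children(fields[1][1]):        # Name is a SEQUENCE of SET ...
        for _, atv in _children(rdn):             # ... of SEQUENCE { type OID, value }
            (_, oid), (_, text) = _children(atv)
            dotted = _oid(oid)
            subject.append((OID_NAMES.get(dotted, dotted), text.decode("utf-8")))

    (_, alg), (_, bits) = _children(fields[2][1]) # AlgorithmIdentifier, BIT STRING
    (_, alg_oid), *_ = _children(alg)
    if _oid(alg_oid) != OID_RSA:
        raise ValueError("only RSA public keys are handled here")
    _, rsa_key, _ = _tlv(bits, 1)                 # skip the BIT STRING's unused-bits byte
    _, modulus = next(_children(rsa_key))         # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    key_bits = int.from_bytes(modulus, "big").bit_length()

    sans = []
    attrs = fields[3][1] if len(fields) > 3 else b""
    for _, attr in _children(attrs):              # Attribute ::= SEQUENCE { type, SET OF value }
        (_, attr_oid), (_, values) = _children(attr)
        if _oid(attr_oid) != OID_EXT_REQ:
            continue
        for _, exts in _children(values):         # the SET holds one Extensions SEQUENCE
            for _, ext in _children(exts):        # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
                items = list(_children(ext))
                if _oid(items[0][1]) == OID_SAN:
                    _, names, _ = _tlv(items[-1][1], 0)   # GeneralNames inside the OCTET STRING
                    sans += [n.decode("ascii") for t, n in _children(names) if t == 0x82]  # [2] dNSName
    return {"subject": subject, "key_bits": key_bits, "sans": sans}


def mismatches(parsed, expected_subject, min_key_bits=2048):
    """Compare a parsed CSR with what the requestor asked for; return (field, got, wanted) problems."""
    got = dict(parsed["subject"])
    problems = [(k, got.get(k), v) for k, v in expected_subject.items() if got.get(k) != v]
    if parsed["key_bits"] < min_key_bits:
        problems.append(("key_bits", parsed["key_bits"], f">= {min_key_bits}"))
    return problems


if __name__ == "__main__":
    # Usage: python csr_check.py request.csr   (prints the decoded fields)
    with open(sys.argv[1]) as f:
        info = parse_csr(f.read())
    print("Subject:", ", ".join(f"{k}={v}" for k, v in info["subject"]))
    print("Key bits:", info["key_bits"])
    print("SANs:", info["sans"] or "(none requested)")
```

Run against the request above it reports the subject shown in the UIS confirmation further down the page, a 4096-bit key and no SANs, which is exactly the point to confirm with the requestor before registering a request that should have covered several host names.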


Reply to requestor to clarify what is needed:

 Hello Ollie,
      Happy to get these processed for you but just need to clarify a couple of points.
   1. Which server type do you require these for?
      Apache
      Tomcat
      Microsoft IIS5
      Microsoft IIS6
      Microsoft IIS7
      VPN device
      SSL device
      Web logic
      IBM Websphere
      Lansa
      Other
   2. Can you state which certificate you require, please?
      Standard QuoVadis Certificate (OV)
      QuoVadis Wildcard Certificate (recharged at cost)
      QuoVadis Extended Validation (EV) Certificate


Once the requestor has replied with the information required, go here to register your certificates:

https://tlscerts.uis.cam.ac.uk/

Take the confirmation, which looks like:

 Submitted by R.J. Taylor (rjt58) at 18 Nov 2015, 4:10 p.m.
 And other info:
 Certificate request content:
 Country/Region: GB
 State/Province: Cambridgeshire
 City/Locality: Cambridge
 Organization: University of Cambridge
 Organizational Unit: Computer Laboratory
 Common Name: husky0.dtg.cl.cam.ac.uk
 Email address: dtg-infra@cl.cam.ac.uk
 Key length: 4096

and paste it onto the ticket to record what has been done.


Then, when the certificate is approved, send the user a reply and give them this link for guidance:

http://www.ucs.cam.ac.uk/tlscerts/deploying

Then you can download the certificates and forward them as attachments in email to the requestor.


Link the tickets sent from the certificate provider as children of the original request.


Thanks

Rob

And after the private key is created:

1. Copy the private key file (.pem) to the requestor's home directory, adding the date to avoid filename clashes, using:
 sudo cp cdn-dtg.pem /homes/ipd21/2015-02-16.cdn-dtg.pem

2. Make sure only that person can read it, as it is this file that proves the site is what it claims to be, using:
 sudo chmod 600 /homes/ipd21/2015-02-16.cdn-dtg.pem
then
 sudo chown ipd21:ipd21 /homes/ipd21/2015-02-16.cdn-dtg.pem

3. In the RT ticket, tell the person it is there and that we'll pass on the certificate when we have it from the UIS.

4. Pass on the certificate to the requestor when it arrives from the UIS into RT.

Contacts

Primary


Other

Availability

  • N/A

Hints, Tips & Known Issues

Janet Certificate Service: SSL certificate expiry notice for ServerName

Graham Titmus (27/01/15)

You may receive email from JANET warning that a certificate is due to expire shortly. However, certificates are often replaced early. Check the certificate by browsing to the web server in IE, clicking the padlock next to the URL and viewing the certificate to check the expiry date. If it's later than JANET thinks, the ticket can be Resolved with an appropriate comment. If it is due to expire soon, follow the escalation route.
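
The same check done from the command line, as an added example that is not part of the wiki entry above or of any JANET tooling: it fetches the certificate the server actually serves and compares its expiry with the date quoted in the notice, returning the action the entry describes. The sample certificate dictionary is constructed for illustration, and the 30-day "soon" threshold is an assumption made here, not one the wiki states.

```python
"""Check the expiry date of the certificate a web server actually serves.

Added example; not part of the CL wiki page or any JANET tooling.  It
fetches the live certificate over TLS and compares its notAfter date with
the expiry date quoted in a JANET notice, so the notice can be resolved
or escalated without opening the site in a browser.  The 30-day "soon"
threshold is an assumption made here; the wiki does not define one.
"""
import socket
import ssl
from datetime import datetime, timezone

SOON_DAYS = 30  # assumed threshold for "due to expire soon"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the host name and dates are made up for illustration only.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.cl.cam.ac.uk"),),),
    "notBefore": "Nov 18 16:10:00 2015 GMT",
    "notAfter": "Nov 18 16:10:00 2016 GMT",
}


def parse_cert_time(text):
    """Turn a getpeercert() date such as 'Nov 18 16:10:00 2016 GMT' into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)


def fetch_peercert(host, port=443, timeout=10):
    """Return the leaf certificate the server presents, as a getpeercert() dict.

    The default context verifies the chain and host name, so a certificate
    that fails validation raises ssl.SSLCertVerificationError instead of
    being reported as if it were fine.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def expiry(cert):
    """notAfter of a getpeercert() dict as an aware UTC datetime."""
    return parse_cert_time(cert["notAfter"])


def notice_outcome(cert, notice_expiry, now=None):
    """Map a JANET expiry notice onto the ticket action the wiki describes.

    'resolve'  - the served certificate outlives the date in the notice, so it
                 has already been replaced; resolve the ticket with a comment
    'escalate' - the served certificate is the expiring one and has SOON_DAYS
                 or fewer left; follow the escalation route
    'monitor'  - the served certificate is the expiring one but is not yet due
    """
    now = now or datetime.now(timezone.utc)
    served = expiry(cert)
    if served > notice_expiry:
        return "resolve"
    return "escalate" if (served - now).days <= SOON_DAYS else "monitor"


if __name__ == "__main__":
    import sys
    # Usage: python cert_expiry.py host "Nov 18 16:10:00 2016 GMT"
    host, notice = sys.argv[1], parse_cert_time(sys.argv[2])
    live = fetch_peercert(host)
    print("served certificate expires", expiry(live).isoformat())
    print("action:", notice_outcome(live, notice))
```

Because `ssl.create_default_context()` verifies the chain, a server whose certificate has already lapsed shows up as a verification error rather than a date, which is itself the answer to the notice.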


Categorising Keywords

  • A categorization or service type