Service Desk Knowledgebase: Certificates: Difference between revisions

From Computer Laboratory System Administration
 
(16 intermediate revisions by one other user not shown)


==Service Desk Call Handling Procedure==
* [https://rt.cl.cam.ac.uk RT] tickets can be escalated to the Sys Admin team by leaving the '''Queue''' as '''sys-admin''' with the '''Owner''' set to '''Nobody''' and the '''Status''' set to '''new'''.
* [http://helpdesk.csx.cam.ac.uk/ RT] tickets can be escalated by changing the '''Queue''' to '''backoffice''' with the '''Owner''' set to '''Nobody''' and the '''Status''' set to '''new'''. Tell the requestor:<br /> ''I am passing this request over to the experts who, I'm sure, will be in contact shortly.''
 
===Certificate Requests===
 
 
 
We should handle certificate requests and generate the CSR ourselves rather than ask users to do it: it is a bit fiddly and they often get the details wrong, resulting in too many iterations. Windows is easy for a single machine but difficult for requests with Subject Alternative Names ('''SAN'''s) added.
 
Procedures are documented on [http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Software/Certificates the CL WiKi]
using the email address '''sys-admin@cl.cam.ac.uk''' for any correspondence.
 
Note that the background process here is:
 
http://www.ucs.cam.ac.uk/tlscerts/
 
In the first instance you will receive a query such as:
 
  Hello,
  Please may you generate certificates for these CSRs?
  Thanks!
 
The request will look something like:
 
 
 
  -----BEGIN CERTIFICATE REQUEST-----
  MIIFRzCCAy8CAQAwgcMxCzAJBgNVBAYTAkdCMRcwFQYDVQQIEw5DYW1icmlkZ2Vz
  aGlyZTESMBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9m
  IENhbWJyaWRnZTEcMBoGA1UECxMTQ29tcHV0ZXIgTGFib3JhdG9yeTEgMB4GA1UE
  AxMXaHVza3kwLmR0Zy5jbC5jYW0uYWMudWsxJTAjBgkqhkiG9w0BCQEWFmR0Zy1p
  bmZyYUBjbC5jYW0uYWMudWswggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
  AQDDgMRh0trx7ntxL9jC+XEhDbJ9qnCGvmMburDTf2bUEX4sED5z3jyu/Ld+IDmO
  eWWF0qeqfahSqt2kC//pa03cZNxRQIaR7F0cMJJA+JQkQE77YUKMZIF6PXbqScQq
  GKA6M5tnxT3LfiIKvB89TPIL+mH5EM7h4M6JlcbSbKm23zsUfghWLSuM+vsn9oOL
  9ZkAwcq/wz6W2WjafTkB5SrKMZprAnSP4rM6D5d/+n1Yw5lGnZ6Oib0AS0Z2nTw0
  3f0CBpcIpR5ktXD9hwcuZ6RZoUQeGavOb+OCNVJXUzvXw9NyAobqgXSvoJyHFlzw
  LbhtC/YrxsK/dhFnSZ47RE7HJGc9+fJYzYjz2/GeyuIbe1slT7oXXUa4UyckgW96
  pw17pCqhHS3aBip2H33X81A4z6i/ZTZYrH/timzCkouuaZocYf417LLZ0ZSnapGZ
  mr0OdvvpZojW8I2TMg2I3XrNLOc1sUI7/rl5NKRB35L4/+tKGw/IMMo+ttbbZgDp
  6ab+6mtex/xGToX4ttjoYsQm1KyqAjV7LZwI4ep1VIMQ29q74pVD3DPA3uhBV4ks
  vEZfoUhKGmddg1pk55qbtU2eHgoZw7geAabN2V1kNV8RthVx2aW5Tr4UiAdv4GPj
  4SeFFNBeRa4gQWjnXfnwjPrfPHC5KdnHk1CQ63+azuifnwIDAQABoD4wPAYJKoZI
  hvcNAQkOMS8wLTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFIDATBgNVHSUEDDAKBggr
  BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAaZRtdE7qOdhrmoRBURUSo0ptMScI
  j5iyowWnEsE6gf1vX7DpkdQoTYy058naDCzjsQNy6RI7Zs5zGUiBnPSZGIuOGiom
  4yEd2aFjiBJM4/JgBdeGEa2k0VecM6uLVVR+pVhWqT10zOYxGxyCGmB6+v4mzy6k
  6pBIDgHgyxhfEbOYqlbeVtqlU2i0+OlC4KPH5nP4puaTEP1FGzCmTHPExv1oNTt3
  fkiFLxIAPardDY+nosjxpfrkVSaoouoJwvlJdTfG5g4rCnO+0QynKLxjpiR939ap
  G1GIfMdnGW14eO2jgRyR2iyk1Bj428GsTOiExlmGubhohIZDqxNmgpNOZhqx/9Nw
  JWT3MvFy6ztu0aRCBPSqnhtdfExMML7fmgIa1emrW8HUXPU0MgBaOfjs1nmkacaD
  qS6rmSLYJQ9BgDzG3wWdZx7ClW003MQfPuCU1fqKvii1UMp+MVIbGbEhDIrmKahD
  SrqIRiFpzVAud8BX6AmodrQE9vcLUYknBYFU8or3w8fV3eZJydAsBlhFnCOTxtYp
  sJdDSMzLbYJ2l6pXS1JoONpRiOWWvhtKUcKonCEdCdOlMAzDVBB3PNn7/FbR+huC
  wg3wYNIQMKgGSA5cbZxQ151aEF0I4d5/0Pvrg+zu3N3+TBkjW0xcMj4XzV+TgayJ
  FPQ7aLi2YKkUfLQ=
  -----END CERTIFICATE REQUEST--
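Before a CSR like the one above is registered, it is worth checking what it actually says, since the Common Name, key length and any SANs are what the requestor gets back. The following script is an added example, not part of this wiki page's procedure; it assumes openssl is on the PATH and a PEM-format CSR file, and the function names (csr_cn, csr_key_bits, csr_sans, csr_check) are the example's own.

```shell
#!/bin/sh
# csr_check.sh (added example): summarise a PEM CSR so its contents can be
# compared with what the requestor asked for before it is registered.
# Assumes openssl is on the PATH. Function names are the example's own.
set -eu

# Common Name from the subject. Handles both "CN = x, ..." (OpenSSL 1.1+)
# and "/CN=x/..." (OpenSSL 1.0) subject formats.
csr_cn() {
    openssl req -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# RSA modulus size in bits, e.g. 4096 for the request shown above.
csr_key_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject Alternative Names, if the CSR requests any (the fiddly case).
# Prints the "DNS:a, DNS:b" line that follows the extension header, or nothing.
csr_sans() {
    openssl req -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# csr_check REQUEST.csr EXPECTED_CN EXPECTED_BITS
# Prints a one-line summary for the ticket; fails if CN or key size differ.
csr_check() {
    cn=$(csr_cn "$1"); bits=$(csr_key_bits "$1"); sans=$(csr_sans "$1")
    printf 'CN=%s key=%s bits SAN=%s\n' "$cn" "$bits" "${sans:-none}"
    [ "$cn" = "$2" ] || { echo "CN mismatch: CSR has $cn, expected $2" >&2; return 1; }
    [ "$bits" = "$3" ] || { echo "key length mismatch: CSR has $bits, expected $3" >&2; return 1; }
}

# Usage: sh csr_check.sh request.csr husky0.dtg.cl.cam.ac.uk 4096
if [ $# -ge 3 ]; then csr_check "$1" "$2" "$3"; fi
```

The summary line is what to paste onto the ticket alongside the confirmation from the UIS service.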
 
 
Reply to requestor to clarify what is needed:
 
  Hello Ollie,
  Happy to get these processed for you but just need to clarify a couple of points.
  1. I need to update which servers you require these for?
     Apache
     Tomcat
     Microsoft IIS5
     Microsoft IIS6
     Microsoft IIS7
     VPN device
     SSL device
     Web logic
     IBM Websphere
     Lansa
     Other
  2. Can you state which certificate you require please?
     Standard QuoVadis Certificate (OV)
     QuoVadis Wildcard Certificate (recharged at cost)
     QuoVadis Extended Validation (EV) Certificate
 
 
Once the requestor has replied with the information required, register the certificates here:
 
https://tlscerts.uis.cam.ac.uk/
 
Take the confirmation:
 
  Submitted by R.J. Taylor (rjt58) at 18 Nov 2015, 4:10 p.m.
  And other info:
  Certificate request content:
 
  Country/Region: GB
  State/Province: Cambridgeshire
  City/Locality: Cambridge
  Organization: University of Cambridge
  Organizational Unit: Computer Laboratory
  Common Name: husky0.dtg.cl.cam.ac.uk
  Email address: dtg-infra@cl.cam.ac.uk
  Key length: 4096
 
And paste this onto the ticket to record what has been done.
 
 
Then, when the certificate is approved, send the user a reply and give them this link for guidance:
 
http://www.ucs.cam.ac.uk/tlscerts/deploying
 
Then you can download the certificates and forward them to the requestor as email attachments.
 
 
Link the tickets sent from the certificate provider as children of the original request.
 
 
 
Thanks
 
Rob
 
And after the private key is created:
 
1. Copy the private key file ('''.pem''') to the requestor's home directory, adding the date to avoid filename clashes, using:<br />
'''sudo cp <font color="red">cdn-dtg</font>.pem /homes/<font color="red">ipd21</font>/<font color="red">2015-02-16.cdn-dtg</font>.pem'''
 
2. Make sure only that person can read it, since this file is what proves that the site is what it claims to be, using:<br />
'''sudo chmod 600 /homes/<font color="red">ipd21</font>/<font color="red">2015-02-16.cdn-dtg</font>.pem''' <br />
then<br />
'''sudo chown <font color="red">ipd21</font>:<font color="red">ipd21</font> /homes/<font color="red">ipd21</font>/<font color="red">2015-02-16.cdn-dtg</font>.pem '''
 
3. In the RT ticket tell the person it is there and that we'll pass on the certificate when we have it from the UIS.
 
4. Pass on the certificate to the requestor when it arrives from the UIS into RT.
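Steps 1 and 2 as one script, added here as an example rather than taken from the CL WiKi procedure: it assumes home directories live under /homes (overridable with HOMES_ROOT), and the function names install_private_key and key_is_private are the example's own. It goes slightly beyond the steps above by refusing to overwrite an existing dated file and by rejecting a file that is not a PEM private key (a CSR pasted in by mistake, for instance).

```shell
#!/bin/sh
# install_key.sh (added example): steps 1 and 2 above as one script.
# Assumes home directories live under /homes (override with HOMES_ROOT).
# chown needs root, so it is only attempted when running as root.
set -eu
HOMES_ROOT=${HOMES_ROOT:-/homes}

# install_private_key KEYFILE USER [DATE]  -> prints the installed path
install_private_key() {
    key=$1; user=$2; date=${3:-$(date +%Y-%m-%d)}
    # Refuse anything that is not a PEM private key (e.g. a CSR by mistake)
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "$key does not look like a PEM private key" >&2; return 1; }
    [ -d "$HOMES_ROOT/$user" ] || { echo "no home directory for $user" >&2; return 1; }
    dest="$HOMES_ROOT/$user/$date.$(basename "$key")"
    # The date prefix exists to avoid clashes, so never silently overwrite
    [ ! -e "$dest" ] || { echo "$dest already exists, not overwriting" >&2; return 1; }
    # Create the copy already restricted: no window where others can read it
    (umask 077 && cp "$key" "$dest")
    chmod 600 "$dest"
    if [ "$(id -u)" -eq 0 ]; then chown "$user:$user" "$dest"; fi
    printf '%s\n' "$dest"
}

# key_is_private USER FILE: succeeds only if FILE is mode 600 and owned by USER
key_is_private() {
    [ -n "$(find "$2" -user "$1" -perm 600 -print)" ]
}

# Usage: sudo sh install_key.sh cdn-dtg.pem ipd21 2015-02-16
if [ $# -ge 2 ]; then install_private_key "$1" "$2" "${3:-}"; fi
```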



Latest revision as of 15:16, 23 November 2015


This is the Certificates content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service, please feel free to add to the knowledge about it.

If CL staff need to tell the Service Desk team about problems with this service please email
sys-admin-aside@cl.cam.ac.uk.


Key Service Description & URLs

CL Customer Documentation

Further CL Sys-Admin Resources

Underpinning Services

  • None

Customer-base for this Service

  • All staff and research students of the Computer Laboratory

Costs

  • Free to all current staff and research students of the Computer Laboratory

SLA

  • N/A


Contacts

Primary


Other

Availability

  • N/A

Hints, Tips & Known Issues

Janet Certificate Service: SSL certificate expiry notice for ServerName

Graham Titmus (27/01/15)

You may receive email from JANET warning that a certificate is due to expire shortly. However, certificates are often replaced early. Check the certificate using IE to the web server: click the padlock next to the URL and view the certificate to check the expiry date. If it's later than JANET thinks, the ticket can be Resolved with an appropriate comment. If it is due to expire soon, follow the escalation route.


Categorising Keywords

  • A categorization or service type