University of Minnesota SSL Certificates Frequently Asked Questions

By Chris Bongaarts <cab@tc.umn.edu>
Version 1.6
5 May 2006

The University of Minnesota participates in Thawte's Starter PKI program, in which we (Internet Services) approve certificates that Thawte then issues.

How do I request a new certificate?
At this time, you must send your request to us at sslcerts@umn.edu. Please include the following information: For the future, you should get a Thawte ID and send it to us at sslcerts@umn.edu so we can add you as a Technical Officer. Then you can submit your own certificate requests using Thawte's SPKI interface.

How do I request renewal of a certificate?
For some reason, Thawte does not send expiration warnings to the cert contacts; they send them to the SPKI account contact (i.e. me). I take these warnings and forward them on to the technical contact for that certificate.

At this time, you must send your renewal request to us (sslcerts@umn.edu) unless you have been registered as a Technical Officer with Thawte (see previous answer). If possible, please include the order number (USUNIV####). Depending on your server software, I might have to ask you to send me a new CSR. IIS users will definitely have to do this; Apache and WebSTAR users apparently do not. Be sure to keep all the details (e.g. organizationalUnitName (OU)) exactly the same as the original certificate. Often, the server manager software will have an option to specifically create a "renewal" CSR.

How do I generate a private key and Certificate Signing Request?
Consult the documentation for your server software, as this process is specific to the server you're running. Thawte also has instructions for most of the servers they support.

My server has a "real" name; it's "oscar.meyer.umn.edu". My server also has an alias, it's "www.meyer.umn.edu". Which one should I use as the server name (commonName or CN) in my certificate request?
To prevent client browser warnings, you should use the name that users (and any links that refer to the site) will be actually using. In this case, you should probably use the "www.meyer.umn.edu" name.

When generating the certificate, my server asks me all kinds of embarrassing questions. How should I answer?
Because Thawte is making certain legal representations that the certificates they're issuing are valid, they require several of the fields in the Distinguished Name (DN) of the certificate to have certain values. They must be set exactly as they appear here; the slightest spelling or capitalization difference will prevent us from issuing your cert. Here's the list of required fields; note that even coordinate campuses must use these values: You can have zero or more organizationalUnitNames (OU) in your request. We recommend you put a department or coordinate campus name in this field. We further recommend that you spell out any abbreviations, especially if your site will be used by people outside your area. For example, use "OU=College of Liberal Arts", not "OU=CLA". You can have more than one OU field if you like.
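As an added illustration (not part of this FAQ, and not Thawte's or the University's own tooling), the following POSIX shell script generates a private key and CSR with OpenSSL and checks the point made in the renewal answer above: a renewal CSR must carry a subject DN identical to the certificate it replaces. C/ST/L/O hold placeholders where the program's required values belong; the OU "College of Liberal Arts" and the name www.meyer.umn.edu are the FAQ's own examples, and openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the FAQ. Generates an RSA key and CSR with OpenSSL
# and checks that a renewal CSR carries exactly the subject DN of the cert it
# replaces. C/ST/L/O hold placeholders: substitute the program's required
# values. OU and CN are the FAQ's own examples.
set -e

SUBJ="/C=US/ST=STATE_PLACEHOLDER/L=CITY_PLACEHOLDER/O=ORG_PLACEHOLDER/OU=College of Liberal Arts/CN=www.meyer.umn.edu"

# gen_csr KEYFILE CSRFILE: new 2048-bit RSA key (unencrypted, -nodes) plus a
# CSR whose subject is $SUBJ. The key stays on the server; only the CSR is
# sent in for approval.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$SUBJ" >/dev/null 2>&1
}

# csr_subject CSRFILE: the CSR's subject DN in RFC 2253 form, e.g.
# CN=www.meyer.umn.edu,OU=College of Liberal Arts,O=...
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_subject CERTFILE: an issued certificate's subject DN, same form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# renewal_matches CERTFILE CSRFILE: succeeds only when the two DNs are
# byte-for-byte identical; "OU=CLA" in place of "OU=College of Liberal Arts"
# or a capitalization change fails, which is what the renewal answer warns about.
renewal_matches() {
    [ "$(cert_subject "$1")" = "$(csr_subject "$2")" ]
}

# Demo: create a key and CSR in a scratch directory and show the DN that
# would be submitted.
WORK=$(mktemp -d)
gen_csr "$WORK/server.key" "$WORK/server.csr"
echo "CSR subject: $(csr_subject "$WORK/server.csr")"
```

Before sending a renewal request, run renewal_matches against the currently installed certificate and the new CSR; a non-zero exit means some DN component differs and the request will be bounced.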

Are you my technical contact?
No, I'm not; YOU are. Thawte sends email to the technical contact when the cert is ready. There's not much point in having them e-mail me when you are the one who wants to install the cert, right?

Am I the authorizing contact too?
Usually not. The authorizing contact is the person who has the authority to let you use the server name that you're using. At the University, this is usually someone at a dean, department head or director level.

Heh heh heh. Since I checked "Enterprise Account" for payment method, that means you're picking up the tab, right?
After applying for the cert, feel free to send mail to <sslcerts@umn.edu> with the CUFS number to charge the certificate to. If you don't, we'll email or call you to find out what it is. Our financial folks tell me that "the object code needs to be set up for 7330", and that your financial folks will know what that means.

What happens after I click the final "submit" on Thawte's form?
When you submit your request, Thawte sends email to us saying there is a new cert to approve. After checking it over for correctness and validating the contacts, we tell Thawte to go ahead and issue it. They will issue the certificate in "about an hour" and email the technical contact when it is ready to pick up.

When I try to pick up my newly issued cert, it asks me for a password. What is it?
It's a security mechanism based on the concept of having a "shared secret" between parties in the form of a word (or more recently, a sequence of letters, numbers, or other symbols). But that's not important right now.

Thawte has the concept of a "privacy password" associated with certificate requests that would prevent other people from accessing your certificate. In most cases, this is not necessary, since anyone who is able to connect to the web server you're putting this on can see it. The only cases I can see where this would be valuable are (1) you're using the cert to secure a site that is not accessible to the Internet in general (but then, why are you wasting your money on a cert from a worldwide CA?) or (2) you're a company about to launch a new site and you need to keep the name a secret for competitive reasons.

For some reason, Thawte has decided that all cert requests MUST have this password, and they don't give us an easy way to set it. The solution is to try to pick up the cert, and there should be an option to have a random password set and emailed to the authorizing and/or tech contact.

Can I get a developer certificate to sign my nifty-keen Java applets?
We are now able to provide these kinds of certificates. They have some important differences from regular certs, and there are several varieties. See Thawte's Code Signing Cert documentation (choose "which certificate to choose" from the left-hand menu) for all the details. As far as I can tell, we can only issue Javasoft SDK signing certs at this time, since they are the only ones that use a CSR instead of directly accessing your browser. Because we issue so few of these, we do not keep issuance credits "in stock", so expect up to a week or two delay for processing these.

How much do the certificates cost?
We only sell standard 1-year SSL server certificates. Prices are subject to change. Prices before January 1, 2008. Prices effective January 1, 2008.

We set up a web site named "www.gopherbasketweavingrocks.com". Can we get an SSL certificate for it through this program?
We can add additional domains to the program, with two caveats. First, it takes a week or two to get it set up, as Thawte must verify that the domain is indeed affiliated with the University. Second, once a domain has been added to the program, it is no longer possible for certificates to be issued to that domain without going through us. Therefore, if you have a site named "www.uofmusedfleetcars.carsoup.com", we won't be able to issue a certificate through our program.

Can I get one of those 128-bit SuperCerts (also known as Server Gated Cryptography (SGC) certificates)?
No. First, only non-governmental agencies qualify for them according to the terms of Thawte's license. Second, it probably doesn't buy you much: all it does is allow export browsers, normally limited to 40 or 56 bit encryption by US export regulations, to use full 128-bit encryption. Unless you plan to do a lot of international business on your site, you're paying lots of extra money for nothing.

If you have further questions about SSL certificates or PKI in general, or if you just don't get the Oscar Meyer reference, send email to <sslcerts@umn.edu> and we will help you in any way we can. Also send any suggestions regarding this FAQ; its sole purpose is to make the certificate issuing process easier for you.