Page tree

University of Tartu IT wiki

In this guide, you can find instructions on how to order a web certificate for a domain name that belongs to the University of Tartu.

A web certificate is a cryptographic document that ensures a secure connection to a website. It is an important part of the HTTPS protocol that helps protect the privacy of website visitors and ensure the confidentiality of the data being transmitted.

You can order a web certificate for domain names issued by the University of Tartu. For more information, check Ordering web certificates for domain names.

Web certificates perform several functions:

  • Authentication: a certificate verifies the authenticity of a website by confirming that it really belongs to a specific organization or company
  • Data encryption: with the help of a web certificate, the web browser and the web server can establish an encrypted connection, which ensures that the transmitted data is encrypted and secure
  • Data integrity: the certificate also ensures that there are no unauthorized changes or violations in the transmitted data

Online certificates are issued by the respective authorized certification or CA authorities. These authorities verify the identity of website owners and issue certificates that meet specific standards. When a website uses a web certificate, the web browser will usually display a small green lock symbol to indicate that the connection is secure.

The use of web certificates is important for privacy and security on the web, and is especially important when a website collects users' personal information or where transactions involving financial or other sensitive information are conducted.

The University of Tartu uses two certification service providers to order certificates for websites, LetsEncrypt and Sectigo.

  • In the paid web hosting server webhost.ut.ee it is possible to choose both solutions, LetsEncrypt is set by default.
  • sisu.ut.ee uses only LetsEncrypt.
  • In all other cases, depending on your skill, you can set up either LetsEncrypt or order a certificate through IT helpdesk for Sectigo CA.
  • Webhost.ut.ee and sisu.ut.ee LetsEncrypt service is set up by ITO employees. Sectigo CA certificates are mostly ordered by ITO and HPC employees, but if there is a justified need, we create a Sectigo certificate ordering account for non-ITO UT employees as well.

You can order a certificate through the IT helpdesk requests portal here: https://jira.ut.ee/servicedesk/customer/portal/4/create/80.

LetsEncrypt

LetsEncrypt - a free service that requires the installation of a certificate renewal utility on the web server. This is necessary because LetsEncrypt only issues certificates with a validity period of a few months. The website must be open to the entire Internet to order and renew the certificate.

Detailed instructions can be found on the service provider's web portal.

Sectigo

NB! This section is only for those who have a valid Sectigo certificate ordering account.

The procurer of the service contract is GÉANT, it is managed to the University of Tartu by EENet operating under HTM. The Sectigo CA service is free for UT. Based on the current terms of service, Sectigo certificates may be ordered only for domain names registered in the name of the University of Tartu. The certificate is valid for a maximum of one year, it can be ordered both through the service provider's web portal and via the ACME protocol with certbot scripts.

  1. Log in to the Sectigo web portal and make sure that it is possible to order a certificate for the necessary second-level domain name in the portal:
    1. Three dashes in the upper left corner → Menu → Domains - displays a list of available 2LD domain names.
    2. If the required 2LD domain name is not in this directory, contact the IT helpdesk with a request to add it.
  2. To order a certificate, a key file and a certificate order file must be created.
  3. The Linux command line command is suitable for creating the key file:

    openssl genrsa -out <id>.key 2048

    <id> must be replaced with an identifying name, for example a domain name and the year of ordering, such as "www.ut.ee_2021". The command results in the file <id>.key.

  4. The following command is suitable for creating a certificate ordering file:

    openssl req -new -sha256 -key <id>.key -out <id>.csr -subj '/CN=<domeeninimi>'

    <id> is the same as when creating the key. The command results in the file <id>.csr

  5. Make sure the domain name is validated:
    1. Choose from the menu (three dashes in the upper left corner) → Domains → Make sure that the status of the required domain name is "VALIDATED".
  6. If the domain name is not validated, send a request to the IT helpdesk to validate the domain name.
  7. Choose from the menu (three dashes in the upper left corner):

    1. Certificates → SSL Certificates → "+" (upper right corner) → Using a Certificate Signing Request (CSR)Next.

  8. From the drop-down menu:

    1. Organization -> Tartu Ülikool

    2. Department -> The corresponding subdivision of the University of Tartu for which the certificate is ordered

    3. Certificate Profile -> "GÉANT OV SSL" or "GÉANT OV Multi-Domain", if the certificate covers more than one domain name

  9. Click Next.

  10. An area will appear where you can drag the previously created <id>.csr file with the mouse or copy the contents of this file as text.
  11. Click Next.

  12. For Multi-Domain, additional domain names can now be added to the "Subject Alternative Names" field.
  13. Click NextOK.

After some time, Sectigo CA will send an email with instructions on how to download the newly created certificate. If the e-mail has not arrived within an hour, then there is already a reason to contact IT helpdesk.

  1. To use Certbot, the Sectigo key files directory must be pre-configured in the letsencrypt directory.
    If it is not there, ask for it through the IT helpdesk.
  2. Certbot can be used to order certificates only for domain names validated in the Sectigo portal and allowed for script ordering.
    If you are unable to order the certificate, please report it to the IT helpdesk.
  3. Command line example for ordering a certificate:

    certbot certonly --standalone -d myweb.ut.ee

    As a result of this command, myweb.ut.ee certificate files are created in the letsencrypt directory tree. With the certbot command, you can instantly create certificates in the correct location and reload them on the web server. Sectigo ACME does not require the website to be active and available.

  4. It is worth noting that when ordering a certificate using certbot, Sectogo assumes that the order is performed by a script that runs periodically, so no relevant notifications are sent to the subscriber when the certificate's expiration date approaches.
  • No labels

This page has no comments.