Submit the CSR

To see how this inclusion page fits in with similar ones, perhaps see one of

Need note or new Include page here about OrganizationSSL versus IntranetSSL,

Submit the CSR to the Certificate Authority

IncludeCertSubmitCSR
To obtain an actual certificate, you must submit the CSR to the Certificate Authority (GlobalSign, http://www.globalsign.com/).

To get to the right web page, you need a particular URL which encodes a login session. I will not reproduce that here. Obtain it directly from e.g. someone in IST.

(Hint: the URL looks like https://system.globalsign.com/direct_en/directpv.do?domain=MAGIC where "MAGIC" is the special part which identifies you as University of Waterloo.)

As of about July, 2018, because of a GlobalSign server https certificate change, it seemed that the old
https://systemeu.globalsign.com/direct_en/directpv.do?domain=MAGIC
stopped working, and
https://system.globalsign.com/direct_en/directpv.do?domain=MAGIC
must be used in its place. That is, "systemeu" was replaced by "system".

Note that the included screenshots predate that change, however.

Here is a screenshot showing such a successful session, thereby indicating the top options and settings for a Certificate Request; note OrganizationSSL versus IntranetSSL choice:
Screenshot-2016-11-22-15-37-52.png

There is an option you must select to choose between a new certificate and a renewal. If GlobalSign has never signed a certificate for the particular host before, then you must choose the option for a new certificate. Otherwise, you can possibly choose "renewal". Note that, in the case of a renewal, the private key used for the CSR does not need to match the public key in the old certificate. That is, often when doing renewals you will keep the old private key (this has later implications which ease installation), but in fact the private key can be changed at renewal time. (As was actually necessary when GlobalSign began in 2011 requiring a minimum key size of 2048 bits.)

The following is a sample of a CSR which looks like what you need to cut-and-paste into the web page form (but don't actually use this sample!).

    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----

And here follows an example of an old certificate which looks like what you need to cut-and-paste into the web page form (but don't actually use this sample!).

    -----BEGIN CERTIFICATE-----
    MIIE+jCCA+KgAwIBAgILAQAAAAABKRmXjogwDQYJKoZIhvcNAQEFBQAwajEjMCEG
    A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
    bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
    b24gQ0EwHhcNMTAwNjA4MjEwNjA5WhcNMTEwODE2MTM0ODA5WjByMQswCQYDVQQG
    EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
    BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFGNzY2YuY3MudXdh
    dGVybG9vLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu9DAZcrz
    KtWx7GNsbKig6LqFtU1PDmL1S5JfhMz23J2ISLfMXHIrW+8H5rrT5UzC59u8eZO5
    YdO5dSllRtoOXYWfLaCz2+axONOQrN08av7S6+0uyYD8ioF6ZgoW2J4Xn0T/ruVQ
    we9fHavje6TkYE00qat1e+72YGX95FmiX3juzTrJ0HUKTCsMDS2JuvOU3z4xcyyH
    yO1vLZfmtRtkS13aOBWsb/Tf6WTjfxPR3FdMBauLSVEYEXUKBpuDMbOagN4CoBTq
    AbEfZo4rLcufaPFL2Sxcr+yVKOXpoTwG83YSpwM/NWf4+Y9CQ+2qfYQtWP8Xm3vg
    fZhGEUu6UCWWFwIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAUfW0q7Garp1E2qwJp
    8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAChi1odHRwOi8vc2Vj
    dXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQwPwYDVR0fBDgwNjA0
    oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdhbml6YXRpb25WYWwx
    LmNybDAdBgNVHQ4EFgQUfHNlksoZYTqu2nJYNBJK2APW+F4wCQYDVR0TBAIwADAO
    BgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEGCCsGAQUFBwMCBgor
    BgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYBBQUHAgEW
    JWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wEQYJYIZIAYb4
    QgEBBAQDAgbAMB8GA1UdEQQYMBaCFGNzY2YuY3MudXdhdGVybG9vLmNhMA0GCSqG
    SIb3DQEBBQUAA4IBAQBkFzKLz37xdXPbbspX4ST3NVd4a4ThH+qoDu2l1/7TsZ8J
    RDeDxQf4ckmPSYya9nJRNDAfF47o1P6hmfiw20CbPefKwHc5Tf+xdy1QTa0ivJtJ
    grmC2Cc74b6pe51MawEDD0N8qFjJjQENXlQ5MXoqbPsKER6I9H7pbZHvfqJG0UXE
    iQmieXQu0p+FxsKNOn+dyO9j6NKSL8l3Rr4H+tqLQK+fHvSeQKo1q11Q8soUM7Ql
    /3tVT/qLTzEy8QRkYRF9p+3ihQEIhyYFDD9JnSiLeOsQvxhAj+jEqdS+w15p3ORR
    /xbBgIXEOKKniB9CLXLKQuOTXMl2HxTWMSCubBAu
    -----END CERTIFICATE-----
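
Before pasting a CSR into the form, it can be checked locally against the points above: the 2048-bit minimum key size, and whether a renewal keeps or changes the key of the old certificate. This is an added example, not part of the original page; the function names, file names and the `host.example.test` subject are assumptions, and the demo keys are constructed throwaways.

```sh
# Pre-submission checks for a CSR. Added example: function names, file names
# and the host.example.test subject are assumptions, not from the page.

# Print the CSR's public key size in bits, e.g. 2048 (RSA sizes, as on the page).
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the CSR's self-signature verifies (catches a truncated paste).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed if the CSR carries the same public key as the old certificate,
# i.e. the renewal keeps the existing private key.
csr_matches_cert() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

check_csr() {   # usage: check_csr CSR [OLD_CERT]
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    csr_signature_ok "$1" || { echo "CSR signature does not verify"; return 1; }
    [ -n "${2:-}" ] || { echo "new request, ${bits}-bit key"; return 0; }
    if csr_matches_cert "$1" "$2"; then echo "renewal keeps the old key"
    else echo "renewal uses a new key"; fi
}

# Constructed demo material: throwaway keys, never used in production.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$1/old.key" -out "$1/same-key.csr" 2>/dev/null
    openssl req -x509 -new -key "$1/old.key" -days 1 \
        -subj "/CN=host.example.test" -out "$1/old.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$1/new.key" -out "$1/new-key.csr" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo"
check_csr "$demo/same-key.csr" "$demo/old.crt"
check_csr "$demo/new-key.csr" "$demo/old.crt"
rm -rf "$demo"
```
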

In addition to the CSR (and optionally the old certificate), the form requires 4 pieces of information:

  • First Name
  • Last Name
  • Telephone (inc. region code)
  • Email Address

For First and Last Name, enter your own (something IST will recognize).

For Email Address, CS should always use

No permission to view CFPrivate.EMailAddressCscfCerts

For the telephone number, I always use +1 519 888 4567 (in that format).

You must first click "Continue" to submit the page, then click "I Agree" to accept an Agreement (which is appended to the confirmation of details).

After the CSR has been so submitted to the Certificate Authority (http://www.globalsign.com/), they will contact University of Waterloo IST to verify the request (and arrange for payment).

Once the CSR has been submitted, it is of no further use and can be deleted.

I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.

After approval by IST, certificates will arrive by email.

-- AdrianPepper - 07 Mar 2011


Topic revision: r14 - 2018-08-01 - AdrianPepper
 