Sectigo SSL Certificates
The administrators at RENU will create an account for you, giving access to https://cert-manager.com/customer/UbuntuNet
Prerequisites
- Administrator account for access to https://cert-manager.com/customer/UbuntuNet
- OpenSSL on your local/working machine
- Validated entry for the domain (covered below). Email validation is the tested and easiest method; it requires access to one of the approved mailboxes for the domain, e.g. for utamu.ac.ug: admin@utamu.ac.ug or hostmaster@utamu.ac.ug
Registration and Validation of the domain
In order to create SSL certificates for websites, the domain must be registered and validated.
Create the Domain
- Log into the Cert Manager at https://cert-manager.com/customer/UbuntuNet
- Navigate to Settings > Domains > Delegations
- Click on the “+ Add” button
- Enter the name of the domain you want to register, e.g. *.utamu.ac.ug (for wildcard certificates)
- Add a description of what the website is used for
- In the subform below, choose the institution you belong to
- Click on the “OK” button
- This will now send an email out to the certificate administrators asking them to approve the domain request (You may need to be patient here).
Validate Domain
There are three options for domain control validation (DCV), which proves to Sectigo that you control the domain: Email, HTTP/HTTPS and CNAME. Here is how you start the validation process:
- Open the DCV interface by clicking “Settings > Domains > DCV”
- Select your domain and click on the “DCV” button that appears above to open the DCV wizard
- Choose one of the validation options
EMAIL
HTTP/S
CNAME
- The wizard will take you through the rest of the validation process. This process is known to take up to several hours if you are unlucky, so please be patient.
After creation and validation of the domain, it is time to apply for your first certificate.
Generate the CSR
Create a file called myserver.cnf (replacing myserver with the actual name of your server/website) with the following content (this is an edited version of the template and applies to utamu.ac.ug):
# OpenSSL configuration file for creating a CSR for a server certificate
# Adapt at least the COUNTRY, FQDN, ORGNAME and INSTITUTION lines, and then run
# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line.
# The fully qualified server (or service) name
# For wildcard certificates add a * in front of the domain. Use with care:
# one wildcard key is shared by every host that serves it, so compromising
# any one of those hosts exposes all names under the domain.
FQDN = *.utamu.ac.ug
# The two-letter ISO 3166-1 code of your country, e.g. UG
# See also https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
COUNTRY = UG
# The name of your NREN (e.g. RENU, MAREN, etc.)
# See also https://www.ubuntunet.net/members
ORGNAME = RENU
# Name of your institution/university, if applicable
INSTITUTION = Uganda Technology and Management University
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Browsers match against the SAN list, not
# the CN, so every name the service answers to must be listed here, and
# each name must lie within a domain that has been validated in Cert Manager.
# Note that a wildcard *.utamu.ac.ug does not cover the bare name
# utamu.ac.ug; add DNS:utamu.ac.ug if the site must answer there too.
ALTNAMES = DNS:$FQDN # , DNS:bar.example.org , DNS:www.foo.example.org
# — no modifications required below —
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = $COUNTRY
O = $ORGNAME
OU = $INSTITUTION
CN = $FQDN
[ req_ext ]
subjectAltName = $ALTNAMES
Then, after saving the myserver.cnf file, create the key pair and the CSR with the following commands:
$ umask 0377
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
This creates a 2048-bit RSA key pair, stores the private key in the file myserver.key and writes the CSR to the file myserver.csr. Because of encrypt_key = no, the private key is stored without a passphrase; that is why umask 0377 is run first, so that OpenSSL creates the key file owner-read-only (mode 0400) and no other local user can read it (on a non-UNIX system, use a directory with restrictive file ACLs or equivalent). Only myserver.csr is ever pasted into Cert Manager; the private key stays on the server that will use the certificate.
Submit CSR for Signing
- Log into the Sectigo Certificate Manager website at https://cert-manager.com/customer/UbuntuNet
- Navigate to ‘Certificates > SSL Certificates’ and click on the ‘+ Add’ button
- Choose your organization and Department (If applicable)
- Choose the type of certificate you want to request, e.g. 'Sectigo Enterprise Pro Wildcard' for the wildcard CSR generated above (for a single website or service, choose the corresponding non-wildcard type)
- Choose the desired life span of your certificate
- Select the software/application you will use the certificate for, eg. Apache/ModSSL
- Copy and paste the content of the CSR myserver.csr created above into the appropriate field
- The common name should be filled in automatically; just check that it shows the correct domain name
- Scroll down to the end of the Subscriber Agreement – maybe even reading it, if you are that kind of person – and tick the ‘I agree’ field
- Submit your request
- Your request will now be sent to an administrator for review. If everything is okay, they will approve it and you will get an email telling you that the certificate is ready for download.
Check the downloaded certificate (saved here as myserver.crt), and confirm that the subject, SANs and validity period are what you requested:
$ openssl x509 -in myserver.crt -text -noout
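The following script is an added example and not part of the original RENU page. It ties the two procedures above together: it writes a myserver.cnf in the layout shown, generates the key pair and CSR under umask 0377, and then runs the checks worth doing before pasting the CSR into Cert Manager and again after the certificate is downloaded (CSR signature, subject, SAN list, key size, key file permissions, and that the CSR and certificate carry the same public key as myserver.key). It assumes the openssl command-line tool is installed; the utamu.ac.ug names are the page's own example, the second SAN (the bare domain) is added to show a multi-name CSR, and the self-signed certificate at the end is only a stand-in for the one Sectigo will issue, so the key/certificate comparison can be demonstrated offline. The function names (pubkey_fp, csr_sans and so on) are this example's, not OpenSSL's.

```shell
#!/bin/sh
# Added example (not from the original RENU page): generate key + CSR from a
# myserver.cnf in the page's layout, then verify what the CA will see.
# Assumes the openssl CLI is installed. Names are the page's utamu.ac.ug example.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CNF="$WORKDIR/myserver.cnf"
KEY="$WORKDIR/myserver.key"
CSR="$WORKDIR/myserver.csr"
CRT="$WORKDIR/myserver.crt"

# Same layout as the page's template. The bare domain is added as a second
# SAN because a wildcard *.utamu.ac.ug does not cover utamu.ac.ug itself.
# The quoted heredoc delimiter stops the shell expanding $FQDN and friends;
# OpenSSL expands them when it reads the file.
cat > "$CNF" <<'EOF'
FQDN = *.utamu.ac.ug
COUNTRY = UG
ORGNAME = RENU
INSTITUTION = Uganda Technology and Management University
ALTNAMES = DNS:$FQDN, DNS:utamu.ac.ug
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = $COUNTRY
O = $ORGNAME
OU = $INSTITUTION
CN = $FQDN
[ req_ext ]
subjectAltName = $ALTNAMES
EOF

# Key and CSR, created under the restrictive umask the page prescribes.
(umask 0377 && openssl req -new -config "$CNF" -keyout "$KEY" -out "$CSR" 2>/dev/null)

# SHA-256 of the PEM public key held in a key, CSR or certificate file.
# Equal fingerprints prove the CSR (or the issued cert) belongs to this key.
pubkey_fp() {  # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256 | sed 's/^.*= *//'
}

# The CSR's self-signature must verify, or the CA will reject the request.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Subject in RFC 2253 form, e.g. "CN=*.utamu.ac.ug,OU=...,O=RENU,C=UG".
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# The subjectAltName line, e.g. "DNS:*.utamu.ac.ug, DNS:utamu.ac.ug".
csr_sans() { openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'; }

# RSA modulus size, to catch a stale config still at 1024 bits.
key_bits() { openssl pkey -in "$1" -noout -text | sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'; }

# Permission string from ls, "-r--------" for a key written under umask 0377.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Stand-in for the certificate Sectigo will issue: a self-signed cert from the
# same CSR, so the key/certificate comparison can be shown offline.
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CRT" 2>/dev/null

csr_signature_ok "$CSR" && echo "CSR signature: OK"
echo "Subject:  $(csr_subject "$CSR")"
echo "SANs:     $(csr_sans "$CSR")"
echo "Key bits: $(key_bits "$KEY")"
echo "Key mode: $(file_mode "$KEY")"
[ "$(pubkey_fp key "$KEY")" = "$(pubkey_fp csr "$CSR")" ] && echo "Key matches CSR"
[ "$(pubkey_fp key "$KEY")" = "$(pubkey_fp crt "$CRT")" ] && echo "Key matches certificate"
```

Run the same pubkey_fp comparison against the real myserver.crt once it has been downloaded: a mismatch means the file belongs to a different request (for example an earlier CSR whose key was regenerated), and installing it will make the web server fail to start or serve an unusable certificate.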