News: Major Changes for the Certificate Re-Selling Service!
The certificate re-selling service has changed its billing model with its supplier Comodo. Most certificate products are covered under a single agreement maintained by the Office of the CIO, so there is no chargeback for orders. Use the form below as usual to order your certs at no charge. The service now also provides delegated certificate ordering and management through Comodo Certificate Manager, a web application. If your unit is interested in managing its own cert products, please send an email to email@example.com for more information.
News: Web Server TLS Configuration
It is highly recommended that the configuration of HTTPS websites follow current standards for the acceptance of cryptographic algorithms. One excellent source of these standards is Mozilla's Server Side TLS guide: https://wiki.mozilla.org/Security/Server_Side_TLS
In particular, we recommend that the ‘intermediate compatibility’ configuration be deployed on websites. Website settings can be evaluated using one of the many vendor testsites including https://www.ssllabs.com/ssltest/. Click the ‘Do not show the results on the boards’ box.
The Information Security group of I+TS facilitates the purchase of Comodo Group TLS (formerly known as SSL) Certificate products for University server administrators. This service provides advantages over purchasing direct from a commercial Certificate Authority:
- The site validation process for the utoronto.ca and toronto.edu domains has already been completed.
- There is no cost to most cert products.
- The Information Security group in I+TS adds a departmental contact vetting process to ensure authorization to use server certificates (see the note below for details).
- Notification of imminent cert expiry is provided at least two weeks before the expiry date.
The following certificate products are available for order. Please use the form below.
- Server certificates: these are used to protect one domain name. Note that all of these certs cover both the fully qualified domain name specified and its ‘www.’ form. A single certificate can be used on an unlimited number of logical or physical servers.
- Wildcard certificates: these are used to protect a range of domain names under a single domain level, e.g. ‘*.mysubnet.utoronto.ca’. A wildcard does not cover the bare name ‘mysubnet.utoronto.ca’ itself.
- Unified Communication (multi-domain) certificates: these are used to protect a range of domain names with no restriction.
Note on certificate issuance verification: The certificate issuance validation feature that is provided with this service adds an extra degree of assurance for site administrators and end users. Before cert orders are processed, the site administrator's authorization is vetted by checking the authoritative ‘/etc/networks’ file. If the admin is not present in that database, they are requested to have someone who is listed validate the request. Note that this may delay the issuance of the certificate.
Site users can be assured of this validation process when they see the Comodo cert on a University website. This is a step above how a commercial CA handles validation for low-cost products – such CAs only compare the requestor with the owner of the domain name. That check has minimal effectiveness, since spammers can obtain domain names too.
After ordering and installing your cert, please check the TLS configuration of your website by running one of the vendor site checking programs such as: https://www.ssllabs.com/ssltest/.
If you have questions about the results of the test or need a reference on TLS configuration, please consult: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations.
Certificate Ordering Information
Certificate Signing Request (CSR)
Ensure the Common Name (CN) in your CSR is your server’s fully qualified domain name (e.g. ‘myserver.mydepartment.utoronto.ca’).
The minimum key size for SSL/TLS server certs is 2048 bits. The Organization field must be set to ‘University of Toronto’ (no quotes). When renewing a certificate, you must always generate a new key pair – do not reuse the existing key pair.
Click here for more instructions to generate a CSR.
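The CSR requirements above, as an added example that is not part of this service page or of Comodo's tooling: the script generates a fresh 2048-bit RSA key pair and a CSR with the required CN and Organization using OpenSSL, then checks the CSR before it is pasted into the enrollment form. The host name is a placeholder, and the C/ST/L subject fields are assumptions (the page only mandates the Organization).

```shell
#!/bin/sh
# Added example: create and sanity-check a CSR for the UofT certificate service.
set -eu

# make_csr FQDN KEYFILE CSRFILE
# Always generates a NEW key pair; never reuse the key of the certificate
# being renewed.
make_csr() {
  fqdn=$1; key=$2; csr=$3
  openssl genrsa -out "$key" 2048 2>/dev/null
  # C/ST/L values are assumed here; O and CN are what the service requires.
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=CA/ST=Ontario/L=Toronto/O=University of Toronto/CN=$fqdn"
}

# check_csr CSRFILE EXPECTED_FQDN
# Prints "ok" when the CSR has the expected CN, the required Organization,
# a key of at least 2048 bits and a valid self-signature; otherwise prints
# the first problem found and returns non-zero.
check_csr() {
  csr=$1; fqdn=$2
  subj=$(openssl req -in "$csr" -noout -subject)
  # OpenSSL 1.0 prints "/CN=host", 1.1+ prints "CN = host"; accept both.
  case "$subj" in
    *"CN=$fqdn"*|*"CN = $fqdn"*) ;;
    *) echo "bad CN: $subj"; return 1 ;;
  esac
  case "$subj" in
    *"O=University of Toronto"*|*"O = University of Toronto"*) ;;
    *) echo "bad Organization: $subj"; return 1 ;;
  esac
  bits=$(openssl req -in "$csr" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-unknown} bits"; return 1; }
  # A corrupted or hand-edited CSR fails its own signature check.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify"; return 1; }
  echo ok
}

# Demonstration with a placeholder host name; files go to a temp directory.
workdir=$(mktemp -d)
make_csr myserver.mydepartment.utoronto.ca "$workdir/server.key" "$workdir/server.csr"
check_csr "$workdir/server.csr" myserver.mydepartment.utoronto.ca
echo "CSR to paste into the enrollment form: $workdir/server.csr"
```

Keep `server.key` private on the server; only the `.csr` file is pasted into the ‘CSR’ field.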
Submit the Certificate Order
To submit the CSR, you will also need to know the server software used to generate the CSR (e.g. Apache ModSSL (OpenSSL), Microsoft IIS version 7), and the desired term for the certificate (1, 2 or 3 years).
Submit the CSR at the UofT Certificate Manager Self Enrollment Site. Use Access Code ‘UofTCerts2017’ and your UTmail address; click on ‘CHECK ACCESS CODE’.
Fill in the form:
- Select the ‘Certificate Type’.
- Select the ‘Certificate Term’.
- Select the ‘Server Software’.
- Paste your CSR in the ‘CSR’ field. That should automatically populate the ‘Common Name’ field; if it doesn’t there is likely something wrong with your CSR.
- Put your e-mail address in as the ‘External Requester’.
- Optionally, you can put other e-mail address(es) into the ‘Administrative Contact’ (comma separated); these addresses will also be notified about certificate renewals, etc.
- Do not tick ‘Renew’: by default this reuses the current certificate’s key pair for the new certificate, which is not advisable, since a new key pair should be generated whenever a certificate is replaced.
- Scroll down through the ‘Subscriber Agreement’.
- Click the ‘I Agree’ box (which is only activated when the ‘Subscriber Agreement’ has been viewed).
- Click the ‘ENROLL’ button to submit the certificate request.