TLS certificates FAQ

General Information

  • Where does the university get its certificates?

    The supplier is Sectigo. That company has won a bid for delivering certificates for all European higher education institutions.

  • Why do I see a GEANT as the Certificate Authority (CA)?
    • Part of the deal between Sectigo and GÉANT was that GÉANT would be a sub-CA. That is why you certificates from Sectigo show up as Issued by GEANT OV RSA CA 4 (or similar).
    • If you follow the certification path you will end up with the Sectigo AAA Certificate Services.
  • What kind of certificates can I request?
    • You can get server certificates. These are used to authenticate the server’s identity to the client.
    • You can also get a client, or personal, certificate. These can be used to authenticate the user to the server. More commonly they are used to sign data, like email messages and documents.
    • The third kind of certificate you can request is a Code signing certificate. It allows you to sign the applications you write. Depending on what environment you write your applications, signing can be mandatory before users are able to install the software.
  • What kind of server certificates can I request?

    The standard UT certificate is an OV type certificate. The OV stands for Organization Verified. The supplier of the certificate has verified it’s the university that requests the certificate. That will also be shown in the certificate itself.

  • Can I request Let’s Encrypt certificates?
    • You can not request Let’s Encrypt certificates from LISA. LISA does not offer support for these certificates.
    • You can directly request certificates from the Let’s Encrypt website. They are allowed on the university’s network.
  • Can I use wildcard certificates?
    • We advise against the use of wildcard certificates as they pose too many risks.
    • Therefore wildcard certificates are prohibited at the top-level of the main domains of the university.
    • They are also prohibited if the scope is too large, like for a whole faculty, research institute or service department.
    • Wildcard certificates are allowed for students, student associations and dedicated domains for projects.
  • I have my own domain. Can I request a certificate through the university?

    Short answer: No

    Long answer: All domains in a request should be under control of the university.

Security Information

  • What about SSL and TLS?
    • You see SSL still mentioned everywhere as a general term for the encryption of traffic using certificates. The SSL protocol itself is out-of-date, insecure and therefore it is not allowed to be used at the university.
    • TLS (Transport Layer Security) is the new version of the encryption protocol. Version 1.2 is the current protocol. Version 1.3 is the emerging one. Versions prior to 1.2 are not allowed.
  • What SSL versions are allowed?

    None of the SSL versions (v1 to v3) are allowed.

  • What TLS versions are allowed?

    Only versions 1.2 and newer are allowed.

  • What is this about cipher suites?

    Cipher suites describe how the server and client negotiate the ways they set up a secure communication. Cipher suites show what type of system is used for Key exchange, Certificate verification, Bulk encryption and Hashing.

    TLS 1.2 example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS 1.3 example:  ECDHE RSA TLS_AES_256_GCM_SHA384


    Key Exchange

    Certifcate Verification

    Bulk Encryption

    Hashing

    Good

    ECDHE

    ECDSA
    RSA

    AES_256_GCM
    CHACHA20_POLY1305
    AES_128_GCM

    SHA384
    SHA256

    Still allowed

    DHE


    AES_256_CBC
    AES_128_CBC

    SHA1

    Not allowed

    RSA


    3DES-CBC


    "Still allowed" in this context means you have to plan for the removal of these systems so you won't end up without a certificate next time you want to renew it and the system is not allowed anymore.

    More information can be found on the website of the Dutch Nationaal Cyber Security Centrum.

  • How can I check my server?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

Certificate requests

  • Does the university’s supplier of certificates support Automatic Certificate Management Environment (ACME)?

    Yes, our supplier fully supports ACME. Contact the Service desk ICT if you need an account for your systems.

    We advise users to use ACME to request and install certificates. Currently, the default lifespan of a certificate is 1 year. In the future, it will probably go down to 90 days or less.

  • Can I use ACME with every system?
    • Most web server software supports tools to implement ACME.
    • IIS on Microsoft Windows does not yet natively support ACME. You can install PowerShell modules or separate Windows tools, though.
    • Dedicated devices with web capabilities, like networking equipment, IoT devices etc, often have no support for ACME. You can use ACME on a separate system and upload the certificates to your device.
  • I have received my certificate a while back. When do I need to request a new one?

    You have to make sure you have a new certificate installed on your system before the current one expires. The best moment for a new request is about one month in advance. That gives everybody time to handle the request and solve any issue that may arise.

    If you use ACME, requesting and installing certificates on most systems will happen automatically.

  • Do I get a reminder?

    You get a warning 90 days before the certificate expires. Sixty days later both you and the LISA employee who handled your request will receive one. Then, 15 days before the certificate expires, all LISA employees involved in the handling of certificates will get the warning.

  • How can I request a server certificate?
    • Request an ACME account through the Service desk ICT.
    • Install and configure an ACME client on your system.

    If your system does not support ACME you can use the old processes for now.

    • Make sure you create a Certificate Signing Request. Be sure to use a key length of at least 2048 bits. Keep the private key secure!
    • Then log into the Self Service Portal and fill in the form. In a few days, you will receive the signed certificate.

    We advise you to make plans to start using ACME for all your certificates, as the lifetime of certificates will get shorter in the next couple of years. Eventually, perhaps, to about one month.

  • How can I request a personal certificate?

    DO NOT request a personal certificate on a computer that is not your own personal or work computer. Even though, later on in the process, you will need to provide a password to secure access to the certificate, if it's on a public computer, people can get access to it and try to break your password.

    • Go to the login page of our supplier, Sectigo.
    • Select the "GÉANT Personal Certificate" Profile.
      • If you need to use your certificate for authentication, only then should you select the "GÉANT IGTF-MICS Personal Certificate" Profile. This certificate will contain sensitive information that is only needed for authentication, not for signing or encrypting data.
    • Choose the number of days you want the certificate to be valid.
    • Choose the "Key Generation" Enrollment Method.
    • Check whether you need Standaard (RSA) certificates or EC certificates and what length.
      • EC is better, but not all applications support that type of certificate yet. For instance, Outlook does not (yet) support encryption using EC certificates. To be sure, you can request both and test them in the applications you want to use them for.
      • The same goes for the type of RSA (4096, 3072 or 2048) and EC (P-384, P-256). The longer ones are better, but not all applications support all lengths. To be sure, don't choose the longest yet.
    • Let your Password Manager generate a new password. Remember that password as you need it after downloading the certificate. If you don't have a Password Manager, we advise you to get one first. If you want the certificate, come up with a strong password.
      • Enter your password (twice).
    • Read the EULA and select that you have read it.
    • Press Submit

    After that, your certificate will be generated and downloaded to your computer. You can now import it into your application using the password you provided earlier.

  • What is the lifespan of a certificate?

    Certificates supplied by the university have a lifespan of 1 year.

    Be aware, this will probably change to 90 days, or less, in the next couple of years.

Certificate signing requests

This information is relevant if you don’t use ACME. When using ACME, creating CSRs is automated.

  • How do I create a certificate signing request (CSR)?

    Different systems use different methods to generate a CSR. On most systems you can use a tool like OpenSSL. Some applications allow the generation of a CSR inside the application. Check the manual for your environment.

  • What are the requirements of a CSR?
    • The CSR should be generated in PEM format.
    • It should have a minimum strength of 2048 bits.
    • The hash must comply with at least SHA-256.
    • Each CSR should at least contain a CN (Common Name) which has to be the hostname of the system or the application. The C (Country) should be “NL”. L (Locality) should be “Enschede” and O (Organization) is “University of Twente”.
    • You can add Subject Alternative Names (SAN’s) to a maximum of 250 entries.
  • What other things should I consider when generating a CSR?
    • Wildcards are allowed in CN, but a SAN is not possible anymore.
    • Wildcards are only allowed when the scope is small enough, like a student association. Using a wildcard to cover all systems in a faculty is prohibited.

Installing a certificate

This information is relevant if you don’t use ACME. When using ACME, the installation of certificates is automated.

  • How do I install a certificate on my system?
    • If your application offers to generate CSR’s, it probably does too for installing certificates. Use that.
    • Installing certificates is dependent on the system you use. Check the manual for your systems and the certificate tool you use.
  • Do I need to provide a certificate chain when installing a certificate on my server?

    Yes, but only the GEANT-branded sub-CA certificate (CN = GEANT OC RSA CA 4 of similar)

  • How do I check if I installed the certificate correctly?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

SURF was written guidelines (in Dutch) which include configurations for most systems.