TLS certificates FAQ

General Information

  • Where does the university get its certificates?

    The supplier is Sectigo. That company has won a bid for delivering certificates for all European higher education institutions.

  • Why do I see a GEANT as the Certificate Authority (CA)?
    • Part of the deal between Sectigo and GÉANT was that GÉANT would be a sub-CA. That is why your certificates from Sectigo show up as Issued by GEANT OV RSA CA 4 (or similar).
    • If you follow the certification path you will end up with the Sectigo AAA Certificate Services.
  • What kind of certificates can I request?
    • You can get server certificates. These are used to authenticate the server’s identity to the client.
    • You can also get a client, or personal, certificate. These can be used to authenticate the user to the server. More commonly they are used to sign data, like email messages and documents.
    • The third kind of certificate you can request is a Code signing certificate. It allows you to sign the applications you write. Depending on the environment you write your applications for, signing can be mandatory before users are able to install the software.
  • What kind of server certificates can I request?

    The standard UT certificate is an OV type certificate. The OV stands for Organization Verified. The supplier of the certificate has verified it’s the university that requests the certificate. That will also be shown in the certificate itself.

  • Can I request Let’s Encrypt certificates?
    • You cannot request Let’s Encrypt certificates from LISA. LISA does not offer support for these certificates.
    • You can directly request certificates from the Let’s Encrypt website. They are allowed on the university’s network.
  • Can I use wildcard certificates?
    • We advise against the use of wildcard certificates as they pose too many risks.
    • Therefore wildcard certificates are prohibited at the top-level of the main domains of the university.
    • They are also prohibited if the scope is too large, like for a whole faculty, research institute or service department.
    • Wildcard certificates are allowed for students, student associations and dedicated domains for projects.
  • I have my own domain. Can I request a certificate through the university?

    Short answer: No

    Long answer: All domains in a request should be under control of the university.

Security Information

  • What about SSL and TLS?
    • You see SSL still mentioned everywhere as a general term for the encryption of traffic using certificates. The SSL protocol itself is out-of-date, insecure and therefore it is not allowed to be used at the university.
    • TLS (Transport Layer Security) is the new version of the encryption protocol. Version 1.2 is the current protocol. Version 1.3 is the emerging one. Versions prior to 1.2 are not allowed.
  • What SSL versions are allowed?

    None of the SSL versions (v1 to v3) are allowed.

  • What TLS versions are allowed?

    Only versions 1.2 and newer are allowed.

  • What is this about cipher suites?

    Cipher suites describe how the server and client negotiate the ways they set up a secure communication. Cipher suites show what type of system is used for Key exchange, Certificate verification, Bulk encryption and Hashing.

    TLS 1.2 example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS 1.3 example: TLS_AES_256_GCM_SHA384 (in TLS 1.3 the key exchange, e.g. ECDHE, and certificate verification, e.g. RSA, are negotiated separately and no longer appear in the cipher suite name)

                    Key Exchange   Certificate Verification   Bulk Encryption     Hashing
    Good            ECDHE          ECDSA                      AES_256_GCM         SHA384
                                   RSA                        CHACHA20_POLY1305   SHA256
                                                              AES_128_GCM
    Still allowed   DHE                                       AES_256_CBC         SHA1
                                                              AES_128_CBC
    Not allowed     RSA                                       3DES-CBC


    "Still allowed" in this context means you have to plan for the removal of these systems so you won't end up without a certificate next time you want to renew it and the system is not allowed anymore.

    More information can be found on the website of the Dutch Nationaal Cyber Security Centrum.
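As an added example (not from the FAQ or the supplier), the Python below rates cipher suite names in IANA spelling, as scan reports list them, against the table above and reports the weakest component; the sample suite names are constructed.

```python
"""Rate TLS cipher suites (IANA names) against the FAQ's Good / Still allowed / Not allowed table."""

# The FAQ's table as data. IANA names spell SHA-1 as "SHA" and 3DES as "3DES_EDE_CBC";
# parse_suite() normalises both to the FAQ's spelling before the lookup.
TABLE = {
    "kx":   {"ECDHE": "good", "DHE": "still allowed", "RSA": "not allowed"},
    "auth": {"ECDSA": "good", "RSA": "good"},
    "enc":  {"AES_256_GCM": "good", "CHACHA20_POLY1305": "good", "AES_128_GCM": "good",
             "AES_256_CBC": "still allowed", "AES_128_CBC": "still allowed", "3DES_CBC": "not allowed"},
    "hash": {"SHA384": "good", "SHA256": "good", "SHA1": "still allowed"},
}
RANK = {"not allowed": 0, "unlisted": 1, "still allowed": 2, "good": 3}  # lower is weaker


def parse_suite(name):
    """Split an IANA cipher suite name into kx/auth/enc/hash; TLS 1.3 names carry no kx/auth."""
    body = name.strip().upper()
    if not body.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name: " + name)
    body = body[4:]
    if "_WITH_" in body:                      # TLS 1.2 style: TLS_<kx>_<auth>_WITH_<enc>_<hash>
        kx_auth, enc_hash = body.split("_WITH_", 1)
        kx, _, auth = kx_auth.partition("_")
        auth = auth or kx                     # TLS_RSA_WITH_...: RSA does key exchange and auth
    else:                                     # TLS 1.3 style: TLS_<enc>_<hash>
        kx = auth = None
        enc_hash = body
    enc, _, digest = enc_hash.rpartition("_")
    enc = "3DES_CBC" if enc.startswith("3DES") else enc
    digest = "SHA1" if digest == "SHA" else digest
    return {"kx": kx, "auth": auth, "enc": enc, "hash": digest}


def rate_suite(name):
    """Return (overall, per_component); overall is the rating of the weakest component."""
    per_component = {}
    for field, value in parse_suite(name).items():
        if value is not None:                 # kx/auth are absent for TLS 1.3 names
            per_component[field] = TABLE[field].get(value, "unlisted")
    overall = min(per_component.values(), key=RANK.__getitem__)
    return overall, per_component


if __name__ == "__main__":
    # Constructed sample list, like the suites a scanner reports for a server.
    for suite in ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384",
                  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"]:
        print(f"{rate_suite(suite)[0]:13} {suite}")
```

An "unlisted" result means the FAQ's table says nothing about that algorithm, so it needs a manual look rather than being assumed acceptable.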

  • How can I check my server?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

Certificate requests

  • Does the university’s supplier of certificates support Automatic Certificate Management Environment (ACME)?
    • Yes, the supplier supports ACME.
    • If you don’t need EV or OV certificates you can use Let’s Encrypt’s ACME implementation.

    We advise users to use ACME to request and install certificates. Currently, the default lifespan of a certificate is 1 year. In the future it will probably go down to 90 days.

  • Can I use ACME with every system?
    • Most web server software supports tools to implement ACME.
    • IIS on Microsoft Windows does not yet natively support ACME. You can install PowerShell modules or separate Windows tools, though.
    • Dedicated devices with web capabilities, like networking equipment, IoT devices etc., often have no support for ACME. You can use ACME on a separate system and upload the certificates to your device.
  • I have received my certificate a while back. When do I need to request a new one?

    You have to make sure you have a new certificate installed on your system before the current one expires. The best moment for a new request is about one month in advance. That gives everybody time to handle the request and solve any issue that may arise.

    If you use ACME, requesting and installing certificates on most systems will happen automatically.

  • Do I get a reminder?

    You get a warning 90 days before the certificate expires. Sixty days later both you and the LISA employee who handled your request will receive one. Then, 15 days before the certificate expires, all LISA employees involved in the handling of certificates will get the warning.

  • How can I request a server certificate?
    • Request an ACME account through the Service desk ICT.
    • Install and configure an ACME client on your system.

    If your system does not support ACME you can use the old process:

    • Make sure you create a Certificate Signing Request. Be sure to use a key length of at least 2048 bits. Keep the private key secure!
    • Then log into the Self Service Portal and fill in the form. In a few days you will receive the signed certificate.
  • How can I request a personal certificate?

    DO NOT request a personal certificate on a computer that is not your own personal or work computer. Later in the process you will set a password to protect access to the certificate, but if the certificate is on a public computer, other people can get hold of it and try to break that password.

    • Go to the login page of our supplier, Sectigo.
    • Select the "GÉANT Personal Certificate" Profile.
      • If you need to use your certificate for authentication, only then should you select the "GÉANT IGTF-MICS Personal Certificate" Profile. This certificate will contain sensitive information that is only needed for authentication, not for signing or encrypting data.
    • Choose the number of days you want the certificate to be valid.
    • Choose the "Key Generation" Enrollment Method.
    • Check whether you need Standard (RSA) certificates or EC certificates and what length.
      • EC is better, but not all applications support that type of certificate yet. For instance, Outlook does not (yet) support encryption using EC certificates. To be sure, you can request both and test them in the applications you want to use them for.
      • The same goes for the type of RSA (4096, 3072 or 2048) and EC (P-384, P-256). The longer ones are better, but not all applications support all lengths. To be sure, don't choose the longest yet.
    • Let your Password Manager generate a new password. Remember that password, as you need it after downloading the certificate. If you don't have a Password Manager, we advise you to get one first; otherwise, come up with a strong password yourself.
      • Enter your password (twice).
    • Read the EULA and select that you have read it.
    • Press Submit.

    After that, your certificate will be generated and downloaded to your computer. You can now import it into your application using the password you provided earlier.

  • What is the lifespan of a certificate?

    Certificates supplied by the university have a lifespan of 1 year.

    Be aware, this will probably change to 90 days in the near future.

Certificate signing requests

This information is relevant if you don’t use ACME. When using ACME, creating CSRs is automated.

  • How do I create a certificate signing request (CSR)?

    Different systems use different methods to generate a CSR. On most systems you can use a tool like OpenSSL. Some applications allow the generation of a CSR inside the application. Check the manual for your environment.

  • What are the requirements of a CSR?
    • The CSR should be generated in PEM format.
    • It should have a minimum strength of 2048 bits.
    • The hash must comply with at least SHA-256.
    • Each CSR should at least contain a CN (Common Name) which has to be the hostname of the system or the application. The C (Country) should be “NL”. L (Locality) should be “Enschede” and O (Organization) is “University of Twente”.
    • You can add Subject Alternative Names (SANs) to a maximum of 250 entries.
  • What other things should I consider when generating a CSR?
    • Wildcards are allowed in the CN, but then adding SANs is no longer possible.
    • Wildcards are only allowed when the scope is small enough, like a student association. Using a wildcard to cover all systems in a faculty is prohibited.
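An added example, not part of the FAQ: a Python helper that checks CSR parameters against the requirements listed in this section and writes the matching OpenSSL 'req' configuration. The hostnames are constructed, and the "scope small enough" rule for wildcards is a policy judgement the code does not attempt.

```python
"""Check CSR parameters against the FAQ's rules and build the matching OpenSSL 'req' config."""
import re

# Subject fields the FAQ fixes; only the CN varies per system.
REQUIRED_SUBJECT = {"C": "NL", "L": "Enschede", "O": "University of Twente"}
HOSTNAME = re.compile(r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def check_request(cn, sans=(), key_bits=2048, digest="sha256"):
    """Return a list of problems; an empty list means the FAQ's requirements are met."""
    problems = []
    if not HOSTNAME.match(cn.lower()):
        problems.append(f"CN {cn!r} is not a hostname")
    if cn.startswith("*.") and sans:
        problems.append("a wildcard CN cannot be combined with SANs")
    if len(sans) > 250:
        problems.append(f"{len(sans)} SANs exceed the maximum of 250")
    problems += [f"SAN {s!r} is not a hostname" for s in sans if not HOSTNAME.match(s.lower())]
    if key_bits < 2048:
        problems.append(f"key length {key_bits} is below the 2048-bit minimum")
    if digest.lower() not in ("sha256", "sha384", "sha512"):
        problems.append(f"digest {digest!r} is weaker than SHA-256")
    return problems


def req_config(cn, sans=()):
    """OpenSSL 'req' configuration: fixed subject, CN, and a SAN extension when SANs are given."""
    sans = list(sans)
    if sans and cn not in sans:
        sans.insert(0, cn)          # clients ignore the CN once SANs exist, so repeat it there
    problems = check_request(cn, sans)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["[req]", "prompt = no", "distinguished_name = dn"]
    if sans:
        lines.append("req_extensions = ext")
    lines += ["", "[dn]"] + [f"{k} = {v}" for k, v in REQUIRED_SUBJECT.items()] + [f"CN = {cn}"]
    if sans:
        lines += ["", "[ext]", "subjectAltName = " + ", ".join(f"DNS:{s}" for s in sans)]
    return "\n".join(lines) + "\n"


def openssl_command(cn, key_bits=2048, config="req.cnf"):
    """Command for a PEM CSR signed with SHA-256 plus a fresh RSA key of key_bits bits.
    The key is written unencrypted (-nodes), so restrict the file's permissions."""
    stem = cn.replace("*", "wildcard")
    return ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes", "-sha256",
            "-keyout", f"{stem}.key", "-out", f"{stem}.csr", "-config", config]


if __name__ == "__main__":      # constructed hostnames, not the university's real systems
    print(req_config("www.example.nl", ["example.nl"]), " ".join(openssl_command("www.example.nl")))
```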

Installing a certificate

This information is relevant if you don’t use ACME. When using ACME, the installation of certificates is automated.

  • How do I install a certificate on my system?
    • If your application can generate CSRs, it can probably install certificates too. Use that.
    • Installing certificates is dependent on the system you use. Check the manual for your systems and the certificate tool you use.
  • Do I need to provide a certificate chain when installing a certificate on my server?

    Yes, but only the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar).

  • How do I check if I installed the certificate correctly?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

SURF has written guidelines (in Dutch) which include configurations for most systems.