This document describes the procedure for applying for TLS certificates. Certificates are provided by DigiCert. This ensures reliability. DigiCert certificates are supported by all common browsers and other clients.
This procedure has been written for the system and application administrator who wants to apply for a TLS certificate. An administrator is deemed to have sufficient knowledge of creating a CSR and installing the required certificates. The administrator should also be authorized to do so.
The University uses so-called CAA records. These indicate which certificate suppliers we accept for our domains. This is done to prevent rogue vendors from issuing certificates for our domains to criminals. We currently accept certificates from the following suppliers:
- DigiCert (provided by LISA)
- Let's Encrypt
All certificates provided by the University of Twente in accordance with the procedure described in this document are free of charge.
Every employee, officially employed at the University of Twente, and every student who studies at the University of Twente, is entitled to a personal certificate. A personal certificate can be used for signing and encrypting email and for identifying websites.
Certificates can only be requested for domains owned by the University according to an independent third party (e.g., SIDN). Servers within those domains can be provided with these certificates. For personal websites, sites of student associations etc. under their own domain, certificates cannot be requested. If an association wants to request a certificate according to this procedure, it must transfer the ownership of the domain to the University of Twente.
Participants in the eScience Grid Computing community are also entitled to an eScience server certificate for the servers and clients that connect to an eScience grid.
Server certificate requests can be made via the ICT Service Desk, by e-mail or via the self-service page. If you apply for certificates on a regular basis, you can apply for certificates directly at DigiCert. If you think you qualify, please file a request with the ICT Service Desk.
Do not forget to indicate which environment the certificate is intended for. You will receive the certificate and any necessary chaining certificates in the best format for your system.
A CSR must be supplied in PEM format. The key used to generate the CSR must be at least RSA 2048 bits, and the CSR must be signed with SHA-256.
The CSR should contain the following information:
- C (Country) - NL
- ST (State) - OV
- L (Locality) - Enschede
- O (Organization) - University of Twente
- OU (Organizational Unit) - The official (English) name or abbreviation of the unit within the university
- CN (Common Name) - The host name for which the certificate is to be used
The first four (C, ST, L, O) are fixed; if they deviate, they will be adjusted to the correct values during the application. CN is a required field and contains the primary host name. OU is optional.
If you apply for an eScience server certificate, you must explicitly say so. Such a certificate is only valid for 13 months and all fields must be ASCII; this has been agreed within the "grid community". This type of certificate is therefore intended only for participants in eScience Grid Computing.
A wildcard in the CN is only possible if you do not use SANs, and the wildcard may only appear in the host part of the CN. We do not allow wildcards if the scope becomes too large: an application for *.department.utwente.nl is not granted, whereas an application for *.association.utwente.nl is acceptable. In that case you automatically get the SAN association.utwente.nl as well. If you want a TLS certificate for the websites of an association, this is a good choice; you can still request a separate certificate for, for example, the mail server.
If you want a single certificate to cover more hosts, you must use Subject Alternative Names (SANs). Wildcards are not possible in combination with SANs, so you must list every host name explicitly. If the set of names changes, you must apply for a new certificate.
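As an added example (not part of the University's procedure, and not LISA's tooling), the following shell script generates a CSR that satisfies the requirements above (PEM, RSA of at least 2048 bits, SHA-256, the fixed C/ST/L/O values, a CN plus one SAN per additional host, no wildcards) and then checks a CSR before it is submitted. The host names and the OU value "LISA" are constructed placeholders; the script assumes a standard OpenSSL installation.

```shell
#!/bin/sh
# Added example, not part of the University's procedure text.
# make_csr: key + CSR as required above. check_csr: verify a CSR before sending it in.
# Host names and the OU "LISA" below are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr BITS HOST [EXTRA_HOST ...]
# Writes HOST.key and HOST.csr into $WORK and prints the path of the CSR.
make_csr() {
    bits="$1"; host="$2"; shift 2
    key="$WORK/$host.key"; csr="$WORK/$host.csr"; cfg="$WORK/$host.cnf"
    # SAN list: the CN host itself plus every additional name (no wildcards here)
    san="DNS:$host"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = NL
ST = OV
L = Enschede
O = University of Twente
OU = LISA
CN = $host
[ext]
subjectAltName = $san
EOF
    # The private key never leaves this server; restrict its permissions at once.
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" -out "$key" 2>/dev/null
    chmod 600 "$key"
    # PEM CSR signed with SHA-256
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$csr"
    printf '%s\n' "$csr"
}

# check_csr CSR
# Prints "ok" when the CSR meets the requirements, otherwise "fail: <reason>"
# and returns 1.
check_csr() {
    text=$(openssl req -in "$1" -noout -text)
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "fail: RSA key is ${bits:-unknown} bits, minimum is 2048"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption'; then
        echo "fail: CSR is not signed with SHA-256"; return 1
    fi
    # The four fixed subject fields from the procedure
    for field in 'C=NL' 'ST=OV' 'L=Enschede' 'O=University of Twente'; do
        case "$subject" in *"$field"*) ;; *) echo "fail: subject lacks $field"; return 1;; esac
    done
    # The primary host name (CN) must also be present as a SAN
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$text" in
        *"DNS:$cn"*) ;;
        *) echo "fail: CN $cn is missing from the SAN list"; return 1;;
    esac
    echo ok
}

# Demo: a compliant request, then a request with a too-weak key.
good=$(make_csr 2048 example-host.utwente.nl www.example-host.utwente.nl)
check_csr "$good"
weak=$(make_csr 1024 weak-example.utwente.nl)
check_csr "$weak" || true
```

The CSR text printed by `openssl req -in HOST.csr -noout -text` is also what the service desk will look at, so reviewing it yourself before sending it saves a round trip; the key file stays on the server and is never sent.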
Further processing to obtain a signed certificate will be carried out by ICTS within a few days.
Certificates are requested by default for 2 years.
Once the application has been processed, you will receive an email with the signed certificate.
Do not forget to install the chaining certificate on the server as well, so that clients can validate your certificate correctly. If you have specified the environment for which the certificate is intended, you will receive it in the optimal format.
A personal certificate can be requested directly from the DigiCert website: www.digicert.com/sso. Do not do this on a public computer, because your certificate will be saved in the browser.
Enter as Identity Provider "University of Twente". You can also simply start typing "Twente" and when "University of Twente" appears, select that entry. Next you must log in on the login page of the University of Twente. The first time you will be asked if the information displayed may be passed to DigiCert. Check the data and, if everything is okay, click approve.
On the next page you can see the certificates you have requested previously. You can revoke one of them or make a new request. For the latter, choose a "Premium" product. Next click on "Request Certificate".
The certificate is then generated and stored in the browser. Make a backup; this can usually be done through the "Advanced - Certificates" options or settings of the browser. Protect the backup with a strong password.
From now on the certificate can be transferred to your mail client and/or other browsers you use on the same or other computers. Do not install the certificate on public computers.
To guarantee the security of a system and communication, a number of requirements are set before a system is eligible for a certificate. We monitor (web) servers by default with the SSL Labs tool from Qualys. In this test, a score of at least A must be achieved.
Furthermore, the Dutch Standardization Forum has drawn up a number of requirements that the University's servers have to meet. The most important ones are listed below.
- HTTPS; all servers must use HTTPS for communication.
- TLS 1.2; the encryption protocol must be at least TLS 1.2 for EV certificates. For non-EV certificates TLS 1.0 is still allowed, but should be phased out. The use of SSL is prohibited.
- HSTS; to prevent attackers from eavesdropping on traffic, such as cookies, HSTS must be used.
When applying for a certificate, these requirements are checked.
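As an added example (not part of the University's procedure or its monitoring), the shell function below checks the HSTS requirement from the list above against a server's HTTP response headers: the header must be present, must carry a max-age directive, and the max-age must not be too short. The three response header blocks are constructed samples, and the one-year minimum for max-age is an assumption of this example rather than a figure from the procedure.

```shell
#!/bin/sh
# Added example, not part of the University's procedure text.
# The sample header blocks are constructed; the one-year minimum max-age is assumed.
set -e

MIN_MAX_AGE=31536000   # one year in seconds (assumed minimum, not from the procedure)

# check_hsts HEADERS
# HEADERS is a raw HTTP response header block. Prints "ok" when a usable
# Strict-Transport-Security header is present, otherwise "fail: <reason>"
# and returns 1.
check_hsts() {
    # Header names are case-insensitive; strip CRs, keep the first HSTS value only.
    hsts=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
           | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$hsts" ]; then
        echo "fail: no Strict-Transport-Security header"; return 1
    fi
    # Directives are case-insensitive too; pull the numeric max-age out.
    max_age=$(printf '%s\n' "$hsts" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "fail: HSTS header has no max-age directive"; return 1
    fi
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "fail: max-age $max_age is below the minimum of $MIN_MAX_AGE"; return 1
    fi
    echo ok
}

# Constructed sample responses: compliant, too short, and missing entirely.
GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=300
Content-Type: text/html'
NONE='HTTP/1.1 200 OK
Content-Type: text/html'

check_hsts "$GOOD"
check_hsts "$SHORT" || true
check_hsts "$NONE" || true
```

Against a live server the same function can be fed the output of `curl -sI https://host/`; note that HSTS only has effect when it is served over HTTPS, so check the HTTPS response, not an HTTP redirect.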