The Secure Sockets Layer (SSL) protocol provides assurance that web servers are legitimate and that the conversation is encrypted to prevent network eavesdropping. To run a secure web server, system administrators must obtain a digital certificate that is signed by an external third party (a certificate authority). This process is similar in concept to obtaining a notarized document. VeriSign is one firm offering digital certificates.
In order to obtain better service from VeriSign for SSL server certificates, University IT has pre-purchased certificates in bulk via VeriSign’s OnSite for Server IDs service. This significantly streamlines the approval process associated with obtaining server certificates.
These certificates are for SSL web service only; they are not suitable for individuals or for becoming a Certificate Authority ourselves. In public-key parlance, the University of Rochester is now a Registration Authority (we validate the requests, but the signing is still done by VeriSign).
Instructions for obtaining web server certificates:
For certificate renewals, please follow the instructions in the renewal notice you received from VeriSign. Follow these steps for new registrations:
You'll need to provide an account number for a charge of $825 (3-year cert), $550 (2-year cert), or $275 (1-year cert). Most people have been using a -2290 subcode. If you have any questions anywhere in the process, send email to: certificate-questions@infosec.rochester.edu. This address is also posted on the VeriSign enrollment page.
What is the difference between getting a certificate through the University’s VeriSign contract, compared to buying directly from VeriSign (or any other certificate vendor)?
In order to obtain or renew a certificate directly from a commercial Certificate Authority, you must follow these steps, which can cause a significant delay in turnaround:
By taking advantage of the University's VeriSign OnSite contract, the University provides the approval for VeriSign to generate your certificate. The process can go much more quickly, as most of the paper handoffs and manual interventions are gone.
Compared to a direct VeriSign purchase, the cost to you is slightly lower on initial purchase, and slightly higher on renewal, but there is no paperwork, and the response time is always much better. Costs from other vendors may be lower (and you are welcome to go anywhere), but the purchase and order verification details will be similar at any commercial Certificate Authority.
How long are certificates valid?
When purchasing a certificate, whether through the University’s contract or directly from the vendor, you can choose a one-, two-, or three-year certificate.
I do not want to purchase a certificate. How can I get one for free?
The ipsCA certificate authority offers free certificates for use on .edu domains. These certificates are no less secure than those purchased through VeriSign or other vendors, and are functionally the same. The ipsCA root certificate is integrated into all modern web browsers, meaning users will not be presented with an error message when visiting a secure site using their certificate. These free certificates may be ideal for test or development systems which do not have the exposure a production service might have and do not require the VeriSign name associated with them.