SSL Certificates - KBA

General Information

SSL certificates are used to secure web traffic. More generally, SSL certificates can be used with any service that uses SSL or TLS to encrypt traffic. For example, SSL certificates encrypt:

  • traffic between a browser and web server
  • traffic between client software and servers (e.g., the Outlook mail client and CWRU mail servers)

SSL certificates are tied to specific domains. CWRU has authority over the following domains (and no others):



Who may request a certificate

CWRU provides SSL certificates free of charge to CWRU faculty and staff, affiliates (e.g., contractors and temporary employees) acting on behalf of CWRU faculty or staff, and CWRU faculty or staff organizations.

CWRU does NOT provide SSL certificates to students or student organizations.

As of May 2011, CWRU no longer provides self-signed server certificates.

Requirements for requesting a certificate

In order to request an SSL certificate you must provide a Certificate Signing Request (CSR). There are various ways to generate a CSR, depending on the web server or system you are securing.

All CSRs have several things in common:

  1. CSR Requirements
    • MUST have a common (server) name (ex., the common name for web server "" would be "").
    • MUST have a domain as part of the common name.
    • Organization is Case Western Reserve University.
    • State is Ohio.
    • Locality is Cleveland.
    • Every CSR (and the certificate created from it) is tied to a private key.
    • Key MUST be 2048 bits or greater.

      NOTE: Performance impact to your web server increases as the size of the key increases due to greater complexity in encrypting and decrypting the data streams.

  2. Signing requirements

    To comply with National Institute of Standards and Technology (NIST) guidelines, CWRU stopped issuing certificates that use the SHA1 signing algorithm. Existing SHA1 certificates CANNOT be renewed and must be requested as new certificates.

  3. When you request a certificate, either by the self-enrollment form or by contacting you MUST provide a contact address that allows multiple recipients (e.g., a Google Group address or email list).

    The certificate management system will use this address to contact you with instructions on how to download your certificate and send you notices when your certificate is expiring.

InCommon Certificate Authority

As certificate security needs change, the intermediate certificates can also change. For that reason we no longer provide intermediate and root CA certificates on these pages. Use the certificate "chains" provided in the email issued by Comodo instead.

One chain certificate is created for every server certificate issued under the new service. Each Certificate Authority (CA) sets up a Chain of Trust by issuing one or more intermediate, or "chain" certificates. Each intermediate is signed by the one immediately superior to it ending ultimately in a "root" CA certificate that is trusted by browsers and other devices as part of their certificate store of trusted CAs.

CWRU subscribes to the InCommon Certificate Authority service. The service is mediated by InCommon/Internet2 but the actual certificate authority is Comodo.

SSL Certificates - Types, Uses, and Requesting

We currently offer two types of SSL certificates: InCommon SSL (SHA-2) and InCommon Multi-Domain SSL (SHA-2).

InCommon SSL (SHA-2) Certificates

InCommon SSL (SHA-2) certificates are used for securing servers that only require a single server name (for example You may not secure multiple sites using this type of certificate, even if they all run on the same web server. You may, however, secure multiple pages running on the same site (for example,

Request an InCommon SSL (SHA-2) certificate. Please note:

  • Email to get the access code for this page if you don't have it already
  • Do not share the access code with anyone except CWRU faculty, staff, or a contractor acting on behalf of one
  • Use your standards-conforming contact email address (see the requirements above) in the self-enrollment form, NOT your personal email address

Complete the form:

  1. Choose a 1, 2, or 3 year term for the certificate. The term indicates when the certificate will expire and must be renewed.
  2. Choose "Server Software" from the drop-down list. Popular web server software is included in the drop-down. If you are unsure what software to choose, "Apache/ModSSL" is generally a good choice.
  3. Enter the CSR in the space provided (including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines). If the CSR is in a file on your computer, click UPLOAD CSR to upload your file.
  4. Enter the server/site name (for example in the "Common Name" field.
  5. While a pass-phrase is not required, if you wish to revoke or renew your certificate using the self-enrollment form, you will need one.
  6. Enter any comments you feel necessary either for you to remember the purpose of the certificate or for the Certificate Administrators.
  7. Click ENROLL to submit your request.

InCommon Multi-Domain SSL (SHA-2) Certificates:

InCommon Multi-Domain SSL (SHA-2) certificates are used to secure multiple sites or multiple domains running on the same server. They are also known as Subject Alternative Name (SAN) certificates. Names cannot be added to or removed from an existing certificate until the certificate is up for renewal, or until a new certificate is requested from the existing CSR.

To request an InCommon Multi-Domain SSL (SHA-2) certificate, create a CSR as you normally would, and attach it in an email request to Please include:

  1. Certificate Signing Request (CSR)
  2. Certificate term (1, 2, or 3 years)
  3. A comma-separated list of SANs: (ex., for common name [CN], you might have a SAN list of (,,,, The limit of SANs per certificate is 100.
  4. Contact email address for the certificate.

Checking Your Certificate Deployment

Once your certificate has been requested, issued, and installed, you will probably want to check the installation to verify that the new certificate was installed properly. There are several useful sites and tools to allow you to gather information not only about the certificate, but also about the web server on which the certificate is installed:

Qualys SSL Labs Server Test

The Qualys SSL tester is not only more comprehensive than the Comodo SSL analyzer, but also gives the security of the web server a letter grade from A to F. The only drawback of this particular analyzer is that it supports HTTPS (port 443) ONLY. The URL for the Qualys analyzer is

OpenSSL

OpenSSL is in many ways the "go to" SSL utility: it is available on nearly every flavor and version of Unix, can be used to manipulate certificates as well as test them (see below), and the libraries on which it is built are the same libraries used to build the SSL modules of most web servers (and many other SSL services). In a pinch the program and SSL library sources can be freely downloaded and compiled without great difficulty. The only drawback to OpenSSL is that it is a command-line interface (CLI) program, and like many low-level CLIs its use and commands are somewhat cryptic.

Using openssl to Test Certificates

To test a certificate deployment in a browser-agnostic way, you can use the openssl s_client command to open an SSL or TLS connection (and print the certificate chain and the verification result). The command may also be used to test SMTP encrypted connections, as shown in the second command below.

  1. To test a web server (default SSL port is 443) use the command:

    openssl s_client -connect [hostname]:[port] -CAfile [CA Root Certificate file]

    After the connection is opened you may issue commands such as GET /, which "gets" the top-level web page of the server in the example above. Most web servers close the connection after answering the request; otherwise you can terminate the session by entering Ctrl-D. To print the certificate chain and the verification result without an interactive session, append </dev/null to the command so that s_client exits as soon as the handshake completes.

  2. To test a mail server connection (default send port is 25) use the command:

    openssl s_client -connect [hostname]:[port] -starttls smtp -CAfile [CA Root Certificate file]

    After the connection is opened you may issue commands such as "ehlo", which returns the services that are enabled on the mail server in the example above. You can even send mail by entering "raw" SMTP commands (the DATA command tells the server that the message headers and body follow):

    MAIL FROM:<[sender address]>
    RCPT TO:<[recipient address]>
    DATA
    Subject: Hi There!

    [Text of message ended by a "." alone on a line.]
  3. To exit and close the connection enter:

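The "Verify return code" that s_client prints depends on the server presenting its intermediate ("chain") certificate along with its own, as described under "InCommon Certificate Authority" above. The following script is an added example, not part of this KBA or of the InCommon/Comodo service: it builds a throwaway three-level chain (root CA, intermediate CA, server certificate) in a temporary directory with openssl, then shows that `openssl verify` succeeds only when the intermediate is supplied. Every name in it (Example Test Root CA, www.example.test, the file names) is a constructed placeholder. Because it never touches the network it can be run offline; a live s_client check against a real host is the same chain-of-trust test performed at the socket.

```shell
#!/bin/sh
# Added example (not CWRU's or InCommon's code): demonstrate why a server must
# install its intermediate "chain" certificate. All names are placeholders.

# build_chain DIR: writes root.pem, int.pem and server.pem (plus keys) under DIR.
build_chain() {
  dir="$1"
  base="/C=US/ST=Ohio/L=Cleveland/O=Example Test Organization"

  # CA certificates must be marked CA:TRUE and permitted to sign certificates;
  # the end-entity certificate carries the (placeholder) server name as a SAN.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$dir/server.ext"

  # Root CA: generate key and CSR, then self-sign with SHA-2.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$base/CN=Example Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1 || return 1

  # Intermediate ("chain") CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$base/CN=Example Test Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1 || return 1

  # Server certificate: signed by the intermediate, never by the root directly.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$base/CN=www.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1 || return 1
}

# verify_server DIR [CHAIN_FILE]: verify server.pem against the root, optionally
# supplying the intermediate as an untrusted chain certificate (this is what a
# correctly configured web server sends to the client). Prints "ok" or "fail"
# and returns openssl's exit status.
verify_server() {
  dir="$1"
  if [ -n "$2" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$2" "$dir/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/server.pem" >/dev/null 2>&1
  fi
  status=$?
  [ "$status" -eq 0 ] && echo ok || echo fail
  return "$status"
}

# Usage:
#   tmp=$(mktemp -d) && build_chain "$tmp"
#   verify_server "$tmp" "$tmp/int.pem"   # ok: root + intermediate + server form a complete chain
#   verify_server "$tmp"                  # fail: intermediate missing, "unable to get local issuer certificate"
```

The failing case is exactly what a browser or s_client sees when a server is configured with its own certificate but without the chain file from the issuance email: the root is trusted, but nothing links the server certificate to it. When checking a live host that serves several names on one address, add `-servername [hostname]` to the s_client command so the server presents the certificate for that name.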

Creating a CSR Using OpenSSL

  1. Create the key
    • Create a new private key (encrypted)

      openssl req -newkey rsa:2048 -keyout <Apache server dir>/conf/ssl.key/<server name>.key -keyform PEM \
                -out <Apache server dir>/conf/ssl.csr/<server name>.csr -outform PEM
    • Create a new private key (unencrypted for pubcookie)

      openssl req -newkey rsa:2048 -nodes -keyout <Apache server dir>/conf/ssl.key/<server name>.key -keyform PEM \
                -out <Apache server dir>/conf/ssl.csr/<server name>.csr -outform PEM
    • Create a CSR using an existing key

      openssl req -new -key <Apache server dir>/conf/ssl.key/<server name>.key -keyform PEM \
                -out <Apache server dir>/conf/ssl.csr/<server name>.csr -outform PEM
    • If the key you are using is encrypted, openssl will ask for the password with which it was generated when it goes to generate the CSR. Copy the entire CSR (including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines) into the appropriate form field at the URL above (example text below).

  2. Check the request using command

    openssl req -in <Apache server dir>/conf/ssl.csr/<server name>.csr -noout -text
  3. This will generate text output similar to the following (note that in this updated example the RSA public key is 2048 bits):

    Certificate Request:
            Version: 0 (0x0)
            Subject: C=US, ST=Ohio, L=Cleveland, O=CWRU Western Reserve University, OU=Technology Infrastructure Services,
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            Requested Extensions:
                X509v3 Subject Alternative Name: 
        Signature Algorithm: md5WithRSAEncryption
  4. To digitally sign (but not encrypt) a message use

    openssl smime -in <message body> -sign -text -CAfile /apps/pkg/CWRU/files/ca-bundle.crt \
            -signer <signer PEM certificate> -inkey <unencrypted key for cert> -from <from field> \
            -to <to field> -subject <subject field> | sendmail -t
  5. To digitally sign (but not encrypt) a message when the signing key is protected by a password

    openssl smime -in <message body> -sign -text -CAfile /apps/pkg/CWRU/files/ca-bundle.crt \
            -signer <signer PEM certificate> -inkey <encrypted key for cert> -passin pass:<password> \
            -from <from field> -to <to field> -subject <subject field> | sendmail -t
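The CSR requirements listed under "Requirements for requesting a certificate" and steps 1 and 2 of "Creating a CSR Using OpenSSL" can be automated and checked before a request is submitted. The script below is an added example, not CWRU's own tooling: make_csr generates an unencrypted 2048-bit key and a SHA-2 signed CSR carrying the required subject fields, and check_csr inspects any CSR with `openssl req -noout -text` (as in step 2) and reports each requirement it violates: missing common name, wrong organization, state or locality, a key smaller than 2048 bits, or a SHA1 signature. The server names and the temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not CWRU's tooling): generate a CSR that follows the KBA's
# requirements and verify a CSR against them before submitting it.

# make_csr OUT_DIR NAME BITS: writes NAME.key and NAME.csr under OUT_DIR.
# -nodes leaves the key unencrypted (the KBA's "pubcookie" variant);
# -sha256 signs the request with SHA-2, as the signing requirement demands.
make_csr() {
  dir="$1"; name="$2"; bits="$3"
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -subj "/C=US/ST=Ohio/L=Cleveland/O=Case Western Reserve University/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
}

# check_csr CSR_FILE: returns 0 if the CSR meets every requirement; otherwise
# prints each violated requirement and returns 1.
check_csr() {
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo "not a CSR: $1"; return 1; }
  rc=0

  # Subject fields, printed in RFC 2253 form (CN=...,O=...,L=...,ST=...,C=...)
  # so the check does not depend on the spacing of the default output format.
  subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
  case "$subject" in *CN=*) ;; *) echo "missing common (server) name"; rc=1;; esac
  case "$subject" in *"O=Case Western Reserve University"*) ;; *) echo "organization must be Case Western Reserve University"; rc=1;; esac
  case "$subject" in *ST=Ohio*) ;; *) echo "state must be Ohio"; rc=1;; esac
  case "$subject" in *L=Cleveland*) ;; *) echo "locality must be Cleveland"; rc=1;; esac

  # Key size: "Public-Key: (2048 bit)" in current OpenSSL,
  # "RSA Public Key: (2048 bit)" in older builds (as in the KBA's sample output).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "key must be 2048 bits or greater (got ${bits:-unknown})"; rc=1
  fi

  # Signing algorithm: SHA1 requests are no longer accepted.
  case "$text" in *"Signature Algorithm: sha1"*) echo "CSR is signed with SHA1"; rc=1;; esac
  return "$rc"
}

# Usage:
#   tmp=$(mktemp -d)
#   make_csr "$tmp" www.example.test 2048
#   check_csr "$tmp/www.example.test.csr" && echo "CSR meets the requirements"
```

Running check_csr on a CSR built with `rsa:1024`, or on one signed with `-sha1`, prints the violated requirement and exits non-zero, so the script can gate an automated request pipeline as well as serve as a manual pre-flight check.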