JANET Server Certificate Service FAQs

Q. What organisations are eligible to join this service?

A. Organisations can check their eligibility for this service.

Q. How much does a certificate cost?

A. JANET will absorb the cost of providing JANET Server Certificates, so at present there will be no charge to JANET customers.

Q. What is the objective of this service?

A. The objective is to provide the education and research community with server certificates that are automatically recognised by web browsers.

Q. What can the certificates be used for?

A. JANET Server Certificates are for educational use only and can be used to provide secure access to, for example, web based email services. It should be noted, however, that JANET Server Certificates cannot be used for commercial transactions. For example they cannot be used to secure credit card transactions or any other request that will result in the transfer of money between people or organisations. Certificates for commercial transactions are available from GlobalSign at a discounted price for servers with addresses in the .ac.uk domain.

Q. How do I join this service?

A. The first step is to send an email to service@ja.net. Eligible organisations will then be referred to the Proxy document. The full process is described here.

Q. I'd like to use generic email addresses for the contacts provided in schedule 1, is that possible?

A. The use of generic email addresses for authorised representatives is not permissible.

Q. Can I apply for this service if my domain name does not belong to a JANET connected organisation?

A. Yes, please see eligibility criteria for further details.

Q. Can I request certificates for *.example.ac.uk?

A. No, we are not permitted to issue wildcard certificates under this service.

Q. What other initial requirements must I meet?

A. Applicants must ensure that their domain name registration is up-to-date with the appropriate domain registry. To check your domain name, we suggest that you check with accredited domain registrars such as:

www.checkdomain.com

www.networksolutions.com

http://www.whois.net

Note: All search engines used to verify domains must be listed with ICANN accredited domain registrars: http://www.icann.org/registrars/accredited-list.html

The database of ccTLD management organisations and pointers to their registries can be consulted at: http://www.iana.org/cctld/cctld-whois.htm

Q. There are three types of certificate offered within the request form, which should I choose?

A. Of the three types, SureServerEDU TLS is regarded as the default type; it supports all general platforms such as email, web, directory services etc. SureServerEDU TLS certificates do not permit the use of an email address within the subject of the CSR. This is the recommended choice.

SureServerEDU TLS emailserver is a specific type used for servers that automatically generate their own messages, such as email alert services - it is not required for standard SMTP/IMAP/POP servers.

The SureServerEDU type is obsolete and we would recommend that this is not used. This type includes the legacy netscape-cert-type extension.

Q. When I submit my certificate request, the challenge email states that I can use a digitally signed email to authenticate the request - what type of signing certificates can be used for this purpose?

A. The certificate used must be of an assurance level equal to or higher than the GlobalSign PersonalSign 2 Pro certificate type. Such certificates offer assurances as to the identity of the individual and also the organisation within which they work. Further details of the GlobalSign PersonalSign 2 Pro certificate can be found on the GlobalSign web pages at:

https://www.globalsign.com/support/personalsign2.html

Q. My browser doesn't appear to recognise the installed certificate, why might this be?

A. The Server Certificate Service uses the GTE CyberTrust Global Root that is installed in the vast majority of browsers by default. In addition to this, the service relies on the Cybertrust Educational CA, which is an intermediate certificate. Therefore, it is important to ensure that your server has the intermediate certificate installed accordingly. The intermediate certificate can be downloaded from:

http://www.terena.org/activities/scs/cacert/sureserverEDU.pem

Q. How can I test that the intermediate certificate has been installed correctly?

A. If the certificate is installed on a webserver, navigate to the appropriate https location and double click on the padlock that appears at the bottom of the browser. Using the browser's certificate viewer to view the details, you should see the certificate hierarchy, with the GTE CyberTrust Global Root at the top, followed by the Cybertrust Educational CA and finally the individual certificate for your server, all linked together.

Alternatively, you may wish to run a simple openssl query such as:

openssl s_client -connect myserver.example.com:443 -showcerts

This query should return the certificate chain held on the server. You should check that the output contains two certificates: the certificate issued for your server and the Cybertrust Educational CA certificate.
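The check described above can be scripted. The following is an added example, not part of the original FAQ or of any JANET tooling: it reads the s_client output and confirms that at least two certificates were sent and that each one is issued by the next. The function names and the sample output (with subject names shortened to the CN only) are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl s_client -showcerts` output on stdin. Passes only if at
# least two certificates were sent and each certificate's issuer (i:)
# equals the subject (s:) of the certificate that follows it.
chain_check() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---$/        { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    END {
      if (n < 2) { print "FAIL: " n " certificate(s) sent, intermediate missing"; exit 1 }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          print "FAIL: certificate " k " is not issued by certificate " (k + 1); exit 1 }
      print "OK: " n " certificates, linked; top issuer: " iss[n - 1]
    }'
}

# Constructed sample output: DNs shortened to CN, PEM bodies omitted.
sample_good() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=myserver.example.com
   i:/CN=Cybertrust Educational CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/CN=Cybertrust Educational CA
   i:/CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
EOF
}
# Constructed: a server that sends only its own certificate.
sample_missing() { sample_good | sed '/^ 1 s:/,/^-----END/d'; }

sample_good | chain_check
sample_missing | chain_check || true
# Live use (host name as on the page):
# openssl s_client -connect myserver.example.com:443 -showcerts </dev/null 2>/dev/null | chain_check
```

A server that also sends the root certificate passes as well, since only the linkage between adjacent certificates is checked; the script does not verify signatures or trust.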

Q. How do I revoke my certificate?

A. You can either revoke it online by following the revocation link provided in the certificate delivery email and using the password that was used at the time of the initial application, or a nominated proxy for your organisation can complete the JANET SCS Certificate Revocation Request form and fax it to 0870 850 2213.
