Requesting a GlobalSign Certificate

Once you have a key pair, you need to send the public key to GlobalSign, along with the DNS name of the server machine to be certified and the name of your institution. You must also prove to GlobalSign that you are a legitimate user of those names. The names and public key are sent as a Certificate Signing Request (CSR) file, which can be generated by openssl:

 openssl req -new -config globalsignreq -key my.key -out my.csr

An example openssl configuration file is available here. This is a slightly modified version of the config file we (EDINA) have used, with our organisation and project names replaced by placeholders for yours. When you run the above command, openssl should prompt you to input the Country Name (default GB), Organisation Name (University of XYZ), Organisational Unit Name (JISC Core Middleware Programme - XYZ Project) and Common Name. The Common Name given MUST be the fully qualified DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk). Openssl may also ask for a "challenge password" and optional company name, both of which are usually left empty (the default).

The name format you use is likely to reflect existing practice in your organisation, which may require changes to the configuration file (e.g., to allow for multiple Organisational Unit elements). In any case, the name must be acceptable to the Head of IT Services (or equivalent) at your institution, who in the next step of the process will be required to sign a letter to GlobalSign agreeing to the certificate request. Make sure the name is exactly what you want: it can't be changed after the certificate is issued.
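As an added example (not the page's own config file or script), the POSIX shell script below writes a constructed stand-in for the globalsignreq file with the four name fields described above, generates a key and CSR with the same openssl command, and then checks the CSR before it is submitted: the request's self-signature must verify and the Common Name must be exactly the fully qualified server name. The config contents, the hostname shibbox.uni.ac.uk and the function names are assumptions; prompt = no is used so the script runs unattended, whereas the page's own config prompts for each field.

```shell
#!/bin/sh
# Added example, not part of the original page: build a CSR from a config file
# and check it before sending it to GlobalSign.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed stand-in for the page's "globalsignreq" config. prompt = no makes
# openssl take the DN from the file instead of asking interactively.
write_config() {
  cat > "$WORKDIR/globalsignreq" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C  = GB
O  = University of XYZ
OU = JISC Core Middleware Programme - XYZ Project
CN = shibbox.uni.ac.uk
EOF
}

# $1 = key file to create, $2 = CSR file to create
make_csr() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -config "$WORKDIR/globalsignreq" -key "$1" -out "$2"
}

# Print the Common Name from the CSR's subject
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# $1 = CSR file, $2 = expected FQDN. Succeeds only if the CSR's self-signature
# verifies and its CN is exactly the fully qualified server name.
check_csr() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "CSR signature does not verify" >&2; return 1; }
  cn=$(csr_cn "$1")
  case "$cn" in *.*) ;; *) echo "CN '$cn' is not fully qualified" >&2; return 1 ;; esac
  [ "$cn" = "$2" ] || { echo "CN is '$cn', expected '$2'" >&2; return 1; }
}

write_config
make_csr "$WORKDIR/my.key" "$WORKDIR/my.csr"
check_csr "$WORKDIR/my.csr" shibbox.uni.ac.uk && echo "CSR OK: $(csr_cn "$WORKDIR/my.csr")"
```

The same check_csr test is worth running on the CSR actually sent off, since the Common Name cannot be changed once the certificate has been issued.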

Once you have made the Certificate Signing Request file, it must be submitted to GlobalSign. The procedure to follow is given at http://www.ja.net/cert/web/globalsign.html. Note that this procedure requires you to send, in addition to the certificate request forms printed out during the application process and signed by the head of IT, a cover letter on the institution's letterhead. This letter should be signed by the same person, and should state that this person is entitled to act for the institution. The letter replaces the "proof of your company's legal status" requested at the end of the online process. GlobalSign's suggested wording is:

This letter is to confirm that I, Mister XXX, Head of XXXXX department,
for the purpose of purchasing ServerSign Certificates, am authorised to
bind legally XXXX University.

They also request that the letter should be accompanied by this person's business card, if possible. The following alternative form of words has also worked for us:

This is to endorse the attached certificate requests for domain names xxx
and yyy. These domain names are registered to the University of zzz.

After you receive the signed certificate back from GlobalSign, the next step is to apply to join the federation as described at JoinFederation.

Root Certificates

As well as your own certificate you will also need to download a copy of GlobalSign's "root certificate chain" from http://support.globalsign.net/en/serversign/root_install_ap.cfm (follow the secureroots_new.crt link). This is in the PEM format used by Apache. Shibboleth itself gets the root certificates of the CAs accepted by the federation out of its metadata file, which you will download during federation setup.