Requesting an SDSS CA Certificate
Note that SDSS certificates are normally issued only to SDSS staff or to staff engaged on JISC-funded core middleware projects. Please contact the SDSS team (via the EDINA helpdesk, edina@ed.ac.uk) if you wish to acquire an SDSS certificate but do not fall into either of these categories.
Given a key pair, to obtain a server certificate from the SDSS CA you must first generate a Certificate Signing Request (CSR) file. The CSR contains the server's public key and the name of the server and is signed with the corresponding private key, which stays on your server and is never sent to the CA. The CSR can be generated using openssl:
openssl req -new -config sdsscareq -key my.key -out my.csr
The suggested configuration file is available here. Using this, openssl will prompt for Country Name (default GB), Organisation Name (JISC Core Middleware Programme), Organisational Unit and Common Name fields. These must be filled in as follows:
- Country Name: GB
- Organisation Name: JISC Core Middleware Programme (note spelling)
- Organisational Unit: XYZ Project (where XYZ is the acronym for your project)
- Common Name: fully qualified DNS name of Shibboleth server (e.g., shibbox.uni.ac.uk)
If the Country Name or Organisation Name differs from the values above, the request will be rejected. Openssl may also ask for a "challenge password" and an optional company name; both are usually left empty (the default). The challenge password is an attribute embedded in the CSR itself, not a passphrase protecting your private key, so leaving it empty has no effect on the key.
The sdsscareq configuration file is provided mainly as a convenience. You may alternatively omit "-config sdsscareq" from the openssl command and use your site's default configuration. In that case, supply only the fields listed above, and give the Organisation Name exactly as spelled (case is significant). If prompted for other fields (e.g., Locality Name, State or Province Name), enter '.' to suppress them.
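The whole CSR step above, as an added example rather than the sdsscareq file or any script from the SDSS pages: a POSIX shell script that generates the key pair and an SDSS-style CSR without prompting, then checks the request the way the CA is stated to (Country Name and Organisation Name must match exactly, case included) and that the Common Name looks like a fully qualified DNS name. The req configuration it writes is an assumed equivalent of sdsscareq; the project acronym XYZ and the host shibbox.uni.ac.uk are the page's own placeholders; it assumes openssl is on PATH and an RSA key.

```shell
#!/bin/sh
# Added example; not the SDSS page's own sdsscareq file or script.
# Generates the key pair and an SDSS-style CSR non-interactively, then runs
# the checks the CA is stated to apply (C and O exact, case-sensitive) plus a
# self-signature check before the CSR is e-mailed. Assumes openssl in PATH.
# The config written below is an assumed equivalent of the page's sdsscareq.
set -eu

# Write a req config with prompt=no so the DN comes from the file, not prompts.
# $2 is the project acronym (the page's "XYZ"), $3 the server's FQDN.
write_sdss_req_config() {
  cfg="$1"; project="$2"; host="$3"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = sdss_dn
prompt = no

[ sdss_dn ]
C  = GB
O  = JISC Core Middleware Programme
OU = $project Project
CN = $host
EOF
}

# Generate a 2048-bit RSA private key (it stays on the server) and the CSR.
make_sdss_csr() {
  dir="$1"; project="$2"; host="$3"
  write_sdss_req_config "$dir/sdsscareq" "$project" "$host"
  openssl genrsa -out "$dir/my.key" 2048 2>/dev/null
  openssl req -new -config "$dir/sdsscareq" -key "$dir/my.key" -out "$dir/my.csr"
}

# Subject of a CSR as one RFC 2253 line (most specific RDN first), e.g.
# CN=shibbox.uni.ac.uk,OU=XYZ Project,O=JISC Core Middleware Programme,C=GB
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# True if the subject line $1 contains exactly the RDN $2 (e.g. "C=GB") as a
# whole component; whole-component matching rejects "Programmes" for "Programme".
has_rdn() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Pre-flight check. Returns 1 with a message on the first problem found.
check_sdss_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR self-signature does not verify (wrong or corrupt key?)"; return 1; }
  subj=$(csr_subject "$csr")
  has_rdn "$subj" "C=GB" \
    || { echo "Country Name must be GB: $subj"; return 1; }
  has_rdn "$subj" "O=JISC Core Middleware Programme" \
    || { echo "Organisation Name misspelled or wrong case: $subj"; return 1; }
  cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  case "$cn" in
    *.*) ;;
    *) echo "Common Name should be the server's fully qualified DNS name: '$cn'"; return 1 ;;
  esac
  echo "CSR looks acceptable: $subj"
}

# Usage: sh make-sdss-csr.sh XYZ shibbox.uni.ac.uk   (run in an empty directory)
if [ "${1:-}" ] && [ "${2:-}" ]; then
  make_sdss_csr "$(pwd)" "$1" "$2" && check_sdss_csr "$(pwd)/my.csr"
fi
```

Running it writes my.key, sdsscareq and my.csr into the current directory and prints the subject it will be sending. Only my.csr goes in the e-mail; my.key stays on the server. The check functions can also be run against a CSR produced interactively with the page's own sdsscareq, since they inspect only the finished request.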
Once you have the CSR file, please send an e-mail to edina@ed.ac.uk containing:
- A request to forward the message to the SDSS project team
- The CSR file, my.csr (either as an attachment or cut and pasted); send only the CSR, never the private key file
- The name and phone number of your project manager
Within a few days, a member of the SDSS team will phone the project manager to verify the details in the certificate request. If this is successful, the certificate will be issued and e-mailed to you. After you receive the signed certificate back from us, the next step is to apply to join the federation as described at JoinFederation.
Root Certificates
Additionally, you will need to download a copy of the SDSS CA's "root certificate" from http://www.sdss.ac.uk/ca/sdss-ca.crt. This is in the PEM format used by Apache. Shibboleth itself gets root certificates out of the sdss-trust.xml metadata file, which you will download during federation setup.
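Two checks worth running on the certificate the CA e-mails back before installing it alongside the downloaded root: that it verifies against the root certificate, and that it carries the public key belonging to the private key the CSR was generated from. The following POSIX shell script is an added example, not from the SDSS pages; it assumes openssl on PATH. The throwaway root CA it builds is a constructed stand-in for the SDSS CA so that the script runs offline; in real use the root is sdss-ca.crt and the issued certificate is the one returned to you.

```shell
#!/bin/sh
# Added example; not from the SDSS page. Checks a certificate the CA has
# e-mailed back before it is installed: (1) it must chain to the root
# certificate you downloaded, (2) it must contain the public key matching the
# private key the CSR was generated from. Assumes openssl in PATH. The
# throwaway root CA below is a constructed stand-in so the script runs
# offline; in real use the root is sdss-ca.crt and the issued certificate is
# the one returned to you.
set -eu

# Minimal req config so nothing here depends on a system openssl.cnf; the
# subject is always passed with -subj, and ca_ext marks the stand-in root as a CA.
write_min_req_cfg() {
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    'x509_extensions = ca_ext' '[ dn ]' 'CN = placeholder' '[ ca_ext ]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' > "$1"
}

# Constructed stand-in for the SDSS CA: self-signed root in $1/root.crt.
make_test_root() {
  dir="$1"
  write_min_req_cfg "$dir/req.cfg"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$dir/req.cfg" -key "$dir/root.key" -days 1 \
    -subj "/C=GB/O=Stand-in Root/CN=Stand-in Root CA" -out "$dir/root.crt" 2>/dev/null
}

# Stand-in for the CA's signing step that follows the phone verification.
issue_with_test_root() {
  dir="$1"; csr="$2"; out="$3"
  openssl x509 -req -in "$csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -out "$out" 2>/dev/null
}

# Check 1: does the issued certificate verify against the downloaded root?
# $1 root PEM (sdss-ca.crt), $2 issued certificate PEM.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: is the public key in the certificate the one from our private key?
# Compares SHA-256 of the DER SubjectPublicKeyInfo from each side, which works
# for RSA and non-RSA keys alike.
spki_fingerprint_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
spki_fingerprint_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}
cert_matches_key() {  # $1 certificate PEM, $2 private key PEM
  [ "$(spki_fingerprint_of_cert "$1")" = "$(spki_fingerprint_of_key "$2")" ]
}

# Usage: sh check-issued.sh sdss-ca.crt my.crt my.key
if [ $# -eq 3 ]; then
  verify_chain "$1" "$2" || { echo "$2 does not chain to $1"; exit 1; }
  cert_matches_key "$2" "$3" || { echo "$2 does not match $3"; exit 1; }
  echo "$2 chains to $1 and matches $3"
fi
```

A chain failure usually means the wrong root file (or a corrupted download); a key mismatch means the certificate was issued for a different CSR than the one generated from my.key, and Apache will refuse to start with that pair.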