Carnegie Mellon

CMU Certificate Authority


    Certificate Authority (CA) Service

    Do you need a certificate for a server in the ECE, CS, or PSC domain? Computing Services has issued intermediate ("signing") certificates to representatives of each of these domains. You can request one for your ECE, CS, or PSC web server today.

    Introduction

    The Carnegie Mellon University Certificate Authority (CA) issues and manages security credentials and public keys for the encryption of Internet network traffic.

    Qualifying web servers can receive a certificate that takes advantage of the university's public key infrastructure (PKI), in particular the widespread deployment of the CMU CA Server certificate, which uses the RSA algorithm and a key length of 1,024 bits.

    (Lost? Perhaps you are looking to download the CMU CA Server certificate for your personal use.)

    Why you might want a certificate

    There are typically two reasons that motivate a campus web developer to deploy our CA-signed digital certificate. The first reason is to provide encrypted transactions via HTTPS (HTTP over SSL/TLS). It is unwise and potentially irresponsible to host a web service that invites the transmission of confidential information unencrypted across the network. Unencrypted (plaintext) traffic is easily snooped by anyone on the campus network with the desire and a basic knowledge of computer networking. Use of a digital certificate and the SSL/TLS protocol provides a convenient way to contain this threat using a protocol and cryptosystem that is native to nearly every browser and platform.

    The second common motivator for using a digital certificate is to provide trust management by means of the credentials carried by the certificate. A certificate carries with it credentials signed (verified and mastered) by Carnegie Mellon University Computing Services. This means that by issuing a certificate, the university asserts that the web server in question is a registered machine on the university network. The user is therefore guaranteed that the web service he or she is accessing is indeed one hosted by a machine on the campus network.

    Important! No other assertion about the service can be implied from the knowledge that Carnegie Mellon University has signed a digital certificate. This signature asserts only that the web server is a registered machine on the campus network. It is still possible that the web service has offensive, illegal, and/or malicious intent.

    Some examples of services that use digital certificates include NetReg, University Directory, and others.


    Support Statement

    To qualify for a CMU CA signed digital certificate, all of the following conditions must be met:

    1. You must agree and conform to the Computing Code of Ethics. Take special note of the Privacy section.

    2. You must agree and conform to the Network Protocol Guidelines.

    3. The server must be in a cmu.edu domain.

    4. The server cannot be in res.cmu.edu.

    5. If you are a student, you must have a faculty sponsor willing to submit the request on your behalf. Your certificate will expire in one semester.

    Computing Services supports certificate request and installation tasks on Andrew Apache. Best-effort advice and recommended third-party documentation are provided for other web servers.


    How to request a certificate

    If you meet the above requirements, the next step is to request a certificate for your web server.


    How to install your certificate

    Have you received your signed certificate? The final step is to install your certificate.


    How to get help

    Computing Services supports the CMU CA service according to the support statement above. If you have a problem, it will be our pleasure to assist you. Please contact the CA at certificate-authority@andrew.cmu.edu for assistance.


    Further Reading

    SSL

  • What is SSL? (RSA Security, Inc.)
  • The SSL Protocol Version 3.0 (the original IETF specification)
  • Anatomy of a SSL handshake (Network Computing)
  • OpenSSL Project

    Digital Certificates

  • What is a digital certificate? (searchSecurity.com)

    Cryptography

  • What is public-key cryptography? (RSA Security, Inc.)
  • Public vs. private-key cryptography (RSA Security, Inc.)
  • Hash functions (RSA Security, Inc.)

    X.509

  • Internet X.509 Public Key Infrastructure Certificate and CRL Profile



    Carnegie Mellon Certificate Authority
    is a service of Carnegie Mellon University Computing Services

    ©2001 Carnegie Mellon University