Getting a certificate
This page contains information about how to apply for a certificate to protect your service.
If you are a web server administrator or someone who is managing a service that requires an X.509 certificate, you may submit a certificate request to us and we will sign it with the University Certificate Authority (CA or root) certificate and/or request it be signed by the JISC Certificate Service. Your users will then be able to use your secured service without having to go through the manual process of installing your certificate.
We can only provide certificates for members of the University of Edinburgh and only for hosts and domains owned and registered to the university or providing hosted services to the university.
Different types of certificate
There are four different types of certificate that you can use. They are as follows:
Self-certification is easy to do for the system administrator as it means that the certificate signs itself and the administrator can install the certificate quickly without waiting for a certificate authority to sign it. However, users will be challenged to refuse or accept the certificate the first time they use the site. You would typically uses these just for development or testing. This doesn't require any certificate authority.
University of Edinburgh signed certificate
You may apply for one from Information Services and then it is very similar to the self-signed certificate except that if the user has gone through the one-off acceptance of the University of Edinburgh Certificate Authority certificate, they will not be prompted to accept your new one. Internally facing web services, and the authentication between your web service and the EASE authentication service use these certificates. Public-facing websites may also use these though this will generate browser warnings if the University CA certificate has not been pre-loaded into the user's browser and we therefore do not recommend their use for this.
JISC Certificate Service (Sectigo certificates)
JISC have made available certificates signed by Sectigo CA (Comodo) for the academic community (previously this service was tendered from TERENA with Comodo CA and then by QuoVadis CA) to secure websites, other host-based services and includes code and document sigining and end user certificates for email signing/encryption. Browsers already know about the CA and so will not be prompted to accept them. This is the best option to choose for public-facing web services.
Certificates for wildcards, single domains and for Subject Alternative Names are issued free of charge for up to one year period and can be used for any purpose including financial transactions. ISG absorbs the cost for this service and so there is no charge for it to service owners.
Verisign, Globalsign, QuoVadis, Sectigo and other Certificate Authorities are other certification authorities similar to the JISC service. These authorities charge for issuing certificates but you may use them for any purpose including code-signing and document signing and financial transactions.
Applying for a certificate
To apply for a certificate to be signed by a certificate authority you need to create a certificate signing request (CSR). This will generate a private key file and the CSR. You send the CSR to the authority, they sign it and return the public key part of the certificate to you.
Creating a CSR file
This guidance page describes the process of creating a valid certificate signing request (CSR) for submitting to be signed by any certificate authority.
Applying for a University or JISC (Sectigo) certificate
To apply for a University certificate or a Sectigo certificate from the JISC Certificate Service complete the following form. You will need to provide a Certificate Signing Request (CSR). You should also provide a contact email address that will be used to inform you when the certificate is due to expire. We recommend you use a functional mail account or alias or a mailing list for this purpose so that expiry messages do not go to named individuals who may no longer be in the role when the certificate expires.
On submission of the certificate request to the certificate authority the certificate request will be checked for validity. Assuming it is ok, the certificate will be signed and emailed back to you. Sectigo certificates will come in a zip file containing your signed certificate and other certificates. This will be emailed directly to the contact address you supply from the Sectigo service. These other certificates are needed to validate your certificate and should be included in your certficate chain file or certificate authority directory of the software you are using. A university signed certificate will not come with the equivalent certificate authority certificate for validation but this can be downloaded from this website by following the link to the pages for installing the university CA certificate.
Applying for a commercial certificate
To apply for a commercial certificate contact the Certificate Authority directly. For example: