Getting a certificate
This page contains information about how to apply for a certificate to protect your service.
If you are a web server administrator or someone who is managing a service that requires an X.509 certificate, you may submit a certificate request to us and we will sign it with the University Certificate Authority (CA or root) certificate and/or request it be signed by the Jisc Certificate Service. Your users will then be able to use your secured service without having to go through the manual process of installing your certificate.
We can only provide certificates for members of the University of Edinburgh and only for hosts and domains owned and registered to the university or providing hosted services to the university.
Different types of certificate
There are four different types of certificate that you can use. They are as follows:
Self-certification is easy to do for the system administrator as it means that the certificate signs itself and the administrator can install the certificate quickly without waiting for a certificate authority to sign it. However, users will be challenged to refuse or accept the certificate the first time they use the site. You would typically uses these just for development or testing. This doesn't require any certificate authority.
Jisc Certificate Service (Sectigo certificates)
Jisc have made available certificates signed by Sectigo CA (Comodo) for the academic community to secure websites, other host-based services and includes code and document signing, and end user certificates for email signing/encryption. Browsers trust the CA and so this is the best option to choose for public-facing web services.
Certificates for wildcards, single domains and for Subject Alternative Names are issued free of charge for up to one year period and can be used for any purpose including financial transactions. ISG absorbs the cost for this service and so there is no charge for it to service owners.
University of Edinburgh signed certificate
You may apply for one from Information Services and then it is very similar to the self-signed certificate except that if the user has gone through the one-off acceptance of the University of Edinburgh Certificate Authority certificate, they will not be prompted to accept your new one. These may be used on internal systems, for example to secure communications between your web service and the EASE authentication service. Public-facing websites should not use these as browsers will refuse to connect if the University CA certificate has not been pre-loaded into the user's browser.
Verisign, Globalsign, QuoVadis, Sectigo and other Certificate Authorities are other certification authorities similar to the Jisc service. These authorities charge for issuing certificates but you may use them for any purpose including code-signing, document signing and financial transactions.
Applying for a certificate
To apply for a certificate to be signed by a certificate authority you need to create a certificate signing request (CSR). This will generate a private key file and the CSR. You send the CSR to the authority, they sign it and return the public key part of the certificate to you.
Creating a CSR file
This guidance page describes the process of creating a valid certificate signing request (CSR) for submitting to be signed by any certificate authority.
Applying for a University or JISC (Sectigo) certificate
To apply for a University certificate or a Sectigo certificate from the JISC Certificate Service complete the following form. You will need to provide a Certificate Signing Request (CSR). You should also provide a contact email address that will be used to inform you when the certificate is due to expire. We recommend you use a functional mail account or alias or a mailing list for this purpose so that expiry messages do not go to named individuals who may no longer be in the role when the certificate expires.
On submission of the certificate request to the certificate authority the certificate request will be checked for validity. Upon approval, the certificate will be signed and emailed back to you. Sectigo certificates will come in a zip file containing your signed certificate and other certificates. This will be emailed directly to the contact address you supply from the Sectigo service. These other certificates are needed to validate your certificate and should be included in your certificate chain file or certificate authority directory of the software you are using. A university signed certificate will not come with the equivalent certificate authority certificate for validation but this can be downloaded here.
Applying for a commercial certificate
To apply for a commercial certificate contact the Certificate Authority directly. For example: