What is required to add SSL encryption to a customised URL?
The instructions for enabling SSL encryption with a customised URL are as follows:
1. YOU provide us with the information required to create a Certificate Signing Request (CSR)
2. We generate the CSR and send it to you
3. YOU buy the SSL certificate and upload it using a secure upload facility (details will be emailed to you in step 2)
4. We install the certificate and then email you an IP address
5. YOU create the DNS record for your domain so that it points to the IP address we provided
6. We finalise the setup and configure BOS to use your custom URL and SSL
Any deviation from the above process (such as you buying the SSL certificate without us supplying a CSR) can lead to delays and additional work on our part. If additional work is required we reserve the right to charge for this on a time/materials basis.
Information required to create the Certificate Signing Request
In order to buy the SSL certificate, you will need a Certificate Signing Request (CSR) which was created against a server key. We will create this for you (at no extra charge), but will need the following information from you:
(Note: We provide the first CSR at no charge, but reserve the right to make an administrative charge for replacement or reissuing of CSRs. To minimise the risk of being charged, please check any organisational guidelines before supplying this information and retain the CSR for future certificate renewals)
Country Name (2 letter code) [GB]:
State or Province Name (full name) [e.g. Poppleshire]:
Locality Name (eg, city) [e.g. Poppleton]:
Organization Name (eg, company) [e.g. University of Poppleton]:
Organizational Unit Name (e.g. section) [eg, ILRT]:
Common Name (eg, YOUR name) [e.g. www.survey.poppleton.ac.uk]:
Email Address [e.g. survey@poppleton.ac.uk]:
The email address is important - this can be the administrator for the BOS account at your institution, but it is often better to use a shared email address. The address will receive all certificate postings (including renewal details) so having the messages go to more than one person is desirable should the original contact leave.
If you are using the JANET service, there is no need to supply an email address but please let us know that you are using the JANET service when you provide the above information.
So, to recap, although we prefer you to buy the actual SSL certificate, if we create the CSR and server key, the process is often smoother for all concerned.
Purchasing an SSL certificate
A certificate will need to be purchased for your domain. We normally suggest that you do this but we can manage this process for an additional charge.
While we don't recommend any particular supplier of certificates, the following Certificate Authorities should be able to provide a good service:
www.thawte.com
www.verisign.com
We also support certificates created using the JANET Server Certificate Service:
http://www.ja.net/services/scs/index.html
After purchase, the certificate needs to be installed on our Apache Web server.
When purchasing the certificate you may be asked for the operating system and/or Web server software the certificate will be used with (sometimes this is phrased as "what program was used to generate the CSR?"). If so, you should state: ApacheSSL (sometimes this is listed as: Apache mod_ssl) and that the operating system is Linux.
Once the certificate has been purchased we will then need the certificate (and the server key if you have not used our preferred process of us supplying a CSR) and any Chained SSL certificates (if appropriate). Please do not email the files to us; instead upload the files to a secure location as specified by us.
Creating the DNS records
Once we have received the SSL certificate from you we will ask you to set up an 'A record' in your DNS to resolve to our server's IP address.
We will send you the correct IP address (after you have sent us the certificate) and then someone responsible for setting up the DNS records at your institution will need to add the 'A record'.
Once this has been done please let us know and we will finalise the installation.
How long does the process take?
Our steps can usually be accomplished quickly and we aim for a maximum of a 24 hour turnaround on each of our requirements in this process (steps 2, 4 and 6), assuming the request occurs during the working week.
In our experience the longest delays almost always occur in one or more of the following areas:
- Supplying information for us to generate the CSR
- Client buying the SSL certificate
- Client creating the A record
- The time taken for the DNS changes to propagate
The setup can usually be accomplished in a day or two but is client dependent.
Can we use a CNAME instead of an A record?
No, we do not support any other setup than that outlined.
In addition, the BOS support team will not provide technical advice regarding any proposed setup that deviates from the supported arrangement outlined. Should an institution create a setup that differs from our supported setup then the BOS service makes no guarantees, nor offers warranties, that the setup will continue to work or that any subsequent changes to BOS will not affect the institution's setup. Institutions choosing to adopt a different setup do so at their own risk and in the knowledge that this is not supported by BOS and no assistance will be provided.
Important note on administration charges:
When you come to renew your SSL certificate we won't make any further charge as long as the details used to generate the CSR have not changed. If we need to issue you with a new CSR then we will charge an administrative fee of £50 + VAT per instance.
It is your responsibility to monitor when your SSL certificate expires, and to replace it when necessary. Should you allow your certificate to expire then we reserve the right, after appropriate warning, to continue to provide encryption for respondents by removing the setup for a custom URL from your account. We can reinstate the custom URL set up for you once you have obtained a valid SSL certificate. However, we will charge a separate admin fee of £50 + VAT to do so.
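The checks below are an added example, not part of the BOS service or its documentation. They show how a customer could confirm, before uploading, that the purchased certificate was issued against the CSR they were sent, that it names the custom URL, and that it is not close to expiry (the same expiry check can be scheduled for ongoing monitoring). The file names, the `preflight` function name and the 30-day window are assumptions; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example: customer-side checks on an issued certificate.
# File names and the 30-day renewal window are assumptions.

# SHA-256 of the public key inside a CSR ($1 = req) or certificate ($1 = x509).
pubkey_hash() {
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# True if certificate $2 carries the same public key as CSR $1, i.e. the CA
# issued it against the supplied CSR and it will pair with the server key.
cert_matches_csr() {
    [ "$(pubkey_hash req "$1")" = "$(pubkey_hash x509 "$2")" ]
}

# True if certificate $1 covers hostname $2 (SAN, or CN when no SAN exists).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks; prints one line per finding, returns non-zero on any failure.
preflight() {  # $1 = CSR, $2 = certificate, $3 = custom hostname
    rc=0
    cert_matches_csr "$1" "$2"   || { echo "FAIL: key differs from CSR"; rc=1; }
    cert_covers_host "$2" "$3"   || { echo "FAIL: not issued for $3"; rc=1; }
    cert_valid_for_days "$2" 30  || { echo "WARN: expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 is ready to upload"
    return "$rc"
}

# Example: sh preflight.sh survey.csr survey.crt www.survey.poppleton.ac.uk
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```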
