City University of Hong Kong
Central Web Hosting
Service provided by Central IT
City University of Hong Kong
Central Web Hosting
Service provided by Central IT

Purchase a SSL Web Server Certificate

Secure the web content / application

The primary reason for using SSL (https://) is to keep sensitive information such as username/password and credit card information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. If it is not encrypted with an SSL certificate, any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves. In addition to encryption, a SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server.

Purchase a SSL Web Server Certificate

You will be charged for the cost of the SSL Certificate. The cost for a certificate is about HK$700 for 1 year (subjected to review every year).

You can submit a Software License Request in Service portal to ask CSC to help to purchase a SSL web server certificate for your departmental web server(s). Upon receiving the request, you will be contacted to provide the Certificate Signing Request (CSR).

Purchase a SSL Wildcard Web Server Certificate

Wildcard certificate, for example, *.cb.cityu.edu.hk will secure www.cb.cityu.edu.hk, www2.cb.cityu.edu.hk, and any other subdomain of cb.cityu.edu.hk.

Advantages of SSL Wildcard Certificate

  • Secures unlimited sub-domains
  • Cheaper if secure many sub-domains
  • Easier to manage

Disadvantages of SSL Wildcard Certificate

  • Security issue, if you only use one certificate and private key on multiple servers, it only takes one server to be compromised and all of the others will be vulnerable as well.
  • Mobile device compatibility, some popular mobile device operating systems may not recognize the wildcard character (*) and therefore can't use a wildcard certificate.

The cost for a certificate is about HK$7,000 for 1 year (subjected to review every year)

Phasing out of SHA1 algorithm

Starting from 1 Jan 2016 no Certificate Authorities should issue SHA1 algorithm certificates and major browsers (IE, Chrome, Firefox) will not support SHA1 algorithm certificate after 01 Jan 2017. From now on all SSL certificates will generate with SHA2 algorithm. Please make sure your server is compatible with SHA2 algorithm before procurement.

Generating the Certificate Signing Request (CSR)

Followings are the steps to generate the Certificate Signing Request (CSR) for

  • Microsoft Internet Information Server (IIS7 or above)
  • Microsoft Internet Information Server (IIS6)
  • Sun Java System Web Server (previously named as Sun One Web Server or iPlanet Web Server)
  • Apache web server

1. Microsoft Internet Information Server (IIS7 or above)

  1. In Internet Information Services Manager, double click on "Server Certificates".
  2. Click on "Create Certificate Request" on the right column of "Actions".
  3. Type in the following information with the exact wording except the Organization Unit and Common Name.
    • Common Name : www.cityu.edu.hk
    • Organization : City University of Hong Kong
    • Organizational Unit : Computing Services Centre
    • City/Locality : Kowloon Tong
    • State/Province : Hong Kong
    • Country/Region : HK
  4. Select bit length "2048" in the dropped down list and then click Next.
  5. Click Next and then type in a name for the certificate.
  6. Type in a filename to store the certificate request.
  7. Send the CSR file to e-Services Section ofComputing Services Centre.

2. Microsoft Internet Information Server (IIS6)

  1. In Internet Information Services Manager, right click on the web server and then select "Properties".
  2. Click on the tab "Directory Security".
  3. Click on "Server Certificate" button.
  4. Select "Create a new certificate".
  5. Click Next and then type in a name for the certificate.
  6. Select bit length "2048" in the dropped down list and then click Next.
  7. Type in the following information with the exact wording except the Organization Unit and Common Name.
    • Organization : City University of Hong Kong
    • Organizational Unit : Computing Services Centre
    • Common Name : www.cityu.edu.hk
    • Country/Region : HK
    • State/Province : Hong Kong
    • City/Locality : Kowloon Tong
  8. Type in a filename to store the certificate request.
  9. Send the file to e-Services Section of Computing Services Centre.

3. Sun Java System Web Server (Sun One Web Server, iPlanet Web Server)

i) Creating a Certificate Trust Database (first time only)

A certificate database is a key-pair and certificate database installed on the host. In Sun Java System Web Server, each server instance (including the Administration Server) has its own certificate/key pair which is referred to as a trust database.

A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

To create the certificate trust database, perform the following steps:

  1. Access the Administration Server and click on the "Security" tab.
  2. Click on "Create Database".
  3. Type the password in Database Password.
  4. Re-type the password in Password (again).
  5. Click OK.

ii) Generating a Certificate Signing Request (CSR) for the web server

To generate a certificate request, perform the following steps:

  1. Access the target web server and click on the "Security" tab.
  2. Click the "Request a Certificate".
  3. In the form shown, specify if this is a new certificate or a certificate renewal.
  4. Click "CA Email Address" and type in your email address. The CSR will then send to your email account.
  5. Type the password for your key-pair file. This is the same password you specified when you created the trust database in Creating a Certificate Trust Database.
  6. Select bit length "2048".
  7. Type in the following information with the exact wording except those in purple.
    • Requestor name : Mr. Chan Tai Man
    • Telephone number : +852 34421122
    • Common Name : www.cityu.edu.hk
    • Email Address : so-easy@cityu.edu.hk
    • Organization : City University of Hong Kong
    • Organizational Unit : Computing Services Centre
    • Locality : Kowloon Tong
    • State or Province : Hong Kong
    • Country : HK
    Click the "OK" button and the CSR will be generated
  8. Copy the CSR and then send to e-Services Section of Computing Services Centre.

4. Apache Web Server

  1. Install OpenSSL if not on the server yet and add it to PATH
  2. Generate a private key
    • cd <directory where key, csr, certificate will be stored>
    • openssl genrsa -out server.key 2048

A 2048 bit RSA private key is generated and stored in the file server.key. Backup and well protected the key file. Purchased SSL certificate has to be used together with this private key file.

  1. Generate the corresponding CSR
    • openssl req -new -key server.key -out server.csr
    • Country Name: HK
    • State: Hong Kong
    • Locality: Kowloon Tong
    • Organization Name: City University of HongKong
    • Organizational Unit Name: Computing Services Centre
    • Common Name: www.cityu.edu.hk
    • Leave it blank for the fields Email Address, Challenge Password and Optional Company Name.

The CSR is stored to file server.csr

  1. Send the file to e-Services Section of Computing Services Centre.