

SSL (Secure Sockets Layer) is a protocol for secure transmission of data over the Internet. SSL encrypts all data sent between the web browser and the web server, and digital keys are used to make sure the data reaches the intended recipient.

Recipe for ordering and use of SSL-certificates (Uninett)

UiO is authorized to issue certificates under the domain

Get started

You need:

  • OpenSSL 0.9.X or newer

All instances of '' in the text should be replaced with the name/URL the certificate is for. For this we need the fully qualified domain name (FQDN), e.g. or

Important: If you copy the contents of the CSR file in Windows after creating it on a *nix computer, you must use Wordpad and not Notepad.

Generating the key and the CSR

Start by creating the .cnf file. A typical example would be:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes

[ dn ]
C = NO
L = Oslo
O = Universitetet i Oslo
CN =

In [req] you can set default_bits higher, but beware that some services have problems with very large key sizes. 2048 is a safe choice.

Here you need to change OU and CN.
OU is the Organizational Unit and CN is the Common Name, i.e. the domain name ('' in our example).

If you are ordering a certificate for multiple DNS names (aliases), the .cnf file needs to be extended:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
utf8 = yes
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[ dn ]
C = NO
O = Universitetet i Oslo
CN =

[ alt_names ]
DNS.0 =
DNS.1 =

Change OU and CN as in the previous example. CN should be the same as DNS.0; in addition we have DNS.1 as an alias. If you need more aliases, add DNS.2, DNS.3 and so on under [ alt_names ].

Then you create an RSA key and a CSR (Certificate Signing Request) with OpenSSL. Save all files in a place you can find again. You do not need to create the key and CSR on the same machine that the certificate is for.

/local/bin/openssl req -new -config -keyout -out
Generating a 2048 bit RSA private key
writing new private key to ''

Next we need to protect the private key. Choose a secure passphrase and remember it; it can be changed later if you remember the old one. Take a backup of the key file.

/local/bin/openssl rsa -in -des3 -out
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The encrypted key will be stored as

You can view the key in cleartext with:

/usr/bin/openssl rsa -noout -text -in
...[lots of output]

Do not save the private key in cleartext.

You should now make sure that you have a proper backup of the private key.
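The key and CSR steps above, as an added example that is not part of the original page: it writes a SAN request config of the kind shown above (including the [ alt_names ] section), creates the key and CSR, checks the CSR before it is pasted into the order form, and passphrase-protects the key. The hostnames used are constructed placeholders, and the passphrase is assumed to be supplied in the KEY_PASS environment variable.

```shell
#!/bin/sh
# Added example (not from the UiO page): write a SAN request config like the
# one above, create the key and CSR, check the CSR before ordering, then
# encrypt the key. Hostnames passed in are constructed placeholders.
set -eu

# Write the .cnf. OpenSSL needs the [ alt_names ] section that
# "subjectAltName = @alt_names" refers to; the CN is repeated as DNS.0.
write_cnf() {
  # $1 = output file, $2 = CN (also DNS.0), remaining args = aliases
  out=$1; cn=$2; shift 2
  {
    printf '[ req ]\ndefault_bits = 2048\nprompt = no\nencrypt_key = no\n'
    printf 'default_md = sha256\ndistinguished_name = dn\nutf8 = yes\n'
    printf 'req_extensions = v3_req\n\n[ v3_req ]\nsubjectAltName = @alt_names\n\n'
    printf '[ dn ]\nC = NO\nO = Universitetet i Oslo\nCN = %s\n\n' "$cn"
    printf '[ alt_names ]\nDNS.0 = %s\n' "$cn"
    i=1
    for alias in "$@"; do printf 'DNS.%d = %s\n' "$i" "$alias"; i=$((i + 1)); done
  } > "$out"
}

# Same step as the page's "openssl req -new": $1 = cnf, $2 = key out, $3 = CSR out.
make_csr() {
  openssl req -new -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# What to confirm before sending the CSR: sha256 signature, 2048-bit key,
# the CN listed among the SANs, and a CSR whose self-signature verifies.
check_csr() {
  txt=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'sha256WithRSAEncryption' || return 1
  printf '%s\n' "$txt" | grep -q 'Public-Key: (2048 bit)' || return 2
  cn=$(printf '%s\n' "$txt" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p' | head -n 1)
  printf '%s\n' "$txt" | grep -qF "DNS:$cn" || return 3
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 4
}

# Passphrase-protect the key (the page uses -des3; aes256 is the stronger
# choice today) and fail if the output is not marked ENCRYPTED.
# The passphrase is read from KEY_PASS, which must be set in the environment.
protect_key() {
  openssl rsa -in "$1" -aes256 -passout env:KEY_PASS -out "$2" 2>/dev/null
  grep -q 'ENCRYPTED' "$2"
}
```

check_csr returns a different non-zero code for each failed check, so a wrapper script can tell a wrong digest from a missing SAN.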

The automated ordering form has some limitations. It only handles multi-domain certificates, so wildcard domains are not possible, and the CSR must be signed with sha256. If you need special certificates you need to contact us at

Then you send in the order.

When the certificate is created it will be sent to you in an email — save it as

Adding the certificate to the server

You need:

  • The private key (should be password-protected):
  • The signed certificate: (received in the email)
  • CA certificate (Certificate Chain in the email) DigiCertCA.pem

We recommend running Apache from RedHat, on the newest RHEL available to you. You can save the certificate files wherever you like, but it is neatest to put them in:


If you need to run RHEL5 and Apache 2.2 from Store, move the files to:


(the path specified in the distributed httpd.conf). Then you run:

ln -s /site/opt/apache2.2/conf/ssl.crt/ /site/opt/apache2.2/conf/ssl.crt/server.crt
ln -s /site/opt/apache2.2/conf/ssl.key/ /site/opt/apache2.2/conf/ssl.key/server.key

so that Apache 2.2 finds the files. To secure the files:

chmod 440 /site/opt/apache2.2/conf/ssl.crt/
chmod 400 /site/opt/apache2.2/conf/ssl.key/

The Certificate Chain file should be saved as DigiCertCA.pem in /site/opt/apache2.2/conf/ssl.crt/
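Two checks worth running before Apache is pointed at the files, as an added example that is not part of the original page: that the certificate received by email really belongs to the private key you generated, and that it is signed by a certificate in the chain file. File paths are passed as arguments, so the /site/opt/apache2.2 locations above can be used; the key passphrase is assumed to be in the KEY_PASS environment variable.

```shell
#!/bin/sh
# Added example (not from the UiO page): verify that the received certificate
# matches the private key and chains to the CA file before deploying them.
set -eu

# $1 = certificate, $2 = private key (encrypted or cleartext; the passphrase is
# read from KEY_PASS, which must be set). Compares the SHA-256 of the public
# key inside the certificate with the public key derived from the private key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -passin env:KEY_PASS | openssl sha256)
  [ "$c" = "$k" ]
}

# $1 = CA chain file (e.g. DigiCertCA.pem), $2 = server certificate.
# Succeeds only if $2 is signed by a certificate in $1 and is within its
# validity period; the certificates in $1 are treated as trusted.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```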

If no SSL config exists you need to copy the default config:

cp -i /local/opt/apache2.2/conf/extra/httpd-ssl.conf /site/opt/apache2.2/conf/

... and change the necessary values.

Important: if you use a certificate from UNINETT you must change SSLCACertificateFile to use the one from DigiCert:

SSLCACertificateFile /site/opt/apache2.2/conf/ssl.crt/DigiCertCA.pem

Add this to /etc/httpd.conf:

ErrorLog /site/opt/apache2.2/logs/ssl.error_log
TransferLog /site/opt/apache2.2/logs/ssl.access_log


# Include local SSL-config (make sure the path is correct):
Include /site/opt/apache2.2/conf/httpd-ssl.conf

Start the SSL server:

/local/etc/init.d/httpd start
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrase.

Server (RSA)
Enter pass phrase:


Other tasks and info about certificates


The content of your CSR will look something like this:


When you order, you have to send the whole content, from and including -----BEGIN... to and including END CERTIFICATE REQUEST-----

Years of validity

The lifespan of an SSL certificate is one, two or three years. You choose this when you order.

How to change passphrase for the private key

You can change the passphrase like this:

/local/bin/openssl rsa -des3 -in -out
read RSA key
Enter PEM pass phrase:
writing PEM pass phrase:
Verifying password - Enter PEM pass phrase:

mv

Check the lifespan of an SSL certificate:

/local/bin/openssl x509 -startdate -enddate -noout <
notBefore=Apr 16 12:00:51 2007 GMT
notAfter=Apr 18 16:23:16 2008 GMT


Published Mar. 30, 2015 11:16 AM - Last modified Oct. 18, 2017 3:42 PM