Requesting a certificate
When you want to get a certificate for your sites hosted on our servers, it is important that you inform us (through your usual support infrastructure) of the domain name that you want the certificate for.
When we receive information about a new certificate that needs to be created, we will create a certificate signing request. This is a specially formatted file that includes the name on the certificate that needs to be issued and a public key for encryption.
When you receive the certificate signing request, you can take that to your desired certificate provider to get a new certificate issued. Once the new certificate is issued, you can send it to us as a reply to the certificate signing request.
While we generate the certificate signing request, we also generate a private key. This key will only ever live inside the NORDUnet server environment. We will not share this key with anybody, not even the owner of the domain! This is to ensure that the private key is not leaked to others.
Asymmetric cryptography relies on pairs of keys, called a public/private key pair. The private key can be used to decrypt messages encrypted with the corresponding public key. As the names indicate, the public key is assumed to be known to everybody, and the private key is to be known only by the owner of the key pair. This is why we never let the private key leave the server where it is to be used. All the parts of the certificate and certificate signing request that you handle can be treated as public knowledge. In fact, the certificate that you get from the certificate provider is exactly what the server sends to any browser that wants to talk to it.
No key leakage, not ever!
Because we take your site security seriously, we will not accept certificates that include a private key or that have been encrypted with a symmetric key.
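An intake check for the rule above, as an added example (not NORDUnet's own tooling): it accepts a submitted file only if it is plain PEM text containing nothing but CERTIFICATE blocks. The function name and the sample inputs are constructed for illustration; the payloads are placeholder DER bytes, not real certificates or keys.

```python
import base64
import re

# A PEM block: BEGIN and END labels must match (hypothetical helper pattern).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def check_submission(data: bytes) -> list:
    """Return the reasons to reject a submitted file; an empty list means accept."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Binary containers (for example PKCS#12 .pfx/.p12) usually bundle a key
        # and are password-encrypted, so they are refused outright.
        return ["not PEM text (binary container?)"]
    blocks = PEM_BLOCK.findall(text)
    problems = [] if blocks else ["no PEM blocks found"]
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
            problems.append(f"contains a private key block: {label}")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block: {label}")
        elif "Proc-Type" in body or "ENCRYPTED" in body:
            problems.append("certificate block carries encryption headers")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append("certificate block is not valid base64")
                continue
            if not der.startswith(b"\x30"):  # a DER certificate is a SEQUENCE
                problems.append("certificate block is not DER")
    return problems

# Constructed samples: "MAMCAQA=" is a 5-byte placeholder DER SEQUENCE.
CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
WITH_KEY = CERT_ONLY + (
    b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
)
PFX_LIKE = b"\x30\x82\x0a\x00\xff\xfe"  # binary bytes standing in for a .pfx

if __name__ == "__main__":
    for name, sample in [("cert", CERT_ONLY), ("key", WITH_KEY), ("pfx", PFX_LIKE)]:
        print(name, check_submission(sample) or "accepted")
```

The check is structural only: it does not validate the certificate chain or match the certificate against the signing request.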
Short explanation of what asymmetric encryption is.