skip to primary navigationskip to content


How to obtain SSL and TLS certificates, for use within the University of Cambridge, from the Computing Service

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are two closely related ways of securing Internet communications. They are used in the secure form of HTTP, normally called HTTPS, but can also be used to secure any stream-based protocol and are used in the secure versions of SMTP, IMAP, POP, NNTP, LDAP, etc. While using similar techniques, SSL and TLS are otherwise unrelated to the Secure Shell (SSH).

TLS and SSL require that the server end of any communication has access to a public/private key pair and a cryptographic certificate linking the server's identity, and that of its operators, to these keys. Clients must be configured to 'trust' the entity that signed this certificate. If the server and clients are controlled by the same people then certificates can be created locally, but in general they need to be signed by an organisation that clients, such as browsers, are pre-configured to trust. In practice this means dealing with one of the many commercial 'Certification Authorities' (CAs).

Obtaining and renewing certificates from a commercial CA normally costs money, and can be time consuming since the CA should verify the identity of the server operator, their entitlement to use the server's host name, etc. To simplify this process, the Computing Service maintains agreements with well known CAs under which the Computing Service acts as a 'Registration Authority' (RA), able to approve certificate requests for servers within the University. This reduces or eliminates the cost to end users of obtaining a certificate, significantly reduces the administrative cost, and speeds-up the entire process. This scheme does cost the University real money - some of the costs are recharged on a cost recovery basis but the majority of the cost is currently absorbed by the Computing Service.

Last updated: November 2013