
Version 3 (modified by Jamie McClelland, 7 years ago)

Ordering cartel x509 certificates

For many domains, we choose to purchase x509 certificates from companies that most browsers ship trusting by default.

When that is necessary, please follow these steps:

  • Order from https://cheapssls.com/ (login in keyringer)
  • Purchasing and activating are different steps. First check to see if any x509 certificates have been purchased but not yet activated. If so, activate an already purchased certificate. Otherwise, purchase a new certificate. For payment method, choose PayPal (password in keyringer).
  • Puppet will auto-generate a certificate signing request (CSR) for you, with the canonical name as the "common name" (e.g. mandela.mayfirst.org). If you want a different "common name" (e.g. members.mayfirst.org or webmail.mayfirst.org) then you will need to generate a new CSR.
  • Log in to the members control panel and ensure that your email address is listed as a recipient for the hostmaster[at]mayfirst.org email address.
  • Order a 2 year RapidSSL certificate (two years because it means less admin work renewing it, and RapidSSL because you only have to contend with one intermediate certificate).
  • When filling in the details of the certificate, choose the hostmaster email address for confirmation and for contact info for the certificate. For the rest of the requested information, enter our public contact info.
  • You will get an email asking for confirmation (click through the link) and then the certificate will be emailed to you.
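
For the step about generating a new CSR with a different "common name", here is an added example (not part of the original wiki page and not the Puppet-generated process) that creates the key and CSR with openssl and checks the result before it is submitted. The function names, the RSA 2048-bit key, the output directory layout and the host name members.example.org are assumptions.

```shell
#!/bin/sh
# Added example: generate a key and CSR for a chosen common name, then check
# the CSR before pasting it into the order form. RSA 2048 and the
# OUTDIR/<cn>.key / OUTDIR/<cn>.csr layout are assumptions, not site policy.

make_csr() {
    cn="$1"; outdir="$2"
    if [ -z "$cn" ] || [ -z "$outdir" ]; then
        echo "usage: make_csr COMMON_NAME OUTDIR" >&2; return 2
    fi
    key="$outdir/$cn.key"; csr="$outdir/$cn.csr"
    # Never overwrite a key: a certificate already issued for it would stop working.
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2; return 1
    fi
    mkdir -p "$outdir" || return 1
    # umask 077 in a subshell so the private key is created owner-readable only.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr"
}

# Print the commonName stored in a CSR.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the CSR is correctly self-signed, names the expected host,
# and carries the public half of the given private key.
check_csr() {
    csr="$1"; key="$2"; want="$3"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_common_name "$csr")" = "$want" ] || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ]
}

# Stand-alone use: sh make-csr.sh members.example.org ./csr-out
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$2/$1.csr" "$2/$1.key" "$1" &&
        echo "CSR ready: $2/$1.csr"
fi
```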