skip to primary navigationskip to content

Application process

Step 1:
Generate a public/private key pair and associated 'PKCS#10 Certificate Signing Request' (CSR). There are some general instructions on how to do this on QuoVadis web site. Keys for use in QuoVadis certificates must be at either 2048 (recommended) or 4096 bits long. Generate an RSA key pair.
To be acceptable under this scheme, the various items of information that can be included in a CSR for a particular type of certificate are either required (sometimes with a fixed value), optional, or prohibited. Requests that do not meet these conditions will be rejected. Items not mentioned here are prohibited.

Certificate fieldDV CertificateEV CertificateWildcard Certificate
Country/Region (C): GB
State/Province (ST): optional, if present must be Cambridgeshire
City/Locality (L): optional, if present must be Cambridge
Organization (O): optional, if present must be University of Cambridge
Organizational Unit (OU): optional, see below
Common Name (CN): exactly one host name required, see below
exactly one host name required, see below
exactly one host name starting '*' required, see below
Subject Alternative Name extension (SAN): optional, up to 49 additional host names, see below
optional, up to 9 additional host names, see below
optional, up to 9 additional host names, see below
Email address (emailAddress): optional, won't appear in the certificate
The host name or names by which the servers that will use the certificate will be accessed must be included in the request.
A single name must be included in the 'Common Name' *(CN) field and additional names may be included in the 'Subject Alternative Name' (SAN) extension field. The names must match the fully qualified host names under which the servers will operate - for a web server these must be the host names that will appear in URLs.
Wildcard certificates must contain a name starting '*.' in the CN, and may contain up to 9 additional names in the SAN extension field. In wildcard certificates it can often be useful to include the base domain in the SAN, so for example '*' in CN and '' in the SAN.
If present, the Organizational Unit should describe the University institution (department, college, etc.) running the server(s) described in the certificate.
Users of OpenSSL may want to use this configuration file with the 'openssl req' command, or this Python script (run with --help for instructions) to simplify the process. Otherwise, when using 'openssl req' note that you can omit a field without accepting a default by supplying a single dot as the value.
An appropriate CSR looks something like this:
Step 2:
Securely back up your private key and any associated pass-phrase. Loss or disclosure of your private key will render any related certificate useless.
Step 3:
Visit the TLS certificate administration site and request a new certificate - Raven authentication is required to access this site. Applications will not be accepted unless made by a recognised representative of the University organisation to which the server's host name is assigned.
Step 4:
If you are applying for a Wildcard certificate, obtain a purchase order and add it to your request on the administration site. Alternativly email it to , send it to 'TLS Certificates, University Information Services, Roger Needham Building, 7 J J Thomson Avenue', or hand it in to UIS Reception in the Roger Nedham Building. Remember to include VAT if necessary (see 'What is available?').

You can check the status of your request on the TLS certificate administration site, from where you will also be able to download your certificate when it is ready. Requests for certificates are normally completed in one or two working days - if you don't receive your certificate within this time then please contact .

See 'Installation and Deployment' for what to do with your certificate once you've received it and 'Renewal Process' for what to do when it eventually expires.

Last updated: April 2016