skip to primary navigationskip to content


How to get TLS certificates for use within the University of Cambridge, from Information Services (UIS)

Transport Layer Security (TLS) is a way of securing Internet communications. It is used in the secure web browsing protocol, called HTTPS, but can also be used to secure any stream-based protocol and is used in the secure versions of SMTP, IMAP, POP, NNTP, LDAP, etc. Early versions of TLS were called the 'Secure Sockets Layer' (SSL) but all of these versions are now considered obsolete. While using similar techniques, TLS is unrelated to the Secure Shell (SSH) protocols.

TLS requires that the server (typically a web server) end of any communication has access to a public/private key pair and a cryptographic certificate linking these keys to the server's identity and to that of its operators. Clients (typically web browsers) need to be configured to 'trust' the entity that signed this certificate. If the server and clients are controlled by the same people then certificates can be created locally, but in general they need to be signed by an organisation that clients are pre-configured to trust. In practice this means dealing with one of several commercial 'Certification Authorities' (CAs).

Obtaining and renewing certificates from a commercial CA normally costs money, and can be time consuming since the CA should verify the identity of the server operator, their entitlement to use the server's host name, etc. To simplify this process, UIS maintains agreements with well known CAs under which UIS acts as a 'Registration Authority' (RA), able to approve certificate requests for servers within the University. This reduces or eliminates the cost to end users of obtaining a certificate, significantly reduces the administrative cost, and speeds-up the entire process. This scheme costs the University in both staff time and real money - some of the costs are recharged on a cost recovery basis but the majority of this cost is currently absorbed by UIS.

Last updated: July 2015