SSL and Digital Humanities
May 21st, 2013 by Tim Watts

We now have proper SSL certificates signed by JANET (actually by Comodo, shown as TERENA in the browser) for all 3 of our domains:

  • *.cch.kcl.ac.uk
  • *.cerch.kcl.ac.uk
  • *.dighum.kcl.ac.uk

Those are “wildcard” certificates and will thus work for any single subdomain, but not for multiple levels of subdomain. Be warned: projects that are starting to take names of the form blah.project.dighum.kcl.ac.uk should take this into consideration.

Now, we have a very clever way of deploying this such that servers with many VHOSTs (or sites) can always give a “green padlock” in the client’s browser (or at least an absence of warnings about bent SSL certificates). This method is called TLS/SNI and assumes the user has a modern browser (IE 6 is not supported, for instance). TLS/SNI allows the client to tell the server which VHOST it wants (the host part of the URI) BEFORE the SSL session is started, so the server can pick the correct certificate to use.

This scheme can be extended arbitrarily – so projects needing a project-specific domain, for example www.digipal.eu, AS WELL AS a local set of names, e.g. digipal.dighum.kcl.ac.uk, can be set up with all relevant certificates.
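
The wildcard rule and the SNI-based certificate choice described above, as an added Python example (not code from this post or from the department's servers). The certificate labels are hypothetical; a real web server performs this selection inside its TLS stack.

```python
# Added example: choose a certificate from the name the client sends via SNI,
# applying the "one label only" rule for wildcard certificates.
# Certificate labels below are hypothetical, not the real deployment.

CERTS = {
    "cch-wildcard": ["*.cch.kcl.ac.uk"],
    "cerch-wildcard": ["*.cerch.kcl.ac.uk"],
    "dighum-wildcard": ["*.dighum.kcl.ac.uk"],
    "digipal-eu": ["www.digipal.eu"],  # project-specific certificate
}


def wildcard_matches(pattern, hostname):
    """Return True if a certificate name covers hostname.

    A leading "*" stands for exactly one DNS label, never several,
    and never for zero labels (the bare parent domain).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Only the left-most label is wild; the rest must match exactly.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def select_certificate(sni_name, certs=CERTS):
    """Return the label of the certificate covering sni_name, or None.

    None models the case where the server has nothing suitable and the
    browser would warn: no SNI sent, or a name no certificate covers.
    """
    if not sni_name:  # client sent no SNI (very old browser)
        return None
    for label, names in certs.items():
        if any(wildcard_matches(name, sni_name) for name in names):
            return label
    return None


if __name__ == "__main__":
    for host in ("digipal.dighum.kcl.ac.uk", "www.digipal.eu",
                 "blah.project.dighum.kcl.ac.uk", "dighum.kcl.ac.uk"):
        print(host, "->", select_certificate(host))
```
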

However, unless I receive guidance to the contrary, it will be assumed that the project should fund the purchase of project-specific SSL certificates at a cost of £80/year. The project MUST NOT attempt to actually buy the certificate – DDH core systems support will arrange this for you via a Mantis/JIRA ticket. These things are fiddly to get right and have to be set up uniformly.

There’s no cost of course for the core departmental domain SSL certs – these are available on request.

For the gory implementation details, please see the latter part of this Confluence doc.
