Purchase an SSL Web Server Certificate

Secure the web content / application

The primary reason for using SSL (https://) is to keep sensitive information sent across the Internet, such as usernames, passwords and credit card details, encrypted so that only the intended recipient can read it. This is important because information you send on the Internet is passed from computer to computer on its way to the destination server. If it is not encrypted with an SSL certificate, any computer between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information. When an SSL certificate is used, the information becomes unreadable to everyone except the server you are sending it to. This protects it from hackers and identity thieves. In addition to encryption, an SSL certificate also provides authentication, which means you can be sure that you are sending information to the right server.

Purchase an SSL Web Server Certificate

You will be charged for the cost of the SSL certificate. The cost of a certificate is about HK$700 for 1 year (subject to review every year).

You can submit a Software License Request in the Service Portal to ask CSC to help purchase an SSL web server certificate for your departmental web server(s). Upon receiving the request, you will be contacted to provide the Certificate Signing Request (CSR).


Purchase an SSL Wildcard Web Server Certificate

A wildcard certificate, for example *.cb.cityu.edu.hk, will secure www.cb.cityu.edu.hk, www2.cb.cityu.edu.hk, and any other subdomain of cb.cityu.edu.hk.

Advantages of SSL Wildcard Certificate

  • Secures unlimited sub-domains
  • Cheaper if securing many sub-domains
  • Easier to manage

Disadvantages of SSL Wildcard Certificate

  • Security issue: if you use one certificate and private key on multiple servers, it only takes one server to be compromised and all of the others will be vulnerable as well.
  • Mobile device compatibility: some mobile device operating systems may not recognize the wildcard character (*) and therefore cannot use a wildcard certificate.

The cost of a wildcard certificate is about HK$7,000 for 1 year (subject to review every year).


Phasing out of SHA1 algorithm

Starting from 1 Jan 2016, no Certificate Authority should issue SHA1 certificates, and major browsers (IE, Chrome, Firefox) will not support SHA1 certificates after 01 Jan 2017. From now on, all SSL certificates will be generated with the SHA2 algorithm. Please make sure your server is compatible with the SHA2 algorithm before procurement.


Generating the Certificate Signing Request (CSR)

Below are the steps to generate the Certificate Signing Request (CSR) for:

  • Microsoft Internet Information Server (IIS7 or above)
  • Microsoft Internet Information Server (IIS6)
  • Sun Java System Web Server
  • Apache web server

1. Microsoft Internet Information Server (IIS7 or above)

  1. In Internet Information Services Manager, double click on "Server Certificates".
  2. Click on "Create Certificate Request" on the right column of "Actions".
  3. Type in the following information with the exact wording except the Organizational Unit and Common Name.
    • Common Name: www.cityu.edu.hk
    • Organization: City University of Hong Kong
    • Organizational Unit: Computing Services Centre
    • City/Locality: Kowloon Tong
    • State/Province: Hong Kong
    • Country/Region: HK
  4. Select bit length "2048" in the dropdown list and then click Next.
  5. Click Next and then type in a name for the certificate.
  6. Type in a filename to store the certificate request.
  7. Send the CSR file to e-Services Section of Computing Services Centre.

2. Microsoft Internet Information Server (IIS6)

  1. In Internet Information Services Manager, right click on the web server and select "Properties".
  2. Click on the tab "Directory Security".
  3. Click on "Server Certificate" button.
  4. Select "Create a new certificate".
  5. Click Next and type in a name for the certificate.
  6. Select bit length "2048" and click Next.
  7. Type in the following information with the exact wording except the Organizational Unit and Common Name.
    • Organization: City University of Hong Kong
    • Organizational Unit: Computing Services Centre
    • Common Name: www.cityu.edu.hk
    • Country/Region: HK
    • State/Province: Hong Kong
    • City/Locality: Kowloon Tong
  8. Type in a filename to store the certificate request.
  9. Send the file to e-Services Section of Computing Services Centre.

3. Sun Java System Web Server (Sun One Web Server, iPlanet Web Server)

i) Creating a Certificate Trust Database (first time only)

A certificate trust database holds the key pair and certificates installed on the host. In Sun Java System Web Server, each server instance has its own certificate/key pair, referred to as a trust database.

A key-pair file contains both the public and private keys used for SSL encryption. When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

To create the certificate trust database:

  1. Access the Administration Server and click on the "Security" tab.
  2. Click on "Create Database".
  3. Type the password in Database Password.
  4. Re-type the password in Password (again).
  5. Click OK.

ii) Generating a Certificate Signing Request (CSR) for the web server

To generate a certificate request:

  1. Access the target web server and click on the "Security" tab.
  2. Click "Request a Certificate".
  3. In the form shown, specify if this is a new certificate or a certificate renewal.
  4. Click "CA Email Address" and type in your email address. The CSR will be sent to your email account.
  5. Type the password for your key-pair file (the same password specified when you created the trust database).
  6. Select bit length "2048".
  7. Type in the following information with the exact wording except those in purple:
    • Requestor name: Mr. Chan Tai Man
    • Telephone number: +852 34421122
    • Common Name: www.cityu.edu.hk
    • Email Address: so-easy@cityu.edu.hk
    • Organization: City University of Hong Kong
    • Organizational Unit: Computing Services Centre
    • Locality: Kowloon Tong
    • State or Province: Hong Kong
    • Country: HK
    Click the "OK" button and the CSR will be generated.
  8. Copy the CSR and send it to e-Services Section of Computing Services Centre.

4. Apache Web Server

  1. Install OpenSSL if it is not already on the server, and add it to PATH.
  2. Generate a private key:
    • cd <directory where key, csr, certificate will be stored>
    • openssl genrsa -out server.key 2048

    A 2048-bit RSA private key is generated and stored in server.key. Back up the key file and protect it well. The purchased SSL certificate must be used together with this private key file.

  3. Generate the corresponding CSR:
    • openssl req -new -key server.key -out server.csr

    Answer the prompts as follows:
    • Country Name: HK
    • State: Hong Kong
    • Locality: Kowloon Tong
    • Organization Name: City University of Hong Kong
    • Organizational Unit Name: Computing Services Centre
    • Common Name: www.cityu.edu.hk
    • Leave blank: Email Address, Challenge Password, Optional Company Name.

    The CSR is stored to file server.csr.

  4. Send the file to e-Services Section of Computing Services Centre.
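
The Apache steps above, run non-interactively and followed by a check of the result before the CSR is sent, as an added example that is not part of the original page or CSC's own tooling. The function names make_csr and check_csr are hypothetical; the subject values and file names are the sample values from the steps, and -sha256 is passed explicitly to match the SHA2 requirement.

```shell
#!/usr/bin/env bash
# Added example (not CSC's own script). Function names are hypothetical;
# subject values and file names are the samples from the steps above.
set -eu

SUBJ="/C=HK/ST=Hong Kong/L=Kowloon Tong/O=City University of Hong Kong/OU=Computing Services Centre/CN=www.cityu.edu.hk"

# make_csr <dir>: write server.key and server.csr into <dir>
make_csr() {
  ( umask 077   # private key readable by its owner only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/server.key" -subj "$SUBJ" \
      -out "$1/server.csr" )
}

# check_csr <csr> <key>: print each problem found; non-zero status if any
check_csr() {
  csr=$1; key=$2; rc=0
  text=$(openssl req -in "$csr" -noout -text -verify 2>&1 || true)
  echo "$text" | grep -q 'verify OK' ||
    { echo "CSR self-signature does not verify"; rc=1; }
  echo "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)With' ||
    { echo "CSR is not signed with a SHA2 digest"; rc=1; }
  echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
    { echo "public key is not 2048 bits"; rc=1; }
  echo "$text" | grep -Eq 'O ?= ?City University of Hong Kong' ||
    { echo "Organization is not the exact required wording"; rc=1; }
  # The issued certificate only works with the key the CSR was made from.
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "CSR was not generated from this private key"; rc=1; }
  # Characters 5-10 of the ls mode string are the group/other bits.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
    { echo "private key is readable by group or others"; rc=1; }
  return "$rc"
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_csr "$work"
check_csr "$work/server.csr" "$work/server.key" && echo "CSR OK: $work/server.csr"
rm -rf "$work"
```

Only server.csr is sent to CSC; server.key stays on the server.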

Last modified: Feb 2025