UPKI Server Certificate Issuance Service

Basic Information

This service issues server certificates for uec.ac.jp and its subdomains through the UPKI電子証明書発行サービス (UPKI Digital Certificate Issuance Service) of the National Institute of Informatics (NII). The issued server certificates can be used for any ordinary TLS purpose, such as HTTPS.

New Certificate Issuance and Renewal Procedures

Hint

Renewal of a certificate follows the same procedure as a new issuance. The same checks as for a new issuance (validity of the FQDN, etc.) are performed on renewal.

  1. Application (Google Form)

Decide who will fill the following roles, and have the applicant (申請責任者) submit the UPKI server certificate application form (UPKIサーバ証明書申請フォーム) using the applicant's own UEC cloud account. Applications submitted by anyone other than the applicant are not accepted.

Applicant (申請責任者):

A full-time faculty or staff member who bears full responsibility for the application and for the use of the certificate.

Certificate administrator (証明書管理者, optional):

A full-time faculty or staff member who performs or supervises the actual work. Up to three may be named. Not required if the applicant also acts as the certificate administrator.

Caution

For use in research or education:

Both the applicant and the certificate administrator must be full-time faculty or staff members.

For use by student clubs and similar organizations:

The applicant must be a full-time faculty or staff member who supervises the organization (an advisor or the staff member in charge). The certificate administrator may be a student.

Persons other than the applicant and the certificate administrator may carry out administrative work (preparing data, installing on the server, and so on). In that case the applicant or the certificate administrator must review the work and remain responsible for it.

Based on the application, the Information Technology Center asks the domain administrator of the FQDN (server name) to confirm that the FQDN exists. After the existence check, the application is screened and the result is sent by e-mail to the UEC accounts of the applicant and the certificate administrator.

  2. Create a CSR (Certificate Signing Request) (user)

The certificate administrator creates a key pair with a key length of 2048 bits following the procedure in 事前準備〜証明書の申請から取得まで (NII). A new key pair is required for every renewal as well: renewing the certificate means renewing the key.

Caution

Always create a new key pair (private key and public key), also when renewing a certificate. An existing key pair cannot be reused.

Create a CSR using the key pair you created. When creating the CSR you must enter a Subject DN; enter the following values.

Attribute   What to enter
C           JP
ST          tokyo
L           chofu
O           The University of Electro-Communications
CN          The server's FQDN (host name)
Email       Leave blank (the contact address is entered in the TSV file in the next step)

Hint

  • Since July 26, 2022, the OU attribute of the Subject DN has been abolished. A CSR whose Subject DN contains an OU attribute is not accepted, so do not include one.

  • To leave a field blank at an OpenSSL prompt, enter 「.」 (a half-width period).
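The following script is an added example and is not part of the UEC or NII documentation. It generates a fresh 2048-bit RSA key pair, builds a CSR with exactly the Subject DN from the table above (no OU, no Email attribute), optionally adds further host names as subjectAltName dNSName entries, and then inspects the CSR the way a reviewer would before accepting it. It assumes OpenSSL 1.1.1 or newer on PATH; the host name www.example.uec.ac.jp, the extra name api.example.uec.ac.jp and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the UEC/NII documentation: create a NEW 2048-bit RSA
# key pair and a CSR carrying the required Subject DN, then inspect the CSR.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; host names and the output
# directory are placeholders for the real server name and working directory.
set -eu

# Fixed part of the Subject DN from the table: no OU and no Email attribute.
DN_BASE="/C=JP/ST=tokyo/L=chofu/O=The University of Electro-Communications"

# make_csr FQDN OUTDIR [EXTRA_HOSTNAME ...]
# Writes OUTDIR/FQDN.key (a fresh, unencrypted private key) and OUTDIR/FQDN.csr.
# Extra host names become subjectAltName dNSName entries, the same names that
# go into the TSV "dNSName=" field. Prints the CSR path.
make_csr() {
    fqdn=$1; outdir=$2; shift 2
    key="$outdir/$fqdn.key"; csr="$outdir/$fqdn.csr"
    mkdir -p "$outdir"
    # A new key every time, also on renewal: never reuse the previous key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"
    san="DNS:$fqdn"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl req -new -key "$key" -out "$csr" \
        -subj "$DN_BASE/CN=$fqdn" \
        -addext "subjectAltName=$san"
    printf '%s\n' "$csr"
}

# csr_subject CSR: the Subject DN on one line, RFC 2253 style (CN first).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_key_bits CSR: modulus size of the public key inside the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sans CSR: the subjectAltName entries ("DNS:a, DNS:b"), empty if absent.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# csr_check CSR: the checks applied before the CSR goes into the TSV tool.
# Fails (with a reason on stderr) for an OU attribute, an Email attribute,
# or a key shorter than 2048 bits.
csr_check() {
    subj=$(csr_subject "$1")
    case "$subj" in
        *OU=*)           echo "reject: OU attribute present" >&2; return 1 ;;
        *emailAddress=*) echo "reject: Email attribute present" >&2; return 1 ;;
    esac
    [ "$(csr_key_bits "$1")" -ge 2048 ] || { echo "reject: key shorter than 2048 bits" >&2; return 1; }
}

# Usage: sh make_csr.sh www.example.uec.ac.jp ./out api.example.uec.ac.jp
if [ "$#" -gt 0 ]; then
    f=$(make_csr "$@")
    csr_check "$f" && csr_subject "$f" && csr_sans "$f"
fi
```

The private key is written without a passphrase because the installation step (and the center's virtual-domain service) expects an unencrypted key; keep it readable by its owner only, as the `chmod 600` does.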

  3. Create the TSV file

Create a TSV file from the CSR you have just created, following the procedure in 2.2.1.サーバ証明書 of the TSV作成ツール操作マニュアル.

  1. Open the TSVツール and click 作成開始.

  2. Select the TSVファイルの種別 (TSV file type) according to the conditions below, and press この内容で作成開始 (Start creating with this content).

Hint

The 失効対象証明書シリアル番号 (serial number of the certificate to be revoked) that you enter when renewing a server certificate must be either a decimal number or a hexadecimal number with the "0x" prefix. For details, see UPKI-FAQ サーバ証明書のシリアル番号を確認したい.

  3. Load the CSR file, then fill in the remaining fields as follows to create the TSV.

    • The required fields are 利用管理者 Email and Webサーバソフトウェア名等.

    • 利用管理者氏名 and 利用管理者所属 are not required, but they are embedded in the body of the mail sent by the application system as its addressee, so please fill them in whenever possible.

    • Enter only single-byte characters in 利用管理者 Email.

    • 利用管理者氏名, 利用管理者所属 and Webサーバソフトウェア名等 accept both single-byte and double-byte characters.

    • The issuance notification is sent to the address entered in 利用管理者 Email, so make sure it is an address at which mail can actually be received.

    • In Webサーバソフトウェア名等, enter the name of the HTTP server or other software that will use the server certificate.

    • (Optional) To use the certificate for several host names served by the same computer and the same OS, specify dNSName entries as in the following example: dNSName=aaa.example.ac.jp,dNSName=bbb.example.ac.jp

  4. Send the TSV file

Send the TSV file generated in the previous step to the Information Technology Center by e-mail. The address to send it to is given in the screening-result e-mail described in step 1.

Based on the TSV file submitted by the user, the person in charge at the Information Technology Center applies to the certificate issuing organization (the certification authority) for issuance of the certificate. If there is an error in the TSV file, the user will be asked to correct it.

  5. Download the server certificate and the intermediate CA certificate (user)

When the certification authority has accepted the application and finished processing it, a notification is sent to the 利用管理者 Email entered in the TSV file in step 3. The body of the notification contains download links for the server certificate and the intermediate CA certificate; download and save both.

  6. Install the server certificate (user)

Follow the サーバー証明書インストールマニュアル to install the server certificate and the intermediate CA certificate on your server. After installation, check the expiration date of the server certificate with a browser.

  7. (Renewal only) Revoke the old certificate

Once the new server certificate is installed, report the FQDN of the server on which the work was completed to the Information Technology Center. No TSV file is needed for this.

Precautions

Renewal of certificates

When renewing a certificate, the existence of the FQDN and the domain administrator is verified exactly as for a new application. Submit an application in accordance with the new issuance/renewal procedure above.

After installing the renewed certificate on the server, the old certificate must be revoked. Contact the Information Technology Center once the replacement is complete. No TSV file is needed for the revocation.

Note

When renewing or revoking a server certificate, enter the 失効対象証明書シリアル番号 as a decimal number (or as hexadecimal with the "0x" prefix, as in step 3). A bare hexadecimal string, such as the one printed by openssl x509 -serial, causes an error.

About the replacement of certificates

The Information Technology Center does not provide support for key pair generation or for installing server certificates. Refer to the web pages of the National Institute of Informatics (NII) and to material available on the Internet, and carry out the work yourself. In particular, be sure to check UPKI電子証明書発行サービス(国立情報学研究所).

If you want to use the SSL server certificate on a virtual domain server, share the following three items through a UEC Disk ticket link and send the URL to support@cc.uec.ac.jp:

  • the SSL server certificate issued this time

  • the private key (server private key) of the key pair used to create the CSR, and hence the TSV file

  • the intermediate CA certificate

Warning

Make sure the passphrase has been removed from the private key before sharing it. Share the key only through the ticket link; never send it as an e-mail attachment.

Certificate Expiration Date

The validity period of the server certificate is determined by the UPKI digital certificate issuance service of the National Institute of Informatics. The Information Technology Center cannot adjust the expiration date.

Delay or Denial of Certificate Issuance

If the CN or SAN of the CSR contains a server name that could be used for phishing, issuance of the certificate will be delayed for legitimacy verification or, in some cases, refused.

The review is carried out by a third-party certification authority. The Information Technology Center cannot give the reasons for a delay or refusal.

Certification authorities do not disclose their criteria, but names that could be confused with widely used services such as Google, Microsoft or Amazon are likely to be delayed or refused.

FAQ