uog logo
School of Physics and Astronomy – computing
phas it logo


School X.509 and OpenSSH certificates

You probably don't need to care about this page: only a relatively small number of technical users need the information here.

We run a local Certificate Authority, which creates certificates for local use – mainly for connecting securely to a subset of intranet machines. You probably don't need one of these certificates, but if you learn that you do, talk to Norman.

We also have an OpenSSH CA. See the notes at the bottom of the page.

The school signing certificates are:

You should install, in order, the Root CA certificate (marking it as trusted, when prompted), and then the Intermediate CA certificate. You can find these certificates, along with a few other useful ones, in a single zip file:

Note: these are different from the initial (2016) versions of these certificates, which were issued with a small but significant error.

Installing these server certificates – desktop machines §

Installing these server certificates – server machines §

The notes below describe installing the phas-ca-* files from the certificates bundle, but you may also want to install the UK e-Science certificates, too. See the README in the downloaded bundle.


# mkdir /etc/ssl/certs
# cp certificates/phas-ca* /etc/ssl/certs
# cd /etc/ssl/certs
# for f in phas-ca-*; do ln -s $f `openssl x509 -hash -in $f -noout`.0; done


# cp certificates/phas-ca* /etc/pki/ca-trust/source/anchors
# update-ca-trust extract

The certs will then appear in various files under /etc/pki/ca-trust/extracted/pem/. You may need some further configuration to let client applications use these. For example, an ldap.conf file needs a line:

tls_cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Debian/Ubuntu: copy the two phas-ca-*.crt files into /usr/share/ca-certificates, adding the filenames to /etc/ca-certificates, and then running update-ca-certificates [instructions TBC].

Installing your personal certificate §

If you have a personal certificate, issued by the school, then you should install it as follows. Most people will not have such a certificate.

You will have received your certificate in the form of a .p12 file, along with a password which secures this file. When you import the certificate as described below, you have to unlock the .p12 file with this password.

You can discard the .p12 file and password after you have imported the key and certificate, because you should be able to export the key and certificate from within the certificate store at a later stage.

Creating your own key §

If you have a desperate urge to create your own key and have it signed, then first download the appropriate config file, and then create a key:

% openssl genrsa -aes256 -out fred-bloggs-key.key 2048

You will be asked to enter a password for the key. This is used only for protecting this key whilst you are waiting for it to be signed, and before you import the signed key into your key/certificate manager.

Create the CSR:

% openssl req -new -config user-csr.cnf -key fred-bloggs.key -out fred-bloggs.csr

Accept the defaults for each item except the CommonName field, where you should enter your own name when prompted. Then send the .csr file to Norman to be signed. After the signed certificate is returned, import both it and the key file (for which you have of course remembered the password) as above.

If you have any questions, contact Norman Gray.

OpenSSH CA §

We run an OpenSSH CA to provide SSH certificates for a few IT users. The CA key is here. If you need to know more about this, talk to Norman.