Obtaining a Thawte digital certificate

Duke University and the Duke University Health System have established a relationship with Thawte (a ubiquitous provider of digital certificates) under which we handle the authentication of certificate requests internally. In exchange, Thawte gives us a discount on their certificates, and we can generally get new certificates in under an hour. Any certificate request to Thawte for a .duke.edu domain will be funneled through this service. To make it easier for first-time University certificate requesters, we've outlined all of the steps you will need to take below. (Health System requesters should instead follow the instructions at the DUHS ISO Web Site.)

  1. To request certificates from Thawte, you will need to be set up as a Thawte "Technical Officer"
    1. If you have a Thawte personal email certificate, skip to step 2.
    2. Go to Thawte's Personal Email Certificate Registration page
    3. Follow the enrollment process (pictures: 1, 2, 3)
    4. When prompted for an email address, use a duke.edu email address
  2. Email the following to security@duke.edu
    1. the name of the certificate (the email address used in step 1.4)
    2. a fund code to charge the cost of the certificate to (Thawte will not allow Technical Officers to pay for certificates directly)
    3. the type of certificate you want (Web Server certificate, Code Signing Certificate, SuperCert, etc.)
    4. whether the certificate is a new certificate or a renewal of an existing certificate
  3. Once we have this information, we will register you as a Thawte Technical Officer and purchase the requested certificate token(s). (Note: certificate tokens can be issued by any Technical Officer at Duke. Once you receive an email that the token has been purchased, please issue it within 2 weeks, or it will be refunded.)
  4. After being added, you can go to Thawte's sPKI page. (picture)
  5. On the left hand side of the screen, select "Account" (picture)
  6. Choose "Duke"; the "Acme" account is a test account. (picture)
  7. On the left hand side of the screen select "My Products" (picture)
  8. Under "My Products", select "Renew" or "Request" (picture)
  9. If requesting a new certificate
    1. You will need to create a CSR (certificate signing request). Instructions can be found on Thawte's Web Server Certificate Support page.
    2. Select which type of certificate you want (usually a '1 year web certificate').
    3. Follow the instructions on the web site.
    4. You will be prompted to paste this CSR into Thawte's sPKI page at the appropriate time.
  10. If renewing
    1. Select which type of certificate you are renewing
    2. Enter the code for the renewal.
    3. Follow the instructions given on the web site.
  11. Once the request is made, it'll be approved by either the Campus or the Health System security offices.
  12. After the approval, we'll do a TJV back to the fund code (provided in step 2.2) to handle the money.

That's it! When the certificate has been issued, you will receive an email with instructions on how to download it from Thawte's site.
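
For step 9.1, one way to create the CSR with the OpenSSL command line and check it before pasting it into the sPKI page. This is an added example, not Thawte's or Duke's own instructions; the hostname, subject fields, 2048-bit RSA key size and the function names make_csr and check_csr are assumptions.

```shell
#!/bin/sh
# Added example: create a private key and CSR, then check the CSR before
# submitting it. Only the .csr file is pasted into the CA's page; the .key
# file stays on the server.

# make_csr HOST DIR: writes DIR/HOST.key and DIR/HOST.csr
make_csr() {
    host=$1; dir=$2
    (
        umask 077   # private key readable by its owner only
        # -nodes leaves the key unencrypted so the web server can start
        # unattended; protect it with file permissions instead.
        # Subject fields are placeholders; use your organisation's values.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" \
            -subj "/C=US/ST=North Carolina/L=Durham/O=Duke University/CN=$host"
    )
}

# check_csr CSR KEY: returns 0 if the CSR is ready to submit, otherwise
#   1 = self-signature does not verify (damaged or truncated CSR)
#   2 = common name is not a host under duke.edu
#   3 = CSR was not generated from KEY
check_csr() {
    csr=$1; key=$2
    # Match on the message, since older OpenSSL exits 0 on a bad signature.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1

    # multiline output puts each subject field on its own line.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    case "$cn" in
        *.duke.edu) ;;
        *) return 2 ;;
    esac

    # The public key in the CSR must match the private key you will install.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$csr_pub" = "$key_pub" ] || return 3
}

# Usage: sh make_csr.sh www.example.duke.edu /path/to/dir
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$2/$1.csr" "$2/$1.key" &&
        echo "CSR ready: $2/$1.csr"
fi
```
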

The difference between a web server certificate and a web server super certificate:

The web server certificate allows users to connect at 128-bit, 56-bit, or 40-bit encryption levels, depending on the client's browser capability.

A web server super certificate will allow you to extend 128-bit encryption to all your clients, even if they use browsers limited to 40-bit or 56-bit encryption capabilities.