Documentation:UBC Content Management System/SSL Certificate
|Welcome to the support documentation for the|
UBC CMS Service.
|UBC Collab Theme|
As of March 21st 2018 all new domain-mapped sites on UBC CMS need to run on HTTPS. This means that your domain will need an SSL certificate on our platform. This is due to several browser vendors now marking sites as ‘not secure’ if they are using HTTP under certain circumstances and, as of June 2018, they will mark ALL sites that use HTTP as not secure.
What is an SSL Certificate
Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. See more here.
What is https
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network, and is widely used on the Internet. See more here.
Wild card certificate
In computer networking, a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each subdomain. See more here.
Wildcard certificates on CMS
UBC CMS already contains several wildcard and standalone SSL Certificates. If the domain you wish to use is of the form <something>.ubc.ca or <something>.<something>.ubc.ca then there is a good chance that we already have an SSL certificate for you to use.
Some of the wild cards currently on CMS: *.ubc.ca, *.med.ubc.ca, *.denistry.ubc.ca, *.arts.ubc.ca,
*IMPORTANT Please note: The *.ubc.ca wild card cert will not cover the www subdomain. This means www.<something>.ubc.ca is not covered by the *.ubc.ca wildcard.
How to get an SSL certificate
Do it yourself
If you know that your UBC subdomain is currently not covered by the certificates that we have on UBC CMS then UBC IT can help you acquire one and have it placed onto UBC CMS. You need to follow steps 1 through 6 (inclusive) at https://confluence.it.ubc.ca/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate
These steps will generate everything we need from you in order to have your site running on HTTPS. Now you need to send us those files. Zip them up, and then add them to UBC Workspace, with a password. Send an email to email@example.com - which will generate a ServiceNow ticket - with a link to the file and share the password with us. We’ll also need to know which domain this is for, in that email.
Once we have that info, we can then speak with the systems team that runs the piece of hardware where the certificates need to reside. They will install the certificate on your behalf.
If it’s a non UBC domain (i.e. yourdomain.com rather than yourdomain.ubc.ca) then you will need to purchase a certificate from https://www.gandi.net/en/security (you need the ‘Standard’ certificate) and then you will need to provide to us (via WorkSpace) the Certificate and the private key used to generate that certificate.
Please note that you will need to provide the "key" with the certificate so do not lose or delete this file.
Request a certificate
You can also contact UBC security at security[a]ubc.ca for requests or questions about SSL certificates.
Please note that you will need to provide the "key" with the certificate so please ensure that it is included in the package you receive with the request.
How to get your CMS website on to https
Things to know before you start the process:
- How to acquire a SSL certificate.
- Who is your websites Domain Name System (DNS) manager? Basically someone who can configure your websites domain. Most likely it's UBC IT. See more here.
- The whole process can take up to 1 - 2 weeks.
Please follow the steps below:
- First you will need to determine whether you need a certificate or if your website is already covered by a wildcard certificate on UBC CMS. If your website is covered please proceed to step 3.
- Aquire a certificate and submit it to CMS Support. CMS support will then place the certificate onto CMS. Note: this can take 2 - 4 business days.
- Contact your DNS manager, and request that your domain's TTL is changed to 300.
- Once the certificate is in place and it has been roughly 2 business days after the TTL switch, schedule with your DNS manager to switch your domains ip address to point to 126.96.36.199, and, at the same time, schedule with CMS support to run a https migration tool.
- Verify the website is OK.