

 

i/s Back Issues


Volume 13

No. 1   September/October 1997

Web Certificates: What They Are and How to Get Them

Joanne Costello

Recently, several Web services have been launched at MIT that 
require the use of Web certificates:

* The MIT Computer Connection, in partnership with NECX, has 
established MCC/Online for ordering computers over the Web.

http://web.mit.edu/ecat/mcc/

* WebSIS lets students access their financial and academic records, 
and update personal information.

http://student.mit.edu/ 

* Through SAPweb, administrators can view purchase-order 
information.

http://web.mit.edu/sapweb/

These services involve sensitive data, so it's critical to ensure that 
access is limited to authorized users and that data is secure when 
transmitted over the Internet. That's where Web certificates come in. 
They authenticate both user and Web server, and support the 
public/private key technology that encrypts data as it is sent.
 
To access a secure Web server, you need two types of certificates. A 
site certificate assures that the server you are connecting to is the 
one it claims to be, not an imposter. A personal certificate verifies to 
the server that you are who you claim to be; when you get a personal 
certificate, you also get a private encryption key. 
 
These two certificates are not paper documents. They are digital files 
stored as preferences in your Web browser. To get them, you must go through 
a multi-step, Web-based process.
 
Prerequisites
Before you can obtain Web certificates at MIT, you need

* an MIT ID number (the number on your MIT Card)

* a Kerberos username and password (the same as your Athena 
username and password or your MIT email username and password)

* Netscape 3.0 or higher (other Web browsers don't have the 
necessary security features)

If you don't have an MIT Card, call the MIT Card Office at x3-3475. If 
you don't have a username and password, call Athena User Accounts 
at x3-1325.
 
While not a prerequisite, it's a very good idea to set up a password 
for your Netscape browser, to protect your certificates from theft. 
You can find out how to do this preparatory step - and all the steps 
involved in getting Web certificates - in two Web-based files.

Step-by-Step Instructions
There's a quick summary of the steps for getting Web certificates at

http://web.mit.edu/ist/help/cert/

A second document gives in-depth instructions and describes the 
technology behind certificates. It is located at

http://web.mit.edu/ist/help/cert/cert.html

You may want to print out the longer document before starting the 
process of getting Web certificates. It helps to have complete 
instructions handy.

Both documents include the links to the Web forms for getting 
certificates.
 
Things to Keep in Mind

* Netscape browser password. This password is not tied to your 
Kerberos password and, in fact, should be different. Once you set the 
browser password, you will be prompted to enter it before your 
personal certificate is sent to a secure Web server. If you forget this 
password, you will have to delete your certificates and get new ones.

* Site certificates. Netscape comes with a variety of site certificates, 
but you need to get a special one for use at MIT, called the "MIT 
Certificate Authority." Getting it adds it to the list of site 
certificates that Netscape recognizes. The "MIT Certificate Authority" 
keeps track of MIT's secure servers.
 
* Personal certificates. Your personal certificate is tied to your 
Kerberos password and to your browser. Even when you have a 
personal certificate, you may not be allowed access to specific secure 
servers.

* Multiple machines, multiple users. You must get a personal 
certificate and a site certificate for each machine on which you work. 
When more than one person uses the same machine and copy of 
Netscape, each person must get his or her own personal certificate. 
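
The two-certificate arrangement described in this article, and the point that holding a personal certificate does not by itself grant access to a particular secure server, shown as an added example (not from the original article and not MIT's own code). It assumes Python's standard ssl module as a stand-in for the browser and server; the service names, access lists, addresses and sample certificate are constructed for illustration.

```python
import ssl

# Hypothetical per-service access lists (constructed sample data).
SERVICE_ACL = {
    "student-records": {"jstudent@example.edu"},
    "purchase-orders": {"aadmin@example.edu"},
}

def server_context(ca_file=None, cert_file=None, key_file=None):
    """Server side: present a site certificate and demand a personal one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # accept only this CA's personal certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the server's site certificate
    return ctx

def client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: trust only the institution's CA, then offer a personal cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # the institution's CA certificate
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # personal certificate + private key
    return ctx

def subject_field(peer_cert, field):
    """Read one field from the subject of a dict shaped like getpeercert() output."""
    for rdn in peer_cert.get("subject", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None

def authorize(peer_cert, service):
    """The handshake proved who the user is; this decides what they may reach."""
    if not peer_cert:
        return False
    email = subject_field(peer_cert, "emailAddress")
    return email is not None and email.lower() in SERVICE_ACL.get(service, set())

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example University"),),
                (("commonName", "Jane Student"),),
                (("emailAddress", "jstudent@example.edu"),)),
}
```

On a live connection the server would pass the result of getpeercert() on the accepted socket to authorize() before serving any data.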
