Obtaining Certificates for Accessing Secure Web Services at MIT
Introduction: Secure Web Servers and Web Certificates
MIT continues to expand the online services and applications that
it delivers over the Web. These applications come from secure web
servers that limit access to authorized users and protect transmission
of sensitive data by encryption. Secure web servers, like other web
servers, provide information and services through web browsers. Access
to a secure server requires that you have what are called "web
certificates" on your web browser.
Here are some of MIT's services that depend on web certificates.
- WebSIS lets students access their individual academic
and financial records (including grades and class assignments),
and update address and other personal information.
- Administrators can create requisitions, and view SAP-based financial
and purchasing data via SAPweb.
- SAPweb Self-Service lets MIT employees
access and update their personal information, benefits enrollment,
MIT training opportunities, and other information.
- ECAT facilitates purchases of office supplies, computer
equipment and software, lab supplies, maintenance supplies, and
other items.
Read on for the steps to getting your MIT web certificates.
Prerequisites to Getting MIT Web Certificates
Before you can get MIT web certificates, make sure you have the
following:
MIT personal web certificates are supported only on browsers that
support X.509 digital certificates. The current recommended and
supported browser versions are:
For the latest information on supported browsers, check Web
Browsers at MIT.
Athena Users
Your Mozilla certificate and preference files are stored in a Mozilla
subdirectory in your Athena personal file system (~/.mozilla). This
file system and everything in it follows you from workstation to
workstation, so that on Athena you need only one set of certificates.
Your .mozilla subdirectory is normally set so that only you have
access to it, even if you set your home directory to be world-readable.
For details on protecting your Athena directories, see Making
Your Files Accessible, in Working
on Athena.
Getting the Certificates
To access MIT's secure web servers you actually need two different
types of certificates: the MIT CA (Certification Authority), and
your personal certificate. Getting these certificates is a two-step
process, as follows.
If You Use Multiple Computers
You need both certificates for each computer from
which you will access MIT's secure web servers. On Athena, you get
certificates only once; they follow you to wherever you log into
Athena.
If You Use Multiple Browsers on One Computer
You need to get both certificates for each browser
you may use on a single computer. The typical combinations are Safari
and Firefox on Macintosh; IE and Firefox on Windows.
Taking Over a Computer with Old Certificates
If you are taking over a computer that contains
certificates for a previous user, you should delete
the old certificate-related files before getting your own certificates.
The MIT CA
The MIT CA (Certification Authority) authenticates the secure web
server to your computer. MIT CAs are valid for several years. Note:
Browsers come with a group of other certificate signers (also known
as certificate authorities) pre-installed; you are adding the MIT
Certification Authority to this group.
If you need to install the MIT CA, click the link below and follow
the instructions, or see Installing MIT Certificates.
If the MIT CA already exists on your computer, you will see a
small window confirming this.
Get an MIT CA (Certification Authority)
Your Personal Certificate
Your MIT personal certificate (also called a digital ID) authenticates
you and your computer to the secure MIT web server. This personal
certificate is "signed" by the MIT Certificate Authority and associates
you with your Kerberos (same as Athena, Eudora, MITnet, SAP) username
and password. It proves to the secure server that you are who you
claim to be (although the server itself may be one with further
restrictions as to who can access it).
MIT personal certificates are set to expire periodically. If you
are getting a personal certificate on a system (including Athena)
that you will be using for a shorter period of time, you can set
the number of days the certificate is to be valid. If you set this
to zero (0), the certificate is valid for about 3 hours.
To install your personal certificate, click the link below
and follow the instructions, or see Installing
MIT Certificates. (Multiple personal certificates can
coexist on your computer.)
When Your Personal Certificate Expires
When your personal certificate expires, you will need to get a
new one before you can continue to access the MIT secure web services
for which you are authorized. For details, see Expiration
of Personal Certificates.
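The relationship between the CA certificate, a personal certificate signed by it, and the validity period set in days can be reproduced with the openssl command line. This is an added illustration, not MIT's issuance process or code from this page: the CA names, the user jdoe, the organization string and the helper function names are all constructed, and the CA is a throwaway one created in a temporary directory.

```sh
#!/bin/sh
# Constructed demo: a throwaway CA and personal certificate, not MIT's.

# make_ca DIR NAME: create a self-signed CA (key + certificate) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Institute/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_personal DIR CA USER DAYS: sign USER's certificate with CA,
# valid for DAYS days (the validity period chosen at request time).
issue_personal() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Institute/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days "$4" -out "$1/$3.pem" 2>/dev/null
}

# signed_by CERT CA: succeed only if CERT chains to the CA certificate.
signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# valid_for CERT SECONDS: succeed if CERT is still valid SECONDS from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" example-ca && make_ca "$d" other-ca &&
    issue_personal "$d" example-ca jdoe 1 || { rm -rf "$d"; return 1; }
    # Show who the certificate names, who signed it, and when it expires.
    openssl x509 -in "$d/jdoe.pem" -noout -subject -issuer -enddate
    signed_by "$d/jdoe.pem" "$d/example-ca.pem" && echo "chains to example-ca"
    signed_by "$d/jdoe.pem" "$d/other-ca.pem" || echo "rejected by other-ca"
    valid_for "$d/jdoe.pem" 3600 && echo "valid one hour from now"
    valid_for "$d/jdoe.pem" 172800 || echo "expired two days from now"
    rm -rf "$d"
}
demo
```

The same `openssl x509 -noout -subject -issuer -enddate` call works on any exported PEM certificate, which is a quick way to see whose certificate a file holds and whether it has expired.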
Installing MIT Certificates
The following pages give detailed instructions on installing both
the MIT CA and a personal certificate.
Deleting MIT-Related Certificates
You may find that you need to remove existing certificates from
a computer. Among the reasons are:
- You are taking over, as sole user, a computer with certificates
for a person no longer using the machine.
- You are taking over a shared computer with certificates for
a person no longer using the machine.
- You obtained certificates with a certificate password, but you
have forgotten that password and need to enter a new one and then
obtain new certificates.
- You have reason to believe that your machine has been accessed
or compromised by others and you need to get new certificates.
For details, see Deleting
Certificates and Related Passwords.
When You Connect to a Secure MIT Web Site
Now that you have both your MIT CA and personal certificates, and
have set up a certificate, or browser, password, you are ready to
access an MIT secure web server. The work of the certificates is
generally "behind the scenes".
When you go to a secure server (either by clicking a link on a
web page or entering the URL), you will be prompted for your certificate
password. Type the password, click OK, and the secure web page will
be displayed.