How to obtain a new GlobalSign certificate or renew an existing one

Note: If the certificate has already expired, it cannot be renewed; a new certificate must be issued.

In this article:

Step-by-Step instructions

  1. Create a 2048-bit private key using the appropriate utility on your computer. Examples of private key creation can be found at Globalsign's website or see the Open SSL example below.

    Note: This step is not necessary if renewing a GlobalSign certificate unless your web server insists on creating a new key:

  2. If you have an existing private key from previous certificate creation, you can reuse that, as the key is not tied to a particular Certificate Signing Request (CSR). Please keep in mind that your private key must be kept secure, and it must not be accessible to visitors in your web space. You must back it up in a secure location.

  3. If the private key is lost, you will have to create a new key and regenerate your certificates.

  4. Create a CSR for your server using the private key from the previous step, following Globalsign's instructions or this OpenSSL example.

    1. The hostname for the certificate should be of the form

    2. A number of data fields in the CSR are common to all Waterloo certificates and must be used. The common field values you should use in creating your CSR are:

      • C=CA

      • ST=Ontario

      • L=Waterloo

      • O=University of Waterloo

      • CN=the full name of your server as seen by clients (e.g.,

  5. In a web browser, go to the GlobalSign UWaterloo self-service page.

  6. Enter all information in the form, and enter your CSR in the box. In particular, note the following about the form fields:

    1. Products: OrganisationSSL or IntranetSSL. If the certificate is for public (generally, meaning available to off-campus people) or for large groups of unmanaged clients (generally, meaning an audience including undergraduate students) then use the OrganisationSSL option. If it is an internal-only service, or if the primary users are faculty and/or staff, then use the IntranetSSL option.

    2. Get the Green Bar: This is for Extended Validation certificates. Always choose no.

    3. New or Trade-in Certificate: if you have an existing GlobalSign certificate for your server, select Renewal. For all other cases, select New.

    4. Include Subject Alternative Names (SAN): a SAN is a way of having multiple hostnames associated with the same certificate. If you do not know whether you require SAN support, you probably don't and should not check this box.

      1. After selecting this box, additional options will appear. Select those appropriate to your application and enter any requested addresses and names.

      2. If you have questions about SAN support, please email UW/IST Certificate Authority for assistance.

        • Activate Standard Unified Communications (UC) Support

        • Secure Additional Subdomains

        • Secure Internal IP Addresses

        • Secure Additional Domain Names

    5. Contact Information: The information provided here must include University of Waterloo phone numbers and email addresses. Requests using off-campus contact information will be denied.

      1. Enter details for the technical contact for the certificate in the contact information fields.

      2. Use the name of the server's administrator. We recommend that departments use a dedicated email address of the form rather than an individual staff member's email address.

      3. The phone number should be in the form +1-519-888-4567 ext. 33333.

  7. Submit the form by clicking on the Continue button at the bottom of the page.

  8. Verify the information on the confirmation page that is displayed.

  9. Select "I Agree", "Back", or "I Do Not Agree"

  10. If you selected "I Agree", a page will be displayed that gives you an order number. The request will be forwarded to IST Security Certificate Authority staff for approval. This approval usually takes one business day. However, it may take longer if we have to verify your request.

  11. The new certificate will be sent directly to you via email once your request has been approved. Install it on your application, following GlobalSign's installation instructions.

  12. Note that you may need to download and install GlobalSign's intermediate certificate as well. Instructions to do this are included with the installation instructions. GlobalSign has background documentation on intermediate certificates.

Requests will normally be processed in one business day. However, if there are errors or incomplete information in your request, delays may occur.


OpenSSL example

If you require assistance with the following instructions or any aspect of obtaining and using SSL certificates, please email the UW/IST Certificate Authority.

To create a private key called using OpenSSL, use the following command using your own server in place of

openssl genrsa -out 2048

Certificate Signing Request example

Use the name of your own server, instead of, to name the files. The required University of Waterloo location fields can be specified on the command line, as in this example:

openssl req -new -key -out -subj /C=CA/ST=Ontario/L=Waterloo/O=University\ of\ Waterloo/

The CN field identifies your server and must contain your full server name.

Need help?

Contact UW/IST Certificate Authority.

Article feedback

If you’d like to share any feedback about this article, please let us know.