PHNET Digital Certificate Service Frequently Asked Questions (FAQ)

1) What is a digital certificate?

2) Why should we trust a PHNET digital certificate?

3) Why doesn't my browser recognize PHNET-issued digital certificates?

4) Who may obtain a PHNET Digital Certificate?

5) What are the steps for obtaining a PHNET Digital Certificate?

6) I have not received the Form(s) your system was supposed to e-mail me. What is wrong?

7) I e-mailed the Request Form I received from your system but I did not get a reply. What is wrong?

8) I am sure I did not modify the Request Form. I merely pressed the "Reply" button. What is wrong?

9) Why can we not make modifications, even slight ones, to the Request Form you e-mailed us?

10) How can we modify our Digital Certificate information? How often can we make modifications?

11) Who can request for modifications on our Digital Certificate information?

12) What if both our Technical and Administrative contacts are no longer reachable?

13) What is a manual revision of Digital Certificate information and how do we ask for one?

14) We lost/deleted the PHNET-issued Digital Certificate. What should we do?

15) The private key to our Digital Certificate has been compromised. What should we do?

16) We received a notice that our certificate will expire soon but I know it should expire next year. What should I do?

17) What is a "reissue" of a digital certificate?

18) What is a "replacement" digital certificate?

19) We want to modify the information in the PHNET-issued certificate. What should we do?

20) We installed the PHNET-issued certificate but our Apache Server generated this error message "SSLPassPhraseDialog builtin is not supported on Win32." What should we do?

21) I have other questions that are neither answered by this FAQ nor by your certs.ph.net form. What should I do?


What is a digital certificate?

Wikipedia has a good basic explanation of this matter. You might also want to read about Public Key Infrastructure (PKI).

Why should we trust a PHNET digital certificate?

PHNET started the Internet in the Philippines in 1994. We have been the EDU.PH DNS Registry since that time and have developed the technology, infrastructure, and operations to vet the institutions registering under the EDU.PH domain. We have ensured that only bona fide educational institutions are registered under the EDU.PH domain. There has never been a single complaint about a fake institution ever having been registered under the EDU.PH -- ever. We have more than a decade of experience in this vetting process. We are using those very same resources to ensure that the recipients of our digital certificates are who they claim to be.

You should trust PHNET because it is a competent and honest company run by competent and honest people.


Why doesn't my browser recognize PHNET-issued digital certificates?

The browsers (MS Internet Explorer, Firefox, Mozilla, Netscape, Safari, Opera, and the like) are all pre-configured by their makers with a list of certificate authorities they recognize. PHNET is not on that list because we don't have the money nor the marketing clout to get included in those lists. Not being on the lists doesn't make PHNET any less trustworthy than those on the lists. You should trust PHNET because of what you know about PHNET rather than because it is on a pre-configured list or not.

All the browsers allow users to add to the pre-configured lists. If you trust PHNET, you should configure your browser to trust PHNET's Root Authority Digital Certificate. Your browser will then automatically trust the digital certificates issued by PHNET. For Firefox users, here are the steps for configuring your browser to trust PHNET as a Certificate Authority:

1. Download the PHNET Digital Certificate from here. Use the "Save Page As" function from the "File" menu of your browser. Just accept the default name "PHNET-CA-cert.pem" for the file. We will be using this file later.

2. Click on "Edit" and then "Preferences." This will pop-up the "Firefox Preferences" Window.

3. Click on the "Advanced" option.

4. Click on the "Encryption" tab of the "Advanced" options.

5. Click on "View Certificates" which will pop-up the "Certificate Manager" window.

6. Click on the "Authorities" tab of the "Certificate Manager" window.

7. Click on the "Import" button.

8. Type in the directory and the filename where you saved the file "PHNET-CA-cert.pem" in step 1.

9. Click on "Open" and the "Downloading Certificate" window will open.

10. Select "Trust this CA ..." for everything you want to trust PHNET for and then click on "OK".

11. Click on "OK" to close the "Certificate Manager" window.

12. Click on "Close" to close the "Firefox Preferences" window.

The other browsers will have a similar method of installation. Look for the "Certificate Manager" function in those browsers.
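
Importing a root certificate makes the browser trust everything issued under it, so the downloaded file should be checked before step 7. The script below is an added example, not part of PHNET's instructions: it confirms that a PEM file is a self-signed CA certificate and that its SHA-256 fingerprint equals a value obtained through a separate channel. It assumes such a fingerprint can be obtained from the CA, and the CA it generates is a constructed stand-in for PHNET-CA-cert.pem.

```shell
#!/bin/sh
# Added example: check a downloaded root CA certificate before importing it.
# The CA generated below is constructed for the demo and stands in for
# the PHNET-CA-cert.pem file saved in step 1.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 only if $1 is a self-signed CA certificate whose fingerprint
# equals $2, the value obtained through a separate channel.
verify_root_ca() {
    # 1: the certificate must be marked as a CA.
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
    # 2: a root is signed by its own key, so it must verify against itself.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 2
    # 3: the fingerprint must equal the one confirmed out of band.
    [ "$(cert_fingerprint "$1")" = "$2" ] || return 3
}

demo=$(mktemp -d)
cat > "$demo/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$demo/ca.cnf" \
    -keyout "$demo/ca.key" -out "$demo/demo-CA-cert.pem" 2>/dev/null

# In real use this value comes from the CA by phone, fax or in person,
# never from the same web page as the certificate file.
confirmed=$(cert_fingerprint "$demo/demo-CA-cert.pem")
verify_root_ca "$demo/demo-CA-cert.pem" "$confirmed" &&
    echo "Fingerprint confirmed: $confirmed"
```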


Who may obtain a PHNET Digital Certificate?

Any Philippine-based institution may request for a PHNET Digital Certificate.

What are the steps for obtaining a PHNET Digital Certificate?

1. Prepare the following documents:

    a) A copy of the Department of Education or CHED or TESDA certificate of recognition for the institution. For State educational institutions, a copy of the certificate or legislation which founded/recognized the institution.

    b) A letter from the institution's president or principal, written on the school's letterhead, authorizing the representative to register the domain on behalf of the institution. You may use this sample letter (PDF, PostScript) as your guide.

Those who already have an existing EDU.PH DNS registration may skip step 1.

2. Properly fill up the form found in http://certs.ph.net/certs.html

3. Reply to the Request Form which will be e-mailed to you after you finish step (2). In the reply, you must copy the Certificate Signing Request (CSR) you have generated. This CSR comes from you, not from PHNET, and is generated using your own software. After we receive your valid reply, your request is classified as PENDING.

4. Within one week after step (3), submit the following by fax, snail-mail, or courier:

    a) The documents you prepared in step (1) for the institution.

    b) Proof of payment of the registration fee (i.e. photocopy of the deposit slip, receipt, etc.). See http://certs.ph.net/payment.html for the details.  Please be sure that the proof of payment indicates the domain that was registered as PENDING in step (3).

NOTE: All PENDING requests are automatically deleted from our system, without any notice to anyone, after the seven-day period has expired.


I have not received the Form(s) your system was supposed to e-mail me. What is wrong?

Our system automatically e-mails the necessary Form(s) after a request is triggered through http://certs.ph.net/certs.html. If you have not received the Form(s) after a reasonable amount of time, the e-mail address you used is probably not reachable through the Internet.

Please ensure that the e-mail address you use is reachable through the Internet before doing anything else.


I e-mailed the Request Form I received from your system but I did not get a reply. What is wrong?

Our system automatically discards Request Forms which have been modified, no matter how slight the modification. If you did not receive an e-mail acknowledgement from our system after a reasonable amount of time, this is most probably because the Request Form you sent us had been modified in some shape, form, or manner.

I am sure I did not modify the Request Form. I merely pressed the "Reply" button. What is wrong?

If you did not modify the Form, then your mail system probably did. Does your mail system use HTML format? Does it insert spaces or other characters to the e-mail you reply to? Does it automatically truncate or linewrap text after a certain length?

You must configure your mail system not to do any of the above. You can safely configure your client to linewrap after 79 characters.

For example, Yahoomail defaults to using HTML format and a width of 55 characters. E-mail sent to us using this default configuration will be rejected.

For Yahoo users, follow these steps to reconfigure the format of your out-going e-mail:

Yahoo mail sending format defaults to html. Follow these steps to change it to Plain Text


Why can we not make modifications, even slight ones, to the Request Form you e-mailed us?

When the Form has been modified, it is impossible for us to determine who made the modification and for what reasons. It could have been your mailer making slight modifications or it could have been a third party changing the important information. To prevent the latter, we assume the worst and just invalidate Forms which have been modified -- no matter how slight.

How can we modify our Digital Certificate information? How often can we make modifications?

We must stress that the information in the issued certificate itself can not be changed. If any of the information in the certificate has to be modified, you must request for a replacement certificate. This will invalidate the old certificate and a new certificate, with the modified information, will be issued. A replacement fee will be charged.

The information about the certificate may be modified. This covers the information on the technical/admin contacts, their contact information, and the like. You may modify this information as often as you need to. There are no charges for these modifications. To make the modifications, just follow these steps:

1. Properly fill up the form found in http://certs.ph.net/certs.html.

2. The generated Request Form will be e-mailed to the Technical and Administrative contact of the domain for verification. If you are neither the Technical nor the Administrative contact, you will not get the Request Form.  The person who generated the form will merely get an e-mail notice saying that  both the Technical and Administrative contacts had been sent the Form.

3. To approve the requested modification, either the Technical or the Administrative contact must e-mail back the Request Form generated in (1).  We only need the approval of one of the two contacts.

4. After we receive the Verification Request Form in (3), the requested modifications will immediately be placed in our database. 


Who can request for modifications on our Digital Certificate information?

Anyone can visit http://certs.ph.net and generate the necessary Request Form for revisions. However, only the Technical or Administrative contact of the domain can approve these requests.

What if both our Technical and Administrative contacts are no longer reachable?

The automatic revision system is dependent on the ability of either the Administrative or Technical contact of the domain to receive e-mail from PHNET so that one of them can approve a requested modification. The approving authority is either one of the two contact persons. If neither of them is reachable through their e-mail addresses, PHNET must manually intervene to effect the changes. We only intervene after an institution asks for a manual revision of Digital Certificate information.

What is a manual revision of Digital Certificate information and how do we ask for one?

Manual revisions of certificate information are done by the authorized PHNET administrator by manually modifying the certificate database. Institutions who need to modify their information but whose contact persons, as found in the PHNET database, are no longer reachable through e-mail should request for a manual revision. To effect a manual revision, the following steps must be followed:

1) Visit http://certs.ph.net/certs.html and click on the "Request for a PHNET Manual Revision" option. This will generate an Authorization Letter which will be e-mailed to you.

2) Cut and paste the Authorization Letter into your institution's letterhead. It must then be signed by the head of the institution.

3) Fax, snail-mail, or hand-deliver the Authorization Letter to PHNET.

4) Submit proof of payment. Visit http://certs.ph.net/payment.html for the details.

PHNET will verify that the request is bona fide and then make the necessary modifications.

As you can see, the procedure is a little tedious. To avoid it (and the payment associated with it), you must ensure that your current contact persons transfer their responsibilities to the new contact persons before they leave your employ.

 

We lost/deleted the PHNET-issued Digital Certificate. What should we do?

You should ask for a "reissue" of the certificate by visiting the "Request for Reissue ..." page in http://certs.ph.net/certs.html.

The private key to our Digital Certificate has been compromised. What should we do?

You should ask for a "replacement" of the certificate by visiting the "Request for a Replacement ..." page in http://certs.ph.net/certs.html. The replacement certificate will invalidate/revoke the certificate to be replaced. A new certificate will be issued with the same expiration date as the old certificate. PHNET charges a replacement fee for this service.

We received a notice that our domain will expire soon but I know it should expire next year. What should I do?

We probably goofed on our accounting.  Please immediately reply to the e-mail and say that we goofed.  Please include receipt numbers, etc to prove that we indeed goofed.  Without your reply, our system assumes that there are no problems and everything is correct. Your certificate will then automatically expire on that date.

When you send us a reply, it raises a red flag and allows us to double check our accounting to verify that we indeed goofed. If we did, we will make all the necessary corrections and issue you a new certificate. If we did not, we will say that we did not. At any rate, you should receive an e-mail from us detailing the actions we have taken.


What is a "reissue" of a digital certificate?

A "reissue" is just a copy of the same digital certificate we had issued. This is usually requested by institutions who inadvertently lost/deleted the certificate from their webservers. See FAQ#14.

What is a "replacement" digital certificate?

A "replacement" is a new digital certificate to replace an old certificate. The old certificate is invalidated by PHNET by publishing it in the PHNET Certificate Revocation List. We then issue a replacement certificate with the same expiration date as the old, revoked certificate. A replacement is requested by institutions who believe that their old certificate has been compromised with the release of their private key. It is also the recourse of institutions who want to change the information in the certificate. See the related questions FAQ#15 and FAQ#10.

We want to modify the information in the PHNET-issued certificate. What should we do?

Ask for a replacement. See the related questions FAQ#15, FAQ#10 and FAQ#18.

We installed the PHNET-issued certificate but our Apache Server generated this error message "SSLPassPhraseDialog builtin is not supported on Win32." What should we do?

The problem is not with the PHNET-issued certificate but in your encrypted private key. Unfortunately, Apache for Windows does not support encrypted private keys. You will need to remove the password from the private key that you had created.

Assuming that your SSL software created a private key as "privatekey.pem", you can remove the passphrase from the private key by issuing the command:

   openssl rsa -in privatekey.pem -out newcert.key

Now, you should use this "newcert.key" file in your Apache configuration file as:

    SSLCertificateKeyFile /path/to/certs/newcert.key
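
The passphrase-removal step above, extended with the checks worth running before Apache is pointed at the new file (an added example, not PHNET's own procedure). Because newcert.key is stored unencrypted, the script creates it with owner-only permissions and confirms that it still matches the certificate; on Windows, restrict the file with NTFS permissions instead. The key, passphrase, CN and self-signed certificate are constructed stand-ins, and server.crt and the KEYPASS variable are hypothetical names.

```shell
#!/bin/sh
# Added example: strip the passphrase, then check the result before use.
# The key, passphrase and certificate below are constructed for the demo.

# True if the PEM private key file is passphrase-protected.
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# SHA-256 digest of the public key held in an unencrypted private key file.
key_pub_digest() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 digest of the public key held in a certificate.
cert_pub_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Write an unencrypted copy of key $1 to $2 (passphrase read from $KEYPASS),
# created with owner-only permissions. Return 0 only if the copy really is
# unencrypted and its public key matches certificate $3.
strip_and_check() {
    ( umask 077
      openssl rsa -in "$1" -passin env:KEYPASS -out "$2" 2>/dev/null ) || return 1
    is_encrypted "$2" && return 2
    [ "$(key_pub_digest "$2")" = "$(cert_pub_digest "$3")" ] || return 3
}

work=$(mktemp -d)
KEYPASS='constructed-demo-passphrase'; export KEYPASS
openssl genrsa -aes256 -passout env:KEYPASS \
    -out "$work/privatekey.pem" 2048 2>/dev/null
# Self-signed stand-in for the issued certificate (CN is a placeholder).
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.test\n' \
    > "$work/req.cnf"
openssl req -x509 -new -config "$work/req.cnf" -key "$work/privatekey.pem" \
    -passin env:KEYPASS -days 1 -out "$work/server.crt" 2>/dev/null

strip_and_check "$work/privatekey.pem" "$work/newcert.key" "$work/server.crt" &&
    echo "newcert.key is unencrypted and matches the certificate"
```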

I have other questions that are neither answered by your FAQ nor by your certs.ph.net form. What should I do?

E-mail all your questions to dns AT ph.net (replace the AT with the @ sign). If the answers are neither in http://certs.ph.net nor in this FAQ, we will send you the answers ASAP. We might even include them in this FAQ. If they are found in either of these two resources, then we will just tell you to RTFM or just politely say FAQ you.

Copyleft © 1999-2007 Philippine Network Foundation, Inc (PHNET). All rights reserved.
Revised: October 18, 2007