PHNET Digital Certificate Service Frequently Asked Questions (FAQ)
1) What is a digital certificate?
2) Why should we trust a PHNET digital certificate?
3) Why doesn't my browser recognize PHNET-issued digital certificates?
4) Who may obtain a PHNET Digital Certificate?
5) What are the steps for obtaining a PHNET Digital Certificate?
6) I have not received the Form(s) your system was supposed to e-mail me. What is wrong?
7) I e-mailed the Request Form I received from your system
but I did not get a reply. What is wrong?
8) I am sure I did not modify the Request Form. I merely
pressed the "Reply" button. What is wrong?
9) Why can we not make modifications, even slight ones,
to the Request Form you e-mailed us?
10) How can we modify our Digital Certificate information? How often can
we make modifications?
11) Who can request for modifications on our Digital Certificate information?
12) What if both our Technical and Administrative contacts
are no longer reachable?
13) What is a manual revision of Digital Certificate information and
how do we ask for one?
14) We lost/deleted the PHNET-issued Digital Certificate. What should
we do?
15) The private key to our Digital Certificate has been compromised. What
should we do?
16) We received a notice that our certificate will expire soon
but I know it should expire next year. What should I do?
17) What is a "reissue" of a digital certificate?
18) What is a "replacement" digital certificate?
19) We want to modify the information in the PHNET-issued certificate. What should we do?
20) We installed the PHNET-issued certificate but our Apache
Server generated this error message "SSLPassPhraseDialog builtin is not supported on Win32." What should we do?
21) I have other questions that are neither answered by
this FAQ nor by your certs.ph.net form. What should I do?
What is a digital certificate?
Wikipedia has a good basic explanation of this matter. You might also want to read
up on the Public Key Infrastructure (PKI).
Why should we trust a PHNET digital certificate?
PHNET started the Internet in the Philippines in 1994. We have been the EDU.PH
DNS Registry since that time and have developed the technology, infrastructure,
and operations to vet the institutions registering under the EDU.PH domain.
We have ensured that only bona fide educational institutions are registered under
the EDU.PH domain. There has never been a single complaint about a fake institution
ever having been registered under the EDU.PH -- ever. We have more than a decade
of experience in this vetting process. We are using those very same resources
to ensure that the recipients of our digital certificates are who they claim to be.
You should trust PHNET because it is a competent and honest company run by
competent and honest people.
Why doesn't my browser recognize PHNET-issued digital certificates?
The browsers (MS Internet Explorer, Firefox, Mozilla, Netscape, Safari, Opera, and the
like) are all pre-configured by their makers with a list of certificate authorities
they recognize. PHNET is not on that list because we have neither the money nor the
marketing clout to get included in those lists. Not being on the lists doesn't make
PHNET any less trustworthy than those on the lists. You should trust PHNET because of
what you know about PHNET rather than because it is on a pre-configured list or not.
All the browsers allow users to add to the pre-configured lists.
If you trust PHNET, you should configure your browser to trust PHNET's Root Authority
Digital Certificate. Your browser will then automatically trust the digital certificates
issued by PHNET. For Firefox users, here are the steps for configuring your browser to
trust PHNET as a Certificate Authority:
1. Download the PHNET Digital Certificate from here. Use the "Save Page As" function from the "File" menu of your browser. Just accept the default name "PHNET-CA-cert.pem" for the file. We will be using this file later.
2. Click on "Edit" and then "Preferences." This will pop-up the "Firefox Preferences"
Window.
3. Click on the "Advanced" option.
4. Click on the "Encryption" tab of the "Advanced" options.
5. Click on "View Certificates" which will pop-up the "Certificate Manager" window.
6. Click on the "Authorities" tab of the "Certificate Manager" window.
7. Click on the "Import" button.
8. Type in the directory and the filename where you saved the file "PHNET-CA-cert.pem"
in step 1.
9. Click on "Open" and the "Downloading Certificate" window will open.
10. Select "Trust this CA ..." for everything you want to trust PHNET for and then
click on "OK".
11. Click on "OK" to close the "Certificate Manager" window.
12. Click on "Close" to close the "Firefox Preferences" window.
The other browsers will have a similar method of installation. Look for the
"Certificate Manager" function in those browsers.
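Before importing any root certificate, it is worth confirming that the downloaded file is the one the CA actually published. The following added example (not part of the original FAQ and not PHNET's own tooling) computes the SHA-256 fingerprint of a certificate file and compares it with a value obtained from the CA over a separate channel. The function names are hypothetical, and the demo runs on a constructed self-signed certificate rather than the real "PHNET-CA-cert.pem".

```shell
#!/bin/sh
# Added example (not PHNET's tooling): checks to run on a downloaded root
# certificate before importing it. The expected fingerprint must come from
# the CA over a separate channel; the demo uses a constructed certificate.

# Print the SHA-256 fingerprint of certificate $1 as 64 lowercase hex digits.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only if $1 is an unexpired, self-signed certificate whose
# fingerprint equals $2 (colons, spaces and letter case in $2 are ignored).
safe_to_import() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_fingerprint "$1")
    [ -n "$got" ] || { echo "not a readable certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 1; }
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 ||
        { echo "not self-signed or signature invalid" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# downloaded root certificate.
demo_ca() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/O=Constructed Example CA" -days 1 \
        -out "$dir/constructed-CA-cert.pem" 2>/dev/null
    fp=$(cert_fingerprint "$dir/constructed-CA-cert.pem")
    safe_to_import "$dir/constructed-CA-cert.pem" "$fp" && echo "match: import"
    safe_to_import "$dir/constructed-CA-cert.pem" "00$fp" 2>/dev/null ||
        echo "mismatch: do not import"
    rm -rf "$dir"
}

demo_ca
```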
Who may obtain a PHNET Digital Certificate?
Any Philippine-based institution may request for a PHNET Digital Certificate.
What are the steps for obtaining a PHNET Digital Certificate?
1. Prepare the following documents:
a) A copy of the Department of Education or CHED or
TESDA certificate of recognition for the institution. For State educational institutions,
a copy of the certificate or legislation which founded/recognized
the institution.
b) A letter from the institution's president or principal,
written on the school's letterhead, authorizing the representative to register
the domain on behalf of the institution. You may use this sample letter (PDF, PostScript) as your guide.
Those who already have an existing EDU.PH DNS registration may skip this step (1).
2. Properly fill up the form found in http://certs.ph.net/certs.html
3. Reply to the Request Form which will be e-mailed to you after you
finish step (2). In the reply, you must copy the Certificate Signing
Request (CSR) you have generated. This CSR comes from you, not from
PHNET, and is generated using your own software. After we receive your valid reply,
your request is classified as PENDING.
4. Within one week after step (3), submit the following by fax, snail-mail,
or courier:
a) The documents you prepared in step (1) for the
institution.
b) Proof of payment of the registration fee (i.e.
photocopy of the deposit slip, receipt, etc.). See http://certs.ph.net/payment.html
for the details. Please be sure that the proof of payment indicates
the domain that was registered as PENDING in step (3).
NOTE: All PENDING requests are automatically deleted from our
system, without any notice to anyone, after the seven-day period has expired.
I have not received the Form(s) your system was supposed to e-mail me. What is wrong?
Our system automatically e-mails the necessary Form(s) after a request is
triggered through http://certs.ph.net/certs.html. If you have not received the Form(s) after
a reasonable amount of time, the e-mail address you used is probably
not reachable through the Internet.
Please ensure that the e-mail address you use is reachable through
the Internet before doing anything else.
I e-mailed the Request Form I received from your system
but I did not get a reply. What is wrong?
Our system automatically discards Request Forms which had been modified,
no matter how slight the modification. If you did not receive an
e-mail acknowledgement from our system after a reasonable amount of time,
this is most probably because the Request Form you sent us had been modified
in some shape, form, or manner.
I am sure I did not modify the Request Form. I merely
pressed the "Reply" button. What is wrong?
If you did not modify the Form, then your mail system probably did. Does
your mail system use HTML format? Does it insert spaces or other characters
to the e-mail you reply to? Does it automatically truncate or linewrap
text after a certain length?
You must configure your mail system not to do any of the above.
You can safely configure your client to linewrap after 79 characters.
For example, Yahoo Mail defaults to using HTML format and a width
of 55 characters. E-mail sent to us using this default configuration
will be rejected.
For Yahoo users, follow these steps to reconfigure the format of your
out-going e-mail:
- Go to "Mail Options" of your E-mail Account
- Go to "Personalization"
- Click on "General Preferences"
- Select "Screen Width (Composing Plain Text Mail)"
- Set the counter to 80 characters rather than the default 55
- Save the changes
The Yahoo Mail sending format defaults to HTML. Follow these steps to change it to Plain Text:
- When you hit the reply button, you will see a reply page. On the right of
the Subject header, you will see either Plain Text or Rich Text.
If you see Rich Text, you are already on "Plain Text" format and do not
need to do anything else.
- Click on the word "Plain Text". A warning message will appear saying that the message
will be converted into plain text and that all formatting will be lost.
- Click "Ok" to proceed with the conversion. The mail sending format will now be in plain text format.
Why can we not make modifications, even slight ones, to
the Request Form you e-mailed us?
When the Form has been modified, it is impossible for us to determine who
made the modification and for what reasons. It could have been your
mailer making slight modifications or it could have been a third-party
changing the important information. To prevent the latter, we
assume the worst and just invalidate Forms which had been modified -- no
matter how slight.
How can we modify our Digital Certificate information? How often can we
make modifications?
We must stress that the information in the issued certificate
itself can not be changed. If any of the information in the certificate has
to be modified, you must request for a replacement certificate. This will
invalidate the old certificate and a new certificate, with the modified
information, will be issued. A replacement fee will be charged.
The information about the certificate may be modified. This
is the information on the technical/admin contacts, their contact
information, and the like. You may modify this information
as often as you need to. There are no charges for these modifications.
To make the modifications, just follow these steps:
1. Properly fill up the form found in http://certs.ph.net/certs.html.
2. The generated Request Form will be e-mailed to the Technical and
Administrative
contact of the domain for verification. If you are neither the Technical
nor the Administrative contact, you will not get the Request Form.
The person who generated the form will merely get an e-mail notice saying
that both the Technical and Administrative contacts had been
sent the Form.
3. To approve the requested modification, either the Technical or
the Administrative contact must e-mail back the Request Form generated
in (1). We only need the approval of one of the two contacts.
4. After we receive the Verification Request Form in (3), the requested
modifications will immediately be placed in our database.
Who can request for modifications on our Digital Certificate information?
Anyone can visit http://certs.ph.net and
generate the necessary Request Form for revisions. However, only the Technical
or Administrative contact of the domain can approve these requests.
What if both our Technical and Administrative contacts
are no longer reachable?
The automatic revision system is dependent on the ability of either the
Administrative or Technical contact of the domain to receive e-mail
from PHNET so that one of them can approve a requested modification.
The approving authority is either one of the two contact persons.
If neither of these is reachable through their e-mail addresses,
PHNET must manually intervene to effect the changes. We only
intervene after an institution asks for a manual revision of
Digital Certificate information.
What is a manual revision of Digital Certificate information and how do
we ask for one?
Manual revisions of certificate information are done by the authorized PHNET
administrator by manually modifying the certificate database. Institutions
who need to modify their information but whose contact persons,
as found in the PHNET database, are no longer reachable through e-mail
should request for a manual revision.
To effect a manual revision, the following steps must be followed:
1) Visit http://certs.ph.net/certs.html and click on the "Request for a PHNET Manual Revision" option. This will generate an Authorization Letter which
will be e-mailed to you.
2) Cut and paste the Authorization Letter into your institution's
letterhead. It must then be signed by the head of the institution.
3) Fax, snail-mail, or hand-deliver the Authorization Letter to
PHNET.
4) Submit proof of payment. Visit http://certs.ph.net/payment.html
for the details.
PHNET will verify that the request is bona fide and then make the necessary
modifications.
As you can see, the procedure is a little tedious. To avoid it (and
the payment associated with it), you must ensure that your current contact
persons transfer their responsibilities to the new contact persons before
they leave your employ.
We lost/deleted the PHNET-issued Digital Certificate. What should we do?
You should ask for a "reissue" of the certificate by visiting the "Request for Reissue ..." page in http://certs.ph.net/certs.html.
The private key to our Digital Certificate has been compromised. What should we do?
You should ask for a "replacement" of the certificate by visiting the "Request for a Replacement ..." page in http://certs.ph.net/certs.html.
The replacement certificate will invalidate/revoke the certificate to be replaced. A new
certificate will be issued with the same expiration date as the old certificate. PHNET
charges a replacement fee for this service.
We received a notice that our domain will expire soon
but I know it should expire next year. What should I do?
We probably goofed on our accounting. Please immediately reply to
the e-mail and say that we goofed. Please include receipt numbers,
etc. to prove that we indeed goofed. Without your reply, our system
assumes that there are no problems and everything is correct. Your certificate
will then automatically expire on that date.
When you send us a reply, it raises a red flag and allows us to double
check our accounting to verify that we indeed goofed. If we did, we will
make all the necessary corrections and issue you a new certificate.
If we did not, we will say that
we did not. At any rate, you should receive an e-mail from us detailing
the actions we have taken.
What is a "reissue" of a digital certificate?
A "reissue" is just a copy of the same digital certificate we had
issued. This is usually requested by institutions who inadvertently lost/deleted
the certificate from their webservers. See FAQ#14.
What is a "replacement" digital certificate?
A "replacement" is a new digital certificate to replace an old certificate.
The old certificate is invalidated by PHNET
by publishing it in the PHNET Certificate Revocation List. We then issue
a replacement certificate with the same expiration date as the old, revoked
certificate.
A replacement is requested by institutions who
believe that their old certificate has been compromised with the release
of their private key. It is also the recourse of institutions who want to
change the information in the certificate.
See the related questions FAQ#15 and FAQ#10.
We want to modify the information in the PHNET-issued certificate. What should we do?
Ask for a replacement. See the related questions FAQ#15, FAQ#10 and FAQ#18.
We installed the PHNET-issued certificate but our Apache
Server generated this error message "SSLPassPhraseDialog builtin is not supported on Win32." What should we do?
The problem is not with the PHNET-issued certificate but in your
encrypted private key. Unfortunately, Apache for Windows does not support
encrypted private keys. You will need to remove the password
from the private key that you had created.
Assuming that your SSL software created the private key as "privatekey.pem",
you can remove the password from the private key by issuing the command:
openssl rsa -in privatekey.pem -out newcert.key
Now, you should use this "newcert.key" file in your Apache
configuration file as:
SSLCertificateKeyFile /path/to/certs/newcert.key
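After removing the password, confirm that the new key file really is unencrypted and still pairs with the issued certificate before restarting Apache. The following added example (not part of the original FAQ and not PHNET's own tooling) does this with openssl from a POSIX shell. The function names, the "issued-cert.pem" file name, the subject and the demo passphrase are hypothetical, and the demo uses a constructed key with a self-signed stand-in for the issued certificate.

```shell
#!/bin/sh
# Added example (not PHNET's tooling). "privatekey.pem" and "newcert.key"
# follow the FAQ; the certificate name, subject and passphrase are constructed.

# Succeeds if the PEM key file $1 is still passphrase-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Write a passphrase-free copy of key $1 to $2, readable by its owner only.
# $3 is an optional openssl pass source ("pass:...", "file:..."); without it
# openssl prompts on the terminal, as the FAQ's command does.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" ${3:+-passin "$3"} -out "$2" )
}

# Succeeds if unencrypted private key $1 and certificate $2 hold the same
# public key, i.e. Apache can serve the certificate with this key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed demo: an encrypted key plus a self-signed stand-in certificate.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -aes256 -passout pass:demo-only \
        -out "$dir/privatekey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/privatekey.pem" -passin pass:demo-only \
        -subj "/CN=www.example.edu.ph" -days 1 \
        -out "$dir/issued-cert.pem" 2>/dev/null
    key_is_encrypted "$dir/privatekey.pem" && echo "privatekey.pem: encrypted"
    strip_passphrase "$dir/privatekey.pem" "$dir/newcert.key" pass:demo-only \
        2>/dev/null || return 1
    key_is_encrypted "$dir/newcert.key" || echo "newcert.key: no passphrase"
    key_matches_cert "$dir/newcert.key" "$dir/issued-cert.pem" &&
        echo "newcert.key pairs with the certificate"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

An unencrypted key is protected only by file permissions. The umask call has no effect on Windows, where the key file's NTFS permissions should be restricted to the account that runs Apache.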
I have other questions that are neither answered by your
FAQ nor by your certs.ph.net form. What should I do?
E-mail all your questions to dns AT ph.net (replace the AT with the @ sign).
If the answers are neither in http://certs.ph.net
nor in this FAQ, we will send you the answers ASAP. We might even
include them in this FAQ. If they are found in either of these two
resources, then we will just tell you to RTFM or just politely say FAQ you.
Copyleft © 1999-2007 Philippine Network Foundation, Inc (PHNET). All rights reserved.
Revised: October 18, 2007