Any service accessible via SSL (https) must have an SSL certificate. This includes any web server with encrypted or "secure" content. An SSL (Secure Sockets Layer) certificate is a signed electronic guarantee that a particular server is the server it claims to be. Certificates are used primarily (but not exclusively) for providing web pages via an encrypted connection. A certificate is signed by a Certificate Authority (CA), which ensures the integrity of the certificate.
A few Certificate Authorities such as Verisign, Thawte, and Terena are automatically trusted by SSL clients (including web browsers), so certificates signed by these companies are validated without user confirmation. Until recently C&CZ signed its own certificates but now all certificates of servers and web applications are signed by Terena (through SURFdiensten).
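The trust decision described above can be reproduced locally with the openssl command-line tool. This is an added example, not C&CZ's procedure: a certificate signed by a CA the client trusts verifies, while a self-signed one does not until the client explicitly trusts that certificate. The CA name, host name and file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed demo: "Example Test CA" and www.example.org are made-up names.
workdir=$(mktemp -d)

make_certs() {
  # 1. A private CA: key plus self-signed root certificate (the trust anchor).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" \
    -subj "/CN=Example Test CA" 2>/dev/null
  # 2. Server key and certificate signing request (CSR).
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$workdir/server.key" -out "$workdir/server.csr" \
    -subj "/CN=www.example.org" 2>/dev/null
  # 3. The CA signs the CSR, producing the server certificate.
  openssl x509 -req -in "$workdir/server.csr" -days 30 \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/server.crt" 2>/dev/null
  # 4. For comparison: a certificate the server signed itself.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$workdir/self.key" -out "$workdir/self.crt" \
    -subj "/CN=www.example.org" 2>/dev/null
}

# check <trust-anchor.pem> <certificate.pem>: prints "trusted" or "untrusted".
check() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

make_certs
# Client trusts the CA: the CA-signed certificate is accepted silently.
echo "CA-signed, CA trusted:        $(check "$workdir/ca.crt" "$workdir/server.crt")"
# Same client, self-signed certificate: no chain to a trusted CA.
echo "self-signed, CA trusted:      $(check "$workdir/ca.crt" "$workdir/self.crt")"
# Only after the user explicitly trusts that exact certificate does it verify.
echo "self-signed, trusted by user: $(check "$workdir/self.crt" "$workdir/self.crt")"
```

The second case is what a browser reports as an untrusted certificate warning; the third corresponds to the user confirming an exception for that one certificate.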
Obtaining a certificate
Because SSL certificates are used as proof of the validity of the web site or server, it is not possible to acquire a signed SSL certificate for just any domain name. The Certificate Authorities check whether the person or organisation requesting a certificate is indeed the owner of the domain name for which the certificate is requested. Domain names registered through C&CZ are owned by Radboud University. Therefore C&CZ can also request SSL certificates for these domain names.
Heartbleed OpenSSL bug
Organisations other than C&CZ will also inform users about the need to change passwords due to this vulnerability. A few examples:
- The [http://www.ru.nl/ictservicecentrum/actueel/news/@938292/security-leak/ ISC] about, among other things, the RU password.
- The big Dutch banks have stated that they do not use OpenSSL and thus have not been vulnerable to this bug. This does not look 100% correct.
- A list of Internet companies put together by the Dutch newspaper de Volkskrant.
- An overview of big Internet companies.