When your school's SSL certificate is due for renewal there are three options available to renew it.
Please ensure you have a process at your school to alert the relevant people when a certificate is approaching expiry.
Option 1: Update the certificate with one provided by the school
To proceed with this option please provide the following to the SEQTA Support team:
- The certificate and private key in PKCS#12 (.PFX) format
- The password for the PFX file can be sent via a one-time viewing system and the link added to the case. If it is urgent please also contact the Support team via phone (1300 498 642) and quote your ticket number to request prioritisation.
We will then upload the certificate to your school's SEQTA Server, including ensuring the .csr and .key are correct, and will send notification once complete.
Option 2: Renew or purchase a certificate for the school
To proceed with this option please provide the following to the SEQTA Support team:
- A purchase order number for supply of a "wildcard SSL certificate" issued for 1.5 hours at our hourly rate
- An email address from the list below. (This list is out of our control and is set by the Certificate Authority.)
  - admin@{school's domain name} (only available for renewals)
  - administrator@{school's domain name}
  - hostmaster@{school's domain name}
  - webmaster@{school's domain name}
  - postmaster@{school's domain name}
Once we have the above information, we will request the certificate, and a verification email will then be sent to the chosen address. The school then confirms domain ownership by clicking the link in the email. We will then install the certificate on the SEQTA server and supply it in PKCS#12 (.pfx) format for use in other services and devices (e.g. a reverse proxy).
Option 3: Swap to using auto-renewing Let's Encrypt certificates
As we utilise HTTP-01 verification, Let's Encrypt's various servers around the world will need to connect to your SEQTA sites to confirm ownership. This way we do not need anything from the school, such as credentials for DNS.
This means:
- Your SEQTA server must be available on port 80 (HTTP) from anywhere in the world. There may be some high-risk countries you block, but the US, Europe, and SE Asian regions are required by Let's Encrypt themselves.
- You can geoblock traffic on port 443 (HTTPS) as it's not used for verification.
- Additionally, no client data is transferred via plain HTTP as any request outside the "/.well-known/" path is automatically forced (via HTTP 301 redirect) to its HTTPS equivalent.
- If you have a WAF, reverse-proxy, or other filter that also handles Let's Encrypt HTTP-01 verification, you may want to add a rule to forward the specific SEQTA hostnames and the path "/.well-known/acme-challenge/*" to your SEQTA server so we can serve the required verification file.
- If you use wallboard displays or digital signage to display the SEQTA Notices, please contact our Support Team via the portal.
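
A pre-check for the port 80 behaviour described above, as an added example rather than SEQTA's own tooling: it confirms that ordinary paths are 301-redirected to HTTPS and that the challenge path is answered over plain HTTP instead of being redirected or rejected by a filter. The function names and the token are constructed for illustration, and a pass only reflects the network the script is run from, so run it from outside the school network.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Path prefix that ACME HTTP-01 validation requests use (RFC 8555).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe(host, path, port=80, timeout=5):
    """GET `path` over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "http01-precheck"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_http01(host, port=80):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        status, location = probe(host, "/", port)
        # Ordinary paths must be forced to HTTPS with a 301.
        if status != 301 or urlsplit(location or "").scheme != "https":
            findings.append(f"/ answered {status} {location!r}, expected 301 to https://")
        # Constructed token: no such challenge exists, so a 404 is fine. What
        # matters is that the request is answered over HTTP, not redirected
        # or rejected by a filter in front of the server.
        status, location = probe(host, CHALLENGE_PREFIX + "constructed-precheck-token", port)
        if status in (301, 302, 303, 307, 308):
            findings.append(f"challenge path redirected ({status} to {location!r})")
        elif status in (401, 403):
            findings.append(f"challenge path rejected ({status})")
    except (OSError, http.client.HTTPException) as exc:
        findings.append(f"no HTTP answer on port {port}: {exc}")
    return findings


if __name__ == "__main__":
    for name in sys.argv[1:]:  # hostnames to check, given on the command line
        problems = check_http01(name)
        print(name, "OK" if not problems else "; ".join(problems))
```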