Request a Single or Multi-Domain Server SSL Certificate
KB00015371 • Updated 17-Feb-2025
IT Services provides free SSL/TLS certificates via the InCommon Certificate Service. These certificates can be used for any domain name (including non ".edu" domains) controlled by a University entity, for example, a division, department, school, lab, etc. More information about certificate types or domain name validation for SSL certificates is available in these articles:
- Overview of Available Digital Certificates
- Validate a Domain Name for Use with InCommon Certificate Service
To request a single or multiple-domain SSL certificate, you need to generate a valid Certificate Signing Request (CSR) and submit the CSR to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. Authority for some campus domains, notably those related to the University of Chicago Medicine and Booth School of Business, is the responsibility of the local IT support unit for those organizations.
The following paragraphs describe the process for submitting certificate requests to IT Services, the default certificate authority for the University campus. If you are unsure where to submit your request, contact your IT support staff or follow the procedure described below to submit to IT Services. IT Services will direct you to the appropriate authority.
Generate a Certificate Signing Request (CSR)
For specific information on generating a Certificate Signing Request (CSR) for your software, please refer to your server software documentation.
The CSR must meet the following requirements:
- The CSR must use a key length of 2048 bits.
- The CSR must contain a Common Name (CN) with a hostname of your server that is a fully qualified domain name (e.g., yourhostname.uchicago.edu not yourhostname) and valid in public DNS (e.g., not exchange-server.local).
- If you are requesting a certificate that will be valid for multiple domains, you may add up to 99 additional hostnames (subject alternate names, or SANs) in the CSR itself. Alternatively, you may simply note the domains in the relevant area of the self-enrollment form. In either case, read the Submission, Validation, and Issuance section of this article carefully.
Although it is good practice to enter correct and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, and Email Address), that information will be overwritten with standard University information when the certificate is issued.
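One way to produce a CSR that meets these requirements with OpenSSL, as an added example that is not part of the original article. The function names, output prefix and hostnames are placeholders, and the name check only rejects unqualified names and the `.local` suffix; it cannot confirm that a name exists in public DNS.

```sh
#!/bin/sh
# Added example; hostnames and the output prefix are placeholders.

# Succeeds if $1 is fully qualified and does not use the private .local suffix.
# (Offline check only: it cannot prove the name resolves in public DNS.)
valid_public_fqdn() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    *.local) return 1 ;;
  esac
  printf '%s\n' "$name" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print an OpenSSL request config: $1 is the CN, remaining arguments are
# additional SANs (at most 99). Only the CN is set in the subject because the
# other subject fields are replaced at issuance.
csr_config() {
  cn=$1; shift
  [ "$#" -le 99 ] || { echo "more than 99 additional hostnames" >&2; return 1; }
  for h in "$cn" "$@"; do
    valid_public_fqdn "$h" || { echo "not a public FQDN: $h" >&2; return 1; }
  done
  printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
  printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = @san\n[san]\n' "$cn"
  i=1
  for h in "$cn" "$@"; do   # the CN is repeated as the first SAN
    printf 'DNS.%d = %s\n' "$i" "$h"
    i=$((i + 1))
  done
}

# make_csr PREFIX CN [SAN...] writes PREFIX.cnf, PREFIX.key and PREFIX.csr.
make_csr() {
  out=$1; shift
  csr_config "$@" > "$out.cnf" || return 1
  ( umask 077   # keep the private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$out.cnf" -keyout "$out.key" -out "$out.csr" ) || return 1
  # Print the key size, subject and SANs that will be submitted.
  openssl req -in "$out.csr" -noout -text | grep -E 'Public-Key|Subject:|DNS:'
}

# Usage: make_csr yourhostname yourhostname.uchicago.edu www.example.org
```

Only the `.csr` file is submitted; the `.key` file stays on the server.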
Sign in to the Certificate Manager
- Browse to the Certificate Manager (CM).
- Complete the Email Confirmation process by providing your University email address and then following the instructions you receive. This will require you to click a link or enter a URL; note that the link should be to the Sectigo website.
- After authentication, you will see a list of all previous certificates associated with your email address. To request a new certificate, select Enroll Certificate in the upper right.
- Enter Access Code: ITS on the Enroll with Access Code screen, then select Next.
Note: Please disregard the 'Select Enrollment Account' option. The Access Code should suffice for certificate enrollment.
Select Your Certificate Profile
Choose the Certificate Profile that corresponds to the type of certificate that you want. Unless you have a specialized requirement, you should most likely use "InCommon SSL" for a certificate with a single hostname or "InCommon Multi Domain SSL" for a certificate with multiple hostnames.
Select the Certificate Term
The choices provided are the longest possible terms allowed by the Certificate Authority for that profile, typically one year. If you need a short-term certificate for testing purposes, please use the "Short Life" profile, which is valid for 30 days.
Add your CSR
- Upload or paste in your CSR.
- Verify that the auto-populated Common Name is what you want. If you are requesting a Multidomain certificate, also verify that the Subject Alternate Names (SANs) are what you want. Unlike the Common Name, you can edit the SANs to something that does not match the CSR (if, for example, you want to add SANs that are not in the CSR).
Add an External Requester
The Certificate Manager process relies on email communication to issue the certificate and to provide expiration warnings, so setting the correct contact email address is critical. You must use a uchicago.edu email address. Subdomains are OK, for example, example@department.uchicago.edu.
The system defaults to using the email address that you used to authenticate to the Certificate Manager, but you can override that default by adding a different email address to the External Requester field. There is a good reason that you may want to do that. Our standard is that the contact email address should be a shared or administrative email address that is not dependent on the availability of a single person. In other words, use a group email address such as yourteam@lists.uchicago.edu, not an individual's email like cnetid@uchicago.edu. If you provide a contact email for an individual instead of a shared account, it will delay your request as we contact you.
In summary, either the email address you used to authenticate to the Certificate Manager, or one you added to the External Requester, should be a group email address and not an individual person's email address.
Add a Comment
Optional: You can add a comment for your own reference.
Enable Auto Renew
Optional: If you enable Auto Renew and set the days before expiration, the Certificate Manager will email you a replacement certificate in the future.
Submission, Validation, and Issuance
Select Submit. The CM will notify IT Services of your request. You do not need to send an email request unless you have a question.
IT Services may call or email to ask for additional information to validate any request before approval. If the Certificate Authority has any questions about the certificate request, IT Services will work with them on your behalf for a resolution. The Certificate Manager system sends updates via email to the requester at various stages of the process. Typically, you will receive a signed certificate via email in 2-4 business days from the time your request is received and any necessary validation has been completed.
Installation of the Certificate and Certificate Chain
For more information about the next steps, please consult Install and Use a Server SSL Certificate and read the instructions in the Enrollment email you receive from cert-manager.com. If you have questions about the process or difficulty using the self-enrollment request form, please email certs@uchicago.edu.