Digital Certificate - Request a Single or Multi-Domain Server SSL Certificate
This article explains how to request an SSL certificate for single or multiple domains which can be used to secure network communications for a server.
IT Services provides free SSL certificates via the InCommon Certificate Service. These can be used for any domain name (including non-.edu domains) controlled by a university entity, for example, a division, department, school, lab, etc. More information about certificate types or domain name validation for SSL certificates is available in these Knowledge Base articles:
To request a single- or multiple-domain SSL certificate, you need to generate a valid Certificate Signing Request (CSR) and submit the CSR to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. Authority for some campus domains, notably those related to UC Medical Center and Booth School, is the responsibility of the IT staff that support those organizations.
This article describes the process for submitting certificate requests to IT Services, the default certificate authority for the university campus. If you are unsure where to submit your request, contact your IT support staff or follow the procedure described below to submit to IT Services. IT Services will direct you to the appropriate authority.
Part I: Generate a Certificate Signing Request
For specific information on generating a request for your software, please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
The CSR must use a key length of 2048 bits.
The CSR must contain a Common Name (CN) with a hostname of your server.
If you are requesting a certificate that will be valid for multiple domains, you may add up to 99 additional hostnames (subject alternate names, or SANs) in the CSR itself. Alternatively, you may simply note the domains in the relevant area of the self-enrollment form. In either case, read the Submit the Certificate Signing Request section of this article carefully.
all host and domain names in a CSR must be fully-qualified (e.g. yourhostname.uchicago.edu not yourhostname), valid in public DNS (e.g. not exchange-server.local), and, due to a bug in the Comodo system, listed in lower-case letters
Although it is a good practice to enter correct and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, Email Address, that information will be overwritten with standard university information when the certificate is issued.
Part II: Submit the Certificate Signing Request
Submit your request via the self-enrollment request form.
Note: requests lacking required information may be delayed in processing.
Browse to the Certificate Manager and log in.
Access Code: ITS
Email: requester email address, for example, the site owner.
Certificate Type: choose the single or multiple domain certificate type
If you choose multidomain, a new field will appear. Enter your additional domain names, also called Subject Alternate Names (SANs), in the new text box. If you are submitting a CSR that already includes the SANs you must choose multidomain before adding your CSR to the request.
Common Name: do not enter text here; the system will auto-populate this field when you add the CSR
Server Software: choose whatever is appropriate or Other. This information will help us provide you with the most appropriate format, for example, PEM or PKCS, for your certificate
Certificate Term: you may choose 1, 2 or 3 years
CSR: Add your certificate by copy/paste or upload. The Certificate Manager should auto-populate Common Name.
- Comments: include required contact information for the business owner as well optionally any additional you want the certificate approver to know, such as contact information for the technical contact
- name and phone number of the relevant campus business owner -- either a unit (e.g. department, lab) or an individual that is responsible for the system/service using the certificate -- you do not need to add the email address here as the email address should match what you used to log in (see step 2)
- optional: name, email, and/or phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner (can be non-university entity); or add name/email of specific person or group as appropriate for your situation
- Pass-phrase: necessary if you want to be able to use self-service to revoke or renew the certificate (if necessary IT Services can revoke without using the password)
- Select address fields to remove from the certificate: The default mailing address is that of IT Services. The details of the address in the certificate have no practical effect, but if you would like to remove the street address and postal code you can (city or state cannot be changed).
Certificate Validation, Approval, and Issuance
IT Services may call or email to ask for additional information to validate any request before approval. The CM system sends updates via email to the requester at various stages of the process. Once IT Services approves the request the Certificate Authority will review then issue it to you via email. If the CA has any questions about the certificate request we will work with them on your behalf for a resolution. Typically you will receive a signed certificate via email in 2-4 business days from the time your request is received and any necessary validation has been completed.
For more information about next steps please consult Digital Certificate - Install and Use a Server SSL Certificate and read the instructions in the "Enrollment" email you receive from cert-manager.com. If you have questions about the process or difficulty using the self-enrollment request form please email firstname.lastname@example.org.
How can I create a CSR in Microsoft IIS without removing the current certificate?
Please see the Comodo KB article How to create a CSR without removing your current certificate in IIS.
Can I rerun the Microsoft IIS Certificate Wizard after I submit my CSR to you?
Rerunning the Certificate Wizard will replace your pending request which will prevent installation of the certificate you receive. Do not rerun the Wizard until you install your certificate.