Digital Certificate - Request a Single or Multi-Domain Server SSL Certificate
This article explains how to request an SSL certificate which can be used to secure network communications for a server.
IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g. itservices.uchicago.edu) or its subdomains (e.g. itservices.example.uchicago.edu) via the InCommon Certificate Service. The service provides SSL certificates for single domains or multiple domains (also known as a Subject Alternative Name or SAN certificate - up to 100 hostnames on a single IP address).
To request an SSL certificate, generate a valid Certificate Signing Request (CSR), then submit it to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. This document describes the process for submitting certificate requests to IT Services, which is the default certificate authority for campus. Authority for some campus domains (notably those related to UC Medical Center and Booth School) has been delegated to the relevant IT staff that support those organizations. If you are unsure where to submit your request, follow the procedure described below to submit to IT Services, who can direct you to the appropriate authority as needed.
1. Generate a Certificate Signing Request
For specifics on generating a request for your software please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
- the CSR must use a key length of 2048 bits
- the CSR must contain a Common Name (CN) with the exact fully-qualified domain name of the server (or, in the case of a multi-domain certificate, the primary domain name of the server), e.g. yourhostname.uchicago.edu
It is good practice to enter accurate, relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, Email Address), because it will be retained in our records with the request. That information will, however, be overwritten with standardized information when the certificate is issued. The standardized information is:
| Organizational Unit | OU | varies, depending on which authority on campus approves the certificate |
| Organization | O | University of Chicago |
2. Submit the Certificate Signing Request
Please email your request to firstname.lastname@example.org with the following information:
- Certificate Signing Request (CSR) as an attached file or in the message body -- do NOT include the private key
- Information about the requested certificate
  - if you are requesting a certificate for a single domain: provide the fully-qualified hostname
  - if you are requesting a certificate for multiple domains: list the primary hostname, then list the additional names (i.e. Subject Alternative Names) in a comma-separated list (all names should be fully-qualified) - you do not need to add the SANs to the actual CSR
- server type - what server software the certificate will be used with (e.g. Apache 2, IIS 7) - this will facilitate getting you the most appropriate format for your signed certificate
- certificate term - certificate lifetime of 1, 2, or 3 years
- requester contact info: name, campus email, campus phone number, and campus postal mailing address of the organizational business owner (e.g. department, lab) of the system that will be using the certificate
- optional: technical support contact info: name, email, and phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner
- optional: add names of specific contact people within the organizations listed, as appropriate for your situation
Please note that critical communication, including delivery of the signed certificate, will go to the requester's contact email address, so we recommend using a shared departmental/organization address (e.g. email@example.com) rather than an individual's account whenever possible. The requester must provide campus-specific contact information, although the technical support contact can be a third party (e.g. a vendor). IT Services may call or email to ask for additional information to validate any request before signing the request.
Typically you will receive a signed certificate in 2-4 business days from the time your request is received and any necessary validation has been completed.
For more information please consult Digital Certificate - Overview of Available Digital Certificates or email firstname.lastname@example.org.
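The following is an added example, not part of the original article: it generates a key and CSR with OpenSSL, then checks the CSR against the step 1 requirements (2048-bit key, CN equal to the server's fully-qualified name) and the step 2 rule that the submitted file must not contain the private key. The function names, file names and hostname are assumptions; the O= value is the one listed in the article.

```shell
#!/bin/sh
# Added example (not from the article). Hostname, file names and function
# names are assumptions; O= is the value the article lists.

# make_csr HOST DIR [BITS]: write DIR/HOST.key and DIR/HOST.csr
make_csr() {
  ( umask 077   # the unencrypted private key is created owner-readable only
    openssl req -new -newkey "rsa:${3:-2048}" -nodes \
      -keyout "$2/$1.key" -out "$2/$1.csr" \
      -subj "/O=University of Chicago/CN=$1" 2>/dev/null )
}

# check_csr FILE HOST: return 0 only if FILE is ready to submit
check_csr() {
  # The file you attach or paste must contain the request only.
  if grep -q 'PRIVATE KEY-----' "$1"; then
    echo "FAIL: $1 contains a private key"; return 1
  fi
  # Self-signature check; match the message because older OpenSSL
  # releases exit 0 even when verification fails.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "FAIL: not a valid CSR"; return 1; }
  openssl req -in "$1" -noout -text | grep -qF 'Public-Key: (2048 bit)' ||
    { echo "FAIL: key length is not 2048 bits"; return 1; }
  cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 |
       tr ',' '\n' | sed -n 's/^\(subject=\)\{0,1\} *CN=//p' | head -n 1)
  [ "$cn" = "$2" ] || { echo "FAIL: CN '$cn' is not $2"; return 1; }
  echo "OK: $1 (CN=$2, 2048-bit key)"
}

# Demo on a constructed hostname in a scratch directory.
demo_dir=$(mktemp -d)
make_csr yourhostname.uchicago.edu "$demo_dir"
check_csr "$demo_dir/yourhostname.uchicago.edu.csr" yourhostname.uchicago.edu
```

Keep the `.key` file on the server and send only the `.csr` file.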
How can I create a CSR in Microsoft IIS without removing the current certificate?
Please see the Comodo KB article How to create a CSR without removing your current certificate in IIS.
Can I rerun the Microsoft IIS Certificate Wizard after I submit my CSR to you?
Rerunning the Certificate Wizard will replace your pending request, which will prevent installation of the certificate you receive. Do not rerun the Wizard until you install your certificate.