Digital Certificate - Request a Single or Multi-Domain Server SSL Certificate
This article explains how to request an SSL certificate for single or multiple domains which can be used to secure network communications for a server.
IT Services provides free SSL certificates for any domain name (including non-.edu domains) controlled by a University entity (division, department, school, lab, etc.) via the InCommon Certificate Service. More information about types of certificates or validating a domain name for use with SSL certificates is available elsewhere in the Knowledge Base:
- Digital Certificate - Overview of Available Digital Certificates
- Digital Certificate - Validate a Domain Name for Use with InCommon Certificate Service
To request a single or multiple domain SSL certificate, generate a valid Certificate Signing Request (CSR), then submit it to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. Authority for some campus domains (notably those related to UC Medical Center and Booth School) has been delegated to the relevant IT staff that support those organizations. This document describes the process for submitting certificate requests to IT Services, which is the default certificate authority for campus. If you are unsure where to submit your request, contact your IT support staff or follow the procedure described below to submit to IT Services, who can direct you to the appropriate authority as needed.
1. Generate a Certificate Signing Request
For specifics on generating a request for your software please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
- the CSR must use a key length of 2048 bits
- the CSR must contain a Common Name (CN) with a hostname of your server
- if you are requesting a certificate that will be valid for multiple domains, you can add up to 99 additional hostnames (aka Subject Alternative Names, or SANs) in the CSR itself OR simply note the domains in the relevant area of the self-enrollment form -- in either case, please read the instructions for "Submit the Certificate Signing Request" carefully
- all host and domain names in a CSR must be fully-qualified (e.g. yourhostname.uchicago.edu not yourhostname), valid in public DNS (e.g. not exchange-server.local), and, due to a bug in the Comodo system, listed in lower-case letters
Although it is good practice to enter accurate and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, Email Address), that information will be overwritten with standardized University information when the certificate is issued.
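The requirements above can be checked before a CSR is ever generated. The following script is an added example, not part of the original article or an IT Services tool: the function names are illustrative, the hostnames are samples, and it assumes OpenSSL 1.1.1 or later for the `-addext` option.

```sh
#!/bin/sh
# Added example, not part of the original article. Function names and the
# sample hostnames are illustrative assumptions.
LC_ALL=C; export LC_ALL   # make [a-z] match lower-case ASCII only

# check_name NAME: succeed only if NAME satisfies the hostname rules above.
check_name() {
  case $1 in
    *[!a-z0-9.-]*) echo "reject $1: use lower-case letters, digits, '.', '-'" >&2; return 1 ;;
    *.local)       echo "reject $1: not valid in public DNS" >&2; return 1 ;;
    .*|*.|*..*)    echo "reject $1: malformed name" >&2; return 1 ;;
    *.*)           return 0 ;;
    *)             echo "reject $1: not fully qualified" >&2; return 1 ;;
  esac
}

# build_san CN [SAN...]: print the subjectAltName value, CN listed first.
build_san() {
  [ $# -ge 1 ] || { echo "usage: build_san CN [SAN...]" >&2; return 1; }
  [ $(( $# - 1 )) -le 99 ] || { echo "more than 99 additional names" >&2; return 1; }
  san_list=
  for san_name in "$@"; do
    check_name "$san_name" || return 1
    san_list="${san_list:+$san_list,}DNS:$san_name"
  done
  printf '%s\n' "$san_list"
}

# make_csr CN [SAN...]: write CN.key (2048-bit RSA, unencrypted) and CN.csr.
# Only CN is set in the subject; the other fields are overwritten at issuance.
make_csr() {
  csr_san=$(build_san "$@") || return 1
  ( umask 077   # private key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$1" -addext "subjectAltName=$csr_san" ) || return 1
  # Review the request (key size, CN, SANs) before submitting it.
  openssl req -in "$1.csr" -noout -verify -text
}

# Run as: sh make-csr.sh yourhostname.uchicago.edu www.yourhostname.uchicago.edu
[ $# -eq 0 ] || make_csr "$@"
```

Only the `.csr` file is submitted; the `.key` file stays on the server and is needed again when the issued certificate is installed.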
2. Submit the Certificate Signing Request
Submit your request via the self-enrollment request form. Note that requests lacking required information may be delayed in processing.
- Browse to the Certificate Manager (CM): https://cert-manager.com/customer/InCommon/ssl?action=enroll
- Log in (see Screenshot: Certificate Manager Login):
  - Access Code: ITS
  - Email: requester email address (i.e. business owner) that will receive all correspondence including the certificate
    - you MUST use a uchicago.edu email address (subdomains are OK, e.g. email@example.com)
    - you SHOULD use a shared/administrative address that is not dependent on a particular individual (e.g. firstname.lastname@example.org not email@example.com)
  - Click Check Access Code
- Enter required certificate request and metadata (see Screenshot: Certificate Entry):
  - Certificate Type: choose single or multidomain certificate type (see Screenshot: Certificate entry for multidomain certificate). If you choose multidomain, a new field will appear; enter your additional domain names (Subject Alternative Names, aka SANs) in the new text box. If you are submitting a CSR that already includes the SANs, you must choose multidomain before adding your CSR to the request.
  - Common Name: do not enter text here; allow the system to auto-populate it when you add the CSR
  - Server Software: choose whatever is appropriate or OTHER -- this information facilitates getting you the most appropriate format (e.g. PEM, PKCS) for your certificate
  - Certificate Term: 1, 2 or 3 years
  - CSR: Add your certificate by copy/paste or upload. The CM should auto-populate the Common Name.
  - Comments: include required contact information for the business owner and, optionally, any additional information you want the certificate approver to know, such as contact information for the technical contact
    - name and phone number of the relevant campus business owner -- either a unit (e.g. department, lab) or an individual that is responsible for the system/service using the certificate -- you do not need to add the email address here as the email address should match what you used to log in (see step 2)
    - optional: name, email, and/or phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner (can be non-university entity); or add name/email of specific person or group as appropriate for your situation
  - Pass-phrase: necessary if you want to be able to use self-service to revoke or renew the certificate (if necessary IT Services can revoke without using the password)
  - Select address fields to remove from the certificate: The default mailing address is that of IT Services. The details of the address in the certificate have no practical effect, but if you would like to remove the street address and postal code you can (city or state cannot be changed).
Certificate Validation, Approval, and Issuance
IT Services may call or email to ask for additional information to validate any request before approval. The CM system sends updates via email to the requester at various stages of the process. Once IT Services approves the request, the Certificate Authority will review it and then issue the certificate to you via email. If the CA has any questions about the certificate request, we will work with them on your behalf for a resolution. Typically you will receive a signed certificate via email in 2-4 business days from the time your request is received and any necessary validation has been completed.
For more information about next steps please consult Digital Certificate - Install and Use a Server SSL Certificate and read the instructions in the "Enrollment" email you receive from cert-manager.com. If you have questions about the process or difficulty using the self-enrollment request form please email firstname.lastname@example.org.
How can I create a CSR in Microsoft IIS without removing the current certificate?
Please see the Comodo KB article How to create a CSR without removing your current certificate in IIS.
Can I rerun the Microsoft IIS Certificate Wizard after I submit my CSR to you?
Rerunning the Certificate Wizard will replace your pending request, which will prevent installation of the certificate you receive. Do not rerun the Wizard until you install your certificate.