Digital Certificate - Request a Single or Multi-Domain Server SSL Certificate
This article explains how to request an SSL certificate which can be used to secure network communications for a server.
IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g. itservices.uchicago.edu) or its subdomains (e.g. itservices.example.uchicago.edu) via the InCommon Certificate Service. The service provides SSL certificates for single domains or multiple domains (also known as a Subject Alternative Name or SAN certificate - up to 100 hostnames on a single IP address).
To request an SSL certificate, generate a valid Certificate Signing Request (CSR) and then submit it to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. This document describes the process for submitting certificate requests to IT Services, which is the default certificate authority for campus. Authority for some campus domains (notably those related to UC Medical Center and Booth School) has been delegated to the IT staff that support those organizations. If you are unsure where to submit your request, follow the procedure described below to submit to IT Services, who can direct you to the appropriate authority as needed.
1. Generate a Certificate Signing Request
For specifics on generating a request for your software please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
- the CSR must use a key length of 2048 bits
- the CSR must contain a Common Name (CN) with a hostname of your server
- all host and domain names in a CSR must be fully-qualified (e.g. yourhostname.uchicago.edu not yourhostname), valid in public DNS (e.g. not exchange-server.local), and, due to a bug in the Comodo system, listed in lower-case letters
Enter accurate and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, Email Address); it is retained in our records with the request. However, that information is overwritten with standardized values when the certificate is issued. The standardized values are:

| Field | Abbreviation | Value |
| --- | --- | --- |
| Organizational Unit | OU | varies, depending on which authority on campus approves the certificate |
| Organization | O | University of Chicago |
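As an added example (not IT Services' own tooling, and not part of the original article), the following POSIX shell script generates a CSR that satisfies the requirements above and checks an existing CSR against them before you submit it: 2048-bit key, a Common Name present, every name fully qualified and lower-case, and no private-DNS suffix such as `.local`. It also confirms that the CSR and the private key you keep on the server belong together. It assumes OpenSSL 1.1 or later on PATH; the hostnames, department and address values are constructed placeholders. The public-DNS check is only partial (it rejects `.local`-style names but does not perform a lookup), since the script runs offline.

```shell
#!/bin/sh
# Added example, not IT Services' or InCommon's own tooling.
# Assumes: OpenSSL 1.1+ on PATH. All names and DN values below are constructed.

# make_csr PREFIX CN [SAN ...]
# Writes PREFIX.key (unencrypted 2048-bit RSA key) and PREFIX.csr.
# Only the .csr file is ever submitted; the .key file stays on the server.
make_csr() {
    prefix=$1; cn=$2; shift 2
    cnf="$prefix.cnf"
    cat > "$cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = US
ST = Illinois
L  = Chicago
O  = University of Chicago
OU = Example Department
CN = $cn
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
EOF
    # List the CN among the SANs as well; clients match on the SAN list, not the CN.
    i=1
    for name in "$cn" "$@"; do
        echo "DNS.$i = $name" >> "$cnf"
        i=$((i + 1))
    done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.csr" -config "$cnf" 2>/dev/null
}

# csr_key_bits FILE -> prints the RSA modulus length recorded in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn FILE -> prints the Common Name from the subject
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_sans FILE -> prints the DNS Subject Alternative Names, one per line
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_csr FILE -> exit 0 if the CSR meets the requirements, 1 otherwise (reasons on stderr)
check_csr() {
    csr=$1; ok=0
    bits=$(csr_key_bits "$csr")
    [ "$bits" = 2048 ] || { echo "key length is ${bits:-unknown}, must be 2048" >&2; ok=1; }
    cn=$(csr_cn "$csr")
    [ -n "$cn" ] || { echo "no Common Name in subject" >&2; ok=1; }
    for name in $cn $(csr_sans "$csr"); do
        case $name in
            *.*) ;;                                   # fully qualified: has at least one dot
            *) echo "$name is not fully qualified" >&2; ok=1 ;;
        esac
        case $name in
            *.local|*.localhost) echo "$name is not valid in public DNS" >&2; ok=1 ;;
        esac
        [ "$name" = "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" ] \
            || { echo "$name must be lower-case" >&2; ok=1; }
    done
    return $ok
}

# csr_matches_key CSR KEY -> exit 0 when the CSR carries the public half of KEY
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Demo with constructed names: a multi-domain request with one extra SAN.
work=$(mktemp -d)
make_csr "$work/server" www.example.uchicago.edu example.uchicago.edu
check_csr "$work/server.csr" && csr_matches_key "$work/server.csr" "$work/server.key" \
    && echo "CSR OK: submit $work/server.csr and keep $work/server.key private"
```

Run `check_csr` on any CSR your software produced (IIS, Tomcat, a load balancer) before submitting it; a failing check here is far cheaper than a rejected request. The script accepts the hostnames you pass without checking that they resolve, so confirm public DNS separately.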
2. Submit the Certificate Signing Request
Submit your request with required additional information via an online self-service form or via email.
All requests must include the following:
- Requester contact information:
  - name of campus business unit (e.g. department, lab) responsible for the system using the certificate
  - name of campus business owner (an individual) for the system that will use the certificate
  - campus email address and phone number of the business owner of the system that will be using the certificate. The choice of email address is critical -- all communication from the Certificate Authority will use this email address. We strongly recommend using a shared or administrative email list rather than an individual's personal email.
  - optional: name, email, and phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner (can be a non-university entity); or add the name/email of a specific person or group as appropriate for your situation
- Type of server: what server software the certificate will be used with (e.g. Apache, IIS); this information facilitates getting you the most appropriate format (e.g. PEM, PKCS) for your certificate
- Term of certificate: certificate lifetime of 1, 2, or 3 years
Email your request to firstname.lastname@example.org with the following information:
- Certificate Signing Request (CSR) as an attached file or in the message body -- do NOT include the private key
- required information described above (contact information, server type, certificate term)
- state whether the request is for a single- or multi-domain certificate
- if you are requesting a certificate for multiple domains: list the additional names (i.e. Subject Alternative Names) in a comma-separated list - you do not need to add the SANs to the actual CSR but if you do add them to the CSR please note that in your email
Alternatively, submit your request through the online self-service form:
- Browse to the Certificate Manager (CM) https://cert-manager.com/customer/InCommon/ssl?action=enroll
- Log in (see Screenshot: Certificate Manager Login):
  - Access Code: ITS
  - E-mail: requester email address (i.e. business owner) that will receive all correspondence including the certificate
    - you MUST use a uchicago.edu email address (subdomains are OK)
    - you SHOULD use a shared/administrative address that is not dependent on a particular individual
- Click Check Access Code
- Enter the required certificate request and metadata (see Screenshot: Certificate Entry):
  - Certificate Type: choose the single or multidomain certificate type (see Screenshot: Certificate entry for multidomain certificate). If you choose multidomain, a new field will appear; enter your additional domain names (Subject Alternative Names, aka SANs) in the new textbox. If you are submitting a CSR that already includes the SANs, you must choose multidomain before adding your CSR to the request.
  - Common Name: do not enter text here; allow the system to autopopulate it when you add the CSR
  - Server Software: choose whatever is appropriate, or OTHER.
  - Certificate Term: 1, 2 or 3 years
  - CSR: add your certificate request by copy/paste or upload. The CM should autopopulate the Common Name.
  - Comments: include the required contact information (you don't need to duplicate the requester email address here) as well as any additional information you want the certificate approver to know
- Enter optional metadata:
  - Pass-phrase: necessary if you want to be able to use self-service to revoke or renew the certificate (if necessary, IT Services can revoke without using the password)
  - Select address fields to remove from the certificate: the default mailing address is that of IT Services. The details of the address in the certificate have no practical effect, but if you would like to remove the street address and postal code you can (city or state cannot be changed).
- Click Submit. The CM will notify IT Services of your request; you do not need to send an email request unless you have a question.
Certificate Validation, Approval, and Issuance
IT Services may call or email to ask for additional information to validate any request before approval. The CM system sends updates via email to the requester at various stages of the process. Once IT Services approves the request, the Certificate Authority reviews it and then issues the certificate to you via email. If the CA has any questions about the certificate request, we will work with them on your behalf to reach a resolution. Typically you will receive a signed certificate via email within 2-4 business days from the time your request is received and any necessary validation has been completed.
For more information about next steps please consult Digital Certificate - Install and Use a Server SSL Certificate. If you have questions email email@example.com.
How can I create a CSR in Microsoft IIS without removing the current certificate?
Please see the Comodo KB article How to create a CSR without removing your current certificate in IIS.
Can I rerun the Microsoft IIS Certificate Wizard after I submit my CSR to you?
Rerunning the Certificate Wizard will replace your pending request which will prevent installation of the certificate you receive. Do not rerun the Wizard until you install your certificate.