Digital Certificate - Install and Use a Server SSL Certificate
This article explains how to install and use an SSL certificate provided by the campus InCommon Certificate Service in order to secure network communications for a server.
IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g. itservices.uchicago.edu) or its sub-domains (e.g. itservices.example.uchicago.edu) via the InCommon Certificate Service. Once you have requested an SSL certificate from the InCommon Certificate Service you will receive a signed certificate and a certificate chain via email. You must install those certificates in order to use them.
All certificates are delivered via email from Comodo. The originating domain is @cert-manager.com - please configure your spam filters accordingly. Keep the email from Comodo, as it contains information important to using and renewing your certificate. The email message from Comodo will contain links to download the signed certificate and the CA certificate chain in various formats.
The email message will recommend a particular format, based on the server software you reported you were using, but will provide links to alternative formats as well. Download the signed certificate in a format appropriate for your software and install.
The email message will also provide a link to the intermediate certificate, sometimes called a "chain certificate" or a "CA bundle". Your signed certificate is authorized by Comodo's root Certificate Authority, which is trusted by 99% of browsers; however these certificates are issued by one of Comodo's intermediate certificate authorities. This arrangement helps Comodo to secure the actual root CA. This is an increasingly common practice, and most commercial CAs now use intermediate certificates. Intermediate CA certificates are often not recognized by browsers, so a trust chain must be followed to establish the certificate's validity. Installing the certificate chain allows your server to send the client information to complete the trust chain from your server certificate to the root CA certificate that your browser already trusts. Without the certificate chain some users may see SSL errors that your certificate is signed by an untrusted authority.
Instructions are platform-specific so please refer to your software documentation or use instructions provided by Comodo:
- Microsoft IIS 7
- Exchange 2010 (certificate wizard) or Exchange 2010 (PowerShell)
- Tomcat (using keytool)
- Apache httpd (mod_ssl)
- Other platforms (full list of Comodo Knowledge Base certificate installation articles)
Immediately after installing your new certificate check the install for common problems:
- Is your server using the correct SSL certificate? Check Common and Alternate Names, Dates of Validity, and Issuer Name.
- Is the SSL certificate chain installed? The chain should contain three certificates: your server certificate, the intermediate (AKA 'next') issuer 'InCommon Server CA', and its issuer, Comodo's 'COMODO High-Assurance Secure Server CA'.
Browsers sometimes cache SSL certificates so simply browsing to a web site is not the ideal way to verify your installation. Two alternate methods:
1. If your certificate is installed on a server that is reachable from off-campus then you can use free services that run immediate checks on a hostname you provide:
- Qualys SSL Server Test (check "Hidden" so that you do not show up in the public list)
- COMODO SSL Analyzer (does not provide certificate chain information so should be combined with another method)
2. System administrators familiar with the OpenSSL tool (which should be available on all Unix or Linux systems) can use its s_client command as described by InCommon to check their certificate. This method requires more effort from the system administrator but works for systems that are not reachable by the off-campus SSL testing services.
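The checklist above (correct names and validity dates, a complete chain whose links match) can also be run locally against the certificates your server actually sends. The script below is an added example, not part of the IT Services article and not code from Comodo or InCommon; it assumes the openssl command-line tool is installed and that you have saved the CERTIFICATE blocks printed by `openssl s_client -showcerts` into one PEM file, server certificate first, intermediates after it. The file names, the directory layout and the hostname used in the usage line are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the IT Services article, Comodo or InCommon).
# Local checks on a PEM bundle: the server certificate followed by its
# intermediate(s), e.g. the CERTIFICATE blocks captured with
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# Requires the openssl CLI.
set -eu

# Split a PEM bundle ($1) into cert01.pem, cert02.pem, ... inside directory $2.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
    n > 0                         { print > out }
    /-----END CERTIFICATE-----/   { close(out) }' "$1"
}

# Number of certificates in a PEM bundle ($1); a complete InCommon chain has 3.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Distinguished name ($1 = subject|issuer) of cert file $2, prefix stripped so
# that an issuer string can be compared with a subject string.
cert_field() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*=[ ]*//'
}

# Human-readable summary of one certificate ($1): names, validity, issuer.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -nameopt RFC2253
  # -ext needs OpenSSL 1.1.1+; older builds fall back to the full text dump.
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Does the server certificate ($1) cover hostname $2 (SAN, or CN as fallback)?
leaf_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Is the certificate ($1) still valid for at least $2 more days? (exit 0 = yes)
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Does each certificate's issuer equal the next certificate's subject?
# Exit 0 when the chain links up from the server certificate through every
# intermediate in the directory produced by split_pem_bundle ($1).
chain_links_ok() {
  set -- "$1"/cert*.pem
  while [ $# -gt 1 ]; do
    [ "$(cert_field issuer "$1")" = "$(cert_field subject "$2")" ] || return 1
    shift
  done
  return 0
}

# Usage: ./check_chain.sh bundle.pem www.example.uchicago.edu   (hostname assumed)
if [ $# -eq 2 ]; then
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  split_pem_bundle "$1" "$work"
  echo "certificates in bundle: $(count_certs "$1")"
  for c in "$work"/cert*.pem; do echo "--- $c"; describe_cert "$c"; done
  leaf_matches_host "$work/cert01.pem" "$2" && echo "hostname OK" || echo "hostname MISMATCH"
  valid_for_days "$work/cert01.pem" 30 && echo "valid for 30+ days" || echo "expires within 30 days"
  chain_links_ok "$work" && echo "chain links OK" || echo "chain BROKEN or incomplete"
fi
```

The chain-link test is the one that catches the most common installation mistake described above: a server that sends only its own certificate (one block in the bundle) or the intermediates in the wrong order will fail `chain_links_ok`, which is exactly the situation in which some browsers report an untrusted issuer. The 30-day window in the usage line is an arbitrary renewal margin for the example; the validity check is a reminder, not a substitute for tracking the expiration date from the Comodo email.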
When I try to install the certificate on IIS why does Windows report that there is no matching certificate request?
Most likely someone reran the IIS Certificate Wizard after you submitted the CSR. The Wizard replaced the pending CSR and private key, so the certificate you are attempting to import does not match the new private key. The most direct solution is to start over: rerun the Wizard and resubmit your CSR. While you are waiting for your certificate, do not run the Wizard again.
Renew the Certificate
SSL certificates are valid for a period of one, two or three years depending on how they were requested. As a courtesy IT Services may send reminder notices prior to the certificate expiration but the organization requesting and using the certificate must take full responsibility for renewing certificates before their expiration. IT Services cannot be held accountable for expired SSL certificates.
The email message that you receive from Comodo with your signed certificate includes a "renew id" which you should retain for the future.
If you have questions please email email@example.com.