Digital Certificate - Request a Wildcard Server SSL Certificate
This article explains how to request a wildcard SSL certificate which can be used in special cases to secure network communications for a server.
IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g. itservices.uchicago.edu) or its subdomains (e.g. itservices.example.uchicago.edu) via the InCommon Certificate Service. The service currently provides several certificate types, including wildcard SSL certificates. A wildcard certificate and its single private key cover every host under the subdomain, so a compromise of any server holding that key affects all of them; because of this increased risk, wildcard requests are subject to more rigorous validation and hosting requirements. Most servers can and should use single or multi-domain server certificates.
Eligibility for Wildcard Certificate
- request must have a rationale for why a wildcard certificate is more suitable than a multi-domain SSL certificate (e.g. certificate needed for more than 100 domains) -- in most cases we will recommend a multi-domain certificate
- all aspects of the certificate management (e.g. hosting) must be performed by a professional IT group which agrees to the hosting, communication, and revocation policies specified by IT Security
- wildcard certificates are only issued for subdomains of uchicago.edu, e.g. *.example.uchicago.edu, rather than the top-level domain
- wildcard certificates are only issued for one-year terms and renewal requests must be created with new keypairs
Please note that free InCommon multi-domain SSL certificates (up to 100 domains) are available for 3-year terms with fewer verification and hosting requirements. IT Security makes the final decision on the eligibility of a request for a wildcard certificate.
How to Request a Wildcard SSL Certificate
To request an SSL certificate, generate a valid Certificate Signing Request (CSR) for the wildcard domain (e.g. *.example.uchicago.edu) then email the CSR as well as supporting information to IT Services staff. Your request will be validated and if appropriate signed by IT Security.
1. Generate a Certificate Signing Request
For specifics on generating a request for your software please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
- the CSR must use a 2048-bit RSA key
- the Common Name (CN) is the wildcard domain itself, e.g. *.example.uchicago.edu
- the CSR must contain the following subject fields:

| Field | Attribute | Value | Notes |
|---|---|---|---|
| Country | C | US | Two-letter ISO country code |
| State/Province | ST | Illinois | Must be spelled out in full; no abbreviations |
| Organizational Unit | OU | IT Services | Your administrative unit (e.g. department name) |
| Organization | O | University of Chicago | |
| Email Address | emailAddress | firstname.lastname@example.org | Recommended but not required. The email address, if present, should belong to the administrator(s) of the system using the certificate. |
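The following POSIX shell script is an added example, not part of the IT Services article: it generates a fresh 2048-bit RSA key and a CSR carrying the subject fields above with openssl, then checks the CSR against the stated rules (2048-bit RSA, required fields, wildcard only under a subdomain of uchicago.edu, never the top-level domain) before it is emailed, and refuses any file that also contains the private key. The subdomain *.example.uchicago.edu, the OU value and the file names are placeholders; adding a subjectAltName matching the CN is an assumption of good practice, not a stated requirement.

```shell
#!/bin/sh
# Added example (not from the IT Services article): build a wildcard CSR
# that satisfies the listed requirements and check it before emailing it.
# Placeholders: *.example.uchicago.edu, the OU "IT Services", file names.
set -eu

# Generate a fresh 2048-bit RSA key and a CSR for one wildcard name.
# Usage: make_wildcard_csr '*.example.uchicago.edu' 'IT Services' /path/outdir
# Prints the CSR path; the key stays in the same directory with mode 0600.
make_wildcard_csr() {
    wildcard=$1; ou=$2; out=$3
    mkdir -p "$out"
    # New keypair every time: renewals must not reuse the old key.
    openssl genrsa -out "$out/wildcard.key" 2048 2>/dev/null
    chmod 600 "$out/wildcard.key"
    # Subject fields from the requirements table; CN is the wildcard itself.
    # The SAN extension is an assumption (good practice, not a stated rule).
    openssl req -new -sha256 -key "$out/wildcard.key" -out "$out/wildcard.csr" \
        -subj "/C=US/ST=Illinois/O=University of Chicago/OU=$ou/CN=$wildcard" \
        -addext "subjectAltName=DNS:$wildcard"
    printf '%s\n' "$out/wildcard.csr"
}

# Check a CSR file against the policy. Prints the first violation and
# returns 1, or prints OK and returns 0.
check_wildcard_csr() {
    csr=$1
    # Never email the private key: refuse a file that contains one.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "FAIL: $csr contains a private key"; return 1
    fi
    # The CSR's self-signature must verify (proves possession of the key).
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: CSR signature does not verify"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    case "$text" in
        *rsaEncryption*"(2048 bit)"*) ;;
        *) echo "FAIL: key is not 2048-bit RSA"; return 1 ;;
    esac
    # RFC2253 form: CN=...,OU=...,O=...,ST=...,C=... on one line.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    for rdn in 'C=US' 'ST=Illinois' 'O=University of Chicago' 'OU='; do
        case "$subject" in
            *"$rdn"*) ;;
            *) echo "FAIL: subject is missing $rdn"; return 1 ;;
        esac
    done
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        '*.uchicago.edu')
            echo "FAIL: wildcards are not issued for the top-level domain"; return 1 ;;
        \*.*.uchicago.edu) ;;
        *) echo "FAIL: CN '$cn' is not a wildcard under a uchicago.edu subdomain"; return 1 ;;
    esac
    # Only the leftmost label may be the wildcard, and no label may be empty.
    rest=${cn#\*.}
    case "$rest" in
        *\**|.*) echo "FAIL: CN '$cn' has a misplaced wildcard or empty label"; return 1 ;;
    esac
    # If a SAN is present it must name the same wildcard (assumption, see above).
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name' &&
       ! printf '%s\n' "$text" | grep -qF -- "DNS:$cn"; then
        echo "FAIL: SAN does not list $cn"; return 1
    fi
    echo "OK: $csr is ready to send (the key stays on the server)"
}
```

Run `make_wildcard_csr` on the server that will host the certificate, then `check_wildcard_csr` on the .csr file only; attach or paste that file in the request email and leave wildcard.key where it was generated.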
2. Submit the Certificate Signing Request
Email your request to email@example.com with the following information:
- Certificate Signing Request (CSR) as an attached file or in the message body -- do NOT include the private key
- Information about the requested certificate:
  - the subdomain for which you are requesting a wildcard certificate
  - a statement why you are requesting a wildcard certificate rather than a multi-domain certificate
  - a description of the server(s) that will host the certificate and private key, including the server's role in your infrastructure and any relevant campus IPs
  - the name of the IT organization that will manage the certificate
- requestor contact info: name, campus email, campus phone number, and campus postal mailing address of the organizational business owner (e.g. department, lab) of the system that will be using the certificate
- optional: technical support contact info: name, email, and phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner
- optional: add names of specific contact people within the organizations listed, as appropriate for your situation
Please note that critical communication, including delivery of the signed certificate, will go to the requestor's contact email address, so we require use of a shared departmental/organization address (e.g. firstname.lastname@example.org) rather than an individual's account. The requestor must provide campus-specific contact information, although the technical support contact can be a third party (e.g. a vendor).
- IT Security will phone the technical contact (if one was provided) or otherwise the requestor contact to review eligibility and the requirements.
- IT Security will email a document describing the requirements and procedures to the requestor contact email address. A management representative of the requesting organization must reply to that message to agree to the policies.
Typically you will receive a signed certificate via email in 1 or 2 business days from the time your request is received and any necessary validation has been completed.
Questions on the wildcard SSL certificate service, including questions on eligibility and requirements, are welcome. Direct all communication including requests to email@example.com.