Digital Certificate - Validate a Domain Name for Use with InCommon Certificate Service

This article explains how to request that a network domain name be validated so that digital certificates can be provided for it via the InCommon Certificate Service.

Through the InCommon Certificate Service, the University can provide free SSL certificates for any domain name (including non-.edu domains) controlled by a University entity (division, department, school, lab, etc.). The prerequisite is that the domain must pass an industry-standard process known as Domain Control Validation (DCV). Before any SSL certificate can be issued by Comodo (the Certificate Authority) to a University entity, we must demonstrate that the domain name is affiliated with the University and under the University entity's administrative control. This is a common-sense precaution to prevent misuse of certificates by third parties. DCV must be completed prior to issuing a certificate for a new domain and then annually.

This requirement affects:

  1. all new SSL certificate applications and certificate renewals
  2. only the registered High Level Domain (HLD), not subdomains (e.g., if uchicago.edu is validated, then example.uchicago.edu does not need to be validated separately)

The process can be completed using any one of three supported methods:

  1. Email - InCommon will email a validation code to an address associated with the domain through its whois record (or one of a preset list of common administrative addresses) and the recipient must paste that code into a confirmation web page
  2. DNS CNAME - a CNAME record specified by InCommon must be added to the authoritative DNS server for the domain
  3. HTTP - a text file provided by InCommon must be added to the root directory of a web server for the domain

InCommon provides documentation detailing all of these methods.

If you would like to add a new domain to the InCommon system so that we can provide SSL certificates for you, please note that DCV requires the participation of both the domain administrator and the campus Registration Authority Officers (IT Security).

Step 1: Verify that the Registrant Name listed in whois demonstrates an affiliation with the University of Chicago. Note in particular that domains protected by registration privacy services will be denied.

  1. Check your whois listing using the whois command from any Unix-derived system, or use one of many web services such as whois.domaintools.com
  2. If the Registrant Organization in the whois listing does not demonstrate a University affiliation and have University-related contact information, update it with your domain registrar

Step 2: Please initiate the DCV process by emailing certs@uchicago.edu the following information:

  1. in the email Subject please indicate 'new domain' or 'DCV'
  2. domain name requested (as noted above, we only need to know the High-Level Domain, not all subdomains so the domain you provide likely should have only one dot in it e.g. example.net not sub.example.net)
  3. which of the supported DCV methods described above (Email, DNS, HTTP) you prefer to use - if you choose email, please indicate what address to use
  4. new domains: name of the University entity requesting the domain and both phone and email contact information
  5. new domains (optional): which Departmental Registration Authority the new domain should be delegated to once approved - if you work with an existing DRAO, please note that in the request, otherwise, or if you are unsure how to answer the question, by default certificates for new domains will be approved by IT Services which is in most cases the appropriate choice
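
A pre-flight check for Steps 1 and 2, as an added example (not InCommon or University tooling): it reads whois output, classifies the Registrant Organization, and applies the one-dot heuristic to the requested domain. The privacy markers, the sample records, the function names, and the "Registrant Organization:" field label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before emailing a DCV request.
AFFILIATION='University of Chicago'          # string expected in the whois record
# Assumption: illustrative, non-exhaustive markers of registration privacy services.
PRIVACY_MARKERS='privacy|proxy|redacted|whoisguard'

# Step 2: request the registered domain, not a subdomain. Uses the article's
# "only one dot" heuristic, so multi-label suffixes (e.g. .co.uk) need a manual check.
is_high_level_domain() {
    case "$1" in
        *.*.*|.*|*.) return 1 ;;
        *.*)         return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the first "Registrant Organization:" value from whois text on stdin.
# Assumption: the registry uses that field label; some TLDs format records differently.
registrant_org() {
    sed -n 's/^[[:space:]]*[Rr]egistrant [Oo]rganization:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Step 1: classify whois text on stdin as
#   ok | privacy-protected | no-affiliation | no-registrant-org
check_registrant() {
    _org=$(registrant_org)
    if [ -z "$_org" ]; then echo "no-registrant-org"
    elif printf '%s\n' "$_org" | grep -Fiq "$AFFILIATION"; then echo "ok"
    elif printf '%s\n' "$_org" | grep -Eiq "$PRIVACY_MARKERS"; then echo "privacy-protected"
    else echo "no-affiliation"
    fi
}

# preflight DOMAIN < whois-text   (live use: whois example.net | preflight example.net)
preflight() {
    is_high_level_domain "$1" || { echo "not-high-level-domain"; return 0; }
    check_registrant
}

# Constructed whois excerpts, not real registrations.
SAMPLE_OK='Domain Name: EXAMPLE.NET
Registrant Organization: University of Chicago, Example Lab'
SAMPLE_PRIVATE='Domain Name: EXAMPLE.ORG
Registrant Organization: Example Privacy Service, Inc.'

printf '%s\n' "$SAMPLE_OK"      | preflight example.net
printf '%s\n' "$SAMPLE_PRIVATE" | preflight example.org
```

Any result other than `ok` means the whois record or the requested name should be corrected before the request is sent.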

Step 3: IT Services will request that the domain be validated by InCommon, which will check the whois contact (see step 1) and then allow IT Services to proceed with the DCV method of choice (see step 2).

Step 4: IT Services will email instructions to the DCV requester on how to complete the Email, DNS, or HTTP step. Follow those instructions and reply when ready. IT Services will contact the Certificate Authority and finish the validation process. Once it is complete, you will receive an automated email from cert-manager.com. After you receive that email, you can request certificates for the newly validated domain.

This is a multi-step process. Please allow at least five business days for IT Services to handle the administrative aspects of your request (requesting DCV and delegating the approved domain). Any delay by the domain administrator in handling their part in the DCV process will add to that time.

If you have any questions about the process, please email certs@uchicago.edu.

Keywords: security encryption x.509 ca cert x509 "certificate authority" comodo tls pki dcv whois
Doc ID: 31498
Owner: James C.
Group: University of Chicago
Created: 2013-07-09 10:43 CST
Updated: 2015-07-01 09:12 CST
Sites: University of Chicago, University of Chicago - Sandbox