You are here: UMWiki>SSLCerts Web>WebHome (15 Apr 2014, ChristopherBongaarts)

SSL Certificates at the University of Minnesota

The University subscribes to the InCommon Federation's SSL Certificate service, which provides unlimited certificates for a flat yearly fee. InCommon has contracted with Comodo to provide the actual certificate management and signing.

Requesting Certificates

To request a certificate, first generate a Certificate Signing Request (CSR) on your web server. The instructions to accomplish this are specific to the web server software you're running. Comodo has CSR generation guides for many popular web servers. NOTE: A minimum 2048-bit RSA key is now required for all certificate requests.

Next, go to the InCommon certificate enrollment site to request your certificate. You'll need to enter a umn.edu email address (a departmental account or support address rather than a specific person is usually a good idea) and an access code to proceed to the enrollment form.

Here are some tips for completing the form:

  • Leave the Common Name field blank, and use the "Get Common Name from CSR" button under the CSR field to fill it in for you after you've pasted your CSR.
  • Uncheck the Address fields for a cleaner certificate Subject, if desired.
  • In the Comment field, please include the name, Internet ID/email address and phone number of someone who can provide approval for the request. If you use a departmental or support address to request the cert, it is helpful if you also include the specific person who is making the request here. We currently contact this person to ensure that they actually submitted it.

After you submit the form, we (the UMN SSL certificate administrators) will be notified so we can approve your request. After it is approved and the certificate is signed by the CA (which usually takes only a couple minutes), you will get email with links to pick up the certificate (and the intermediate CA cert(s)).

TIP If you have an expired certificate you need replaced, send email to sslcerts@umn.edu to request that we expedite your request. For best results, put URGENT in the subject line.

Installing Certificates

Note that our vendor's CA uses an intermediate certificate that will need to be installed on your web server to avoid untrusted certificate warnings in browsers. For IIS admins, download the PKCS#7 Base64 format certificate, and the import process should automatically install the intermediate for you. Apache admins should put the intermediate CA certificate in a separate file and use the SSLCertificateChainFile configuration directive to point at it. For other servers, consult the documentation for your web server software.

Here are the intermediate certificates for download, in case you've lost the notification email. Choose the correct intermediate based on the Issuer of your server certificate (or the issuance date).

To verify that you have the intermediate installed correctly, you can use Comodo's SSL Analyzer. If it is correctly installed, the "Trusted by Microsoft" and "Trusted by Mozilla" tests will report "Yes". If it is not, you will get an error message.

When your certificate nears its expiration date, you will get email notifications of the impending expiration starting 30 days prior. To be on the safe side, we recommend that systems and/or application administrators monitor their services for SSL certificate expiration as well.

Revoking Certificates

If you need to revoke a certificate (e.g. if you have replaced a cert that was on a heartbleed-vulnerable server), you can use the InCommon Certificate Service revocation form. The fields you need to enter should be included in the email you received when the cert was issued. If that doesn't work, or you no longer have the issuance email, you can send email to sslcerts@umn.edu with the certificate Common Name (server name) and some means of identifying the specific certificate to revoke, such as Order Number, expiration date, or certificate serial number.

Departmental Certificate Administrators

The InCommon cert service allows for delegated administration, so designated people can submit and approve certificates for their department without intervention from OIT. Delegation can be set up for subdomains of umn.edu, individual hostnames, or non-umn.edu domains, provided you are eligible to request certificates for the requested namespace. Contact sslcerts@umn.edu if you are interested in using this functionality.

InCommon plans to eventually implement federated authentication, where you could log in with your University of Minnesota Internet ID and password instead of having to set up yet another set of credentials.

Frequently Asked Questions

(See also InCommon's Cert FAQ which includes browser/device support lists.)

My server has a "real" name; it's "oscar.meyer.umn.edu". My server also has an alias, it's "www.meyer.umn.edu". Which one should I use as the server name (commonName or CN) in my certificate request?

To prevent client browser warnings, you should use the name that users (and any links that refer to the site) will be actually using. In this case, you should probably use the "www.meyer.umn.edu" name.

If your server has more than one name (e.g. "www.meyer.umn.edu" and "meyer.umn.edu") you can request a Multi-Domain certificate. This allows you to list additional valid server names as subjectAlternativeNames in your certificate, which browsers will treat as valid.

When generating the certificate, my server asks me all kinds of embarrassing questions. How should I answer?

Here are the preferred answers:

  • commonName (CN) = (server name - see previous question)
  • organizationName (O) = University of Minnesota
  • organizationalUnitName (OU) = (department name - see below)
  • locality (L) = Minneapolis
  • stateOrProvinceName (ST) = Minnesota
  • country (C) = US

You can have zero or more organizationalUnitName (OU) fields in your request. We recommend you put a department or coordinate campus name in this field, and that you spell out any abbreviations, especially if your site will be used by people outside your area. For example, use "OU=College of Liberal Arts", not "OU=CLA". The CA will automatically add an "OU=Platinum SSL" as well.

For the private key length, 2048 bits is now the minimum for RSA keys.
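The following POSIX shell script is an added example, not part of this wiki page and not InCommon's or Comodo's tooling. It runs the OpenSSL commands behind several sections above: it generates a 2048-bit RSA key and CSR with the preferred DN answers from this answer (using the page's own example hostnames www.meyer.umn.edu and meyer.umn.edu and the recommended "OU=College of Liberal Arts"), builds a constructed stand-in root and intermediate CA (the names "Stand-in Root CA" and "Stand-in Intermediate" are invented here) so the issued server certificate can be verified with and without the intermediate, as discussed under Installing Certificates, runs the expiration check that section recommends monitoring, and reads out the serial number the Revoking Certificates section mentions. Everything is created in a temporary directory; nothing contacts a real CA.

```shell
#!/bin/sh
# Added example: a stand-in CA and the checks an admin runs around a CSR.
# Everything is generated locally in a temp dir; the root and intermediate
# below are constructed stand-ins, not the Comodo/InCommon CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.crt"; INT="$WORK/int.crt"; SRV="$WORK/server.crt"; CSR="$WORK/server.csr"

# --- 1. Key and CSR on the web server -----------------------------------------
# 2048-bit RSA is the minimum the page states; the subject uses the FAQ's
# preferred answers, with the abbreviation spelled out in OU as recommended.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$WORK/server.key" -out "$CSR" \
  -subj "/C=US/ST=Minnesota/L=Minneapolis/O=University of Minnesota/OU=College of Liberal Arts/CN=www.meyer.umn.edu"

# RSA modulus size recorded in the CSR (handles the 1.1.1 and 3.x text layouts).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Common Name from the CSR, the value the enrollment form copies in with
# "Get Common Name from CSR".
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# --- 2. Stand-in CA: root signs the intermediate, intermediate signs the server cert
openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
openssl req -new -key "$WORK/root.key" -subj "/C=US/O=Stand-in Root CA/CN=Stand-in Root" -out "$WORK/root.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$ROOT" 2>/dev/null

openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
openssl req -new -key "$WORK/int.key" -subj "/C=US/O=Stand-in Root CA/CN=Stand-in Intermediate" -out "$WORK/int.csr"
openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$INT" 2>/dev/null

# The CA adds the extra names from a Multi-Domain request as subjectAltNames.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.meyer.umn.edu,DNS:meyer.umn.edu\n' > "$WORK/srv.ext"
openssl x509 -req -sha256 -days 365 -in "$CSR" -CA "$INT" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/srv.ext" -out "$SRV" 2>/dev/null

# --- 3. Checks on the issued certificate --------------------------------------
# Names browsers will accept, as printed by openssl (one line, comma separated).
cert_sans() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# A client trusts only the root. Without the intermediate (what Apache supplies via
# SSLCertificateChainFile) no chain can be built: the "untrusted certificate" case.
chain_verifies() { # $1 = server cert, $2 = intermediate file, or "" if not installed
  if [ -n "$2" ]; then
    openssl verify -CAfile "$ROOT" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ROOT" "$1" >/dev/null 2>&1
  fi
}

# Expiration monitoring: succeeds if the cert is still valid $2 days from now
# (-checkend takes seconds), so a 30-day warning is "valid_for_days cert 30".
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Serial number, one of the identifiers the revocation form accepts.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

echo "CSR: $(csr_key_bits "$CSR")-bit RSA, CN=$(csr_common_name "$CSR")"
echo "Issued SANs: $(cert_sans "$SRV")   serial: $(cert_serial "$SRV")"
chain_verifies "$SRV" ""     && echo "verify without intermediate: OK" || echo "verify without intermediate: FAILS (expected)"
chain_verifies "$SRV" "$INT" && echo "verify with intermediate: OK"    || echo "verify with intermediate: FAILS"
valid_for_days "$SRV" 30     && echo "still valid in 30 days"          || echo "expires within 30 days"
```

Run it as-is to see the three outcomes side by side; to check a real server certificate, point chain_verifies at the downloaded server cert and the intermediate file from the notification email (with the system CA bundle as -CAfile instead of the stand-in root), and put valid_for_days in a cron job for the 30-day warning.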

Can I get a developer (code-signing) certificate to sign my nifty-keen Java applets or ActiveX controls?

Yes. Send email to sslcerts@umn.edu with your department name as you would like it to appear in the OU field of the certificate, and an email address where an invitation to enroll will be sent. This email address will be included as a subjectAltName in the certificate, so it should probably reflect an organizational rather than a personal account. We will request the invitation, which will be sent to the email address you provided. The invitation will include a link to a page that will generate a private key and send a certificate request to InCommon. When the certificate is ready, you will receive another email with a link to pick it up. Be sure to use the same browser to pick up the certificate as you did to request it. Once you have picked up the cert, you can export the cert and private key if you want to use it on another computer.

All certs will have an Organization field of "University of Minnesota", which is what most browsers will prompt with when asking users if they want to run your applet or control.

ALERT! Do NOT use the Chrome browser to request a code-signing cert. You will not be able to install the issued certificate. Use Firefox or IE instead. If using IE11, you may need to set cert-manager.com to use Compatibility View.

Can I get one of those 128-bit SuperCerts (also known as Server Gated Cryptography (SGC) certificates)?

No, and there's little point in SGC certs, unless you have a lot of international visitors using browsers from the 90's (prior to the US lifting the restrictions on crypto export).

How about those Extended Validation (EV) certs that make your browser's address bar light up in neon colors?

EV certificates are now available through the InCommon program. Additional paperwork is required, so please ask us if you are interested.

We set up a web site named www.gopherbasketweavingrocks.com . Can we get an SSL certificate for it through this program?

We can add additional non-umn.edu domains to the program. Send the domains you wish to issue certs for to sslcerts@umn.edu and we will request they be added to our InCommon account. The InCommon admins will send mail to the WHOIS contacts for the domains and ask them to add a random CNAME record to prove they control the domain. Once the InCommon admins have verified the addition of the CNAMEs, they will activate the domains in our interface. At this point you will be able to request certificates under those domains.

How about client certificates?

Unlimited client certificates are included in the service. If your department would like to take advantage of these, please let us know.

Can I still get a certificate from Thawte?

Not through us. You will have to buy a certificate from them directly.

Contact Us

If you have further questions about SSL certificates or PKI in general, or if you just don't get the Oscar Meyer reference, send email to sslcerts@umn.edu.

Topic attachments

  • comodoint.crt (1.7 K, 22 Jun 2011 - 09:10, ChristopherBongaarts): Comodo intermediate CA certificate (for certs issued prior to Feb 1, 2011)
  • incommonint.crt (1.7 K, 22 Jun 2011 - 09:11, ChristopherBongaarts): InCommon intermediate CA certificate (for certs issued on or after Feb 1, 2011)
Topic revision: r20 - 15 Apr 2014 - 12:29:08 - ChristopherBongaarts