SSL Certificates at the University of Minnesota
The University subscribes to the InCommon Federation's SSL Certificate service, which provides unlimited certificates for a flat yearly fee. InCommon has contracted with Comodo to provide the actual certificate management and signing.
Information on the SHA-2 signed certificate transition
To request a certificate, first generate a Certificate Signing Request (CSR) on your web server. The steps depend on the web server software you are running; Comodo has CSR generation guides for many popular web servers. The private key that is created alongside the CSR stays on your server with restrictive file permissions; only the CSR is submitted. NOTE: A minimum 2048-bit RSA key is now required for all certificate requests.
Next, go to the InCommon certificate enrollment site to request your certificate. You'll need to enter an email address (a departmental account or support address rather than a specific person is usually a good idea) and an access code to proceed to the enrollment form.
Here are some tips for completing the form:
- Leave the Common Name field blank, and use the "Get Common Name from CSR" button under the CSR field to fill it in for you after you've pasted your CSR.
- Uncheck the Address fields for a cleaner certificate Subject, if desired.
- In the Comment field, please include the name, Internet ID/email address and phone number of someone who can provide approval for the request. If you use a departmental or support address to request the cert, it is helpful if you also include the specific person who is making the request here. We currently contact this person to ensure that they actually submitted it.
After you submit the form, we (the UMN SSL certificate administrators) will be notified so we can approve your request. After it is approved and the certificate is signed by the CA (which usually takes only a couple minutes), you will get email with links to pick up the certificate (and the intermediate CA cert(s)).
If you have an expired certificate you need replaced, send email to firstname.lastname@example.org and ask us to expedite the request. For best results, use an URGENT
Note that our vendor's CA signs server certificates with an intermediate certificate, not directly with its root. Browsers trust only the root, so the intermediate must be installed on your web server and sent along with your certificate to avoid untrusted certificate warnings. For IIS admins, download the PKCS#7 Base64 format certificate, and the import process should automatically install the intermediate for you. Apache admins should put the intermediate CA certificate in a separate file and point the SSLCertificateChainFile configuration directive at it; on Apache 2.4.8 and later that directive is deprecated, and the intermediate is instead appended after your server certificate in the file named by SSLCertificateFile (server certificate first, then the intermediate). For other servers, consult the documentation for your web server software.
Here are the intermediate certificates for download, in case you've lost the notification email. Choose the correct intermediate based on the Issuer of your server certificate (or the issuance date).
To verify that you have the intermediate installed correctly, you can use Comodo's SSL Analyzer. If it is correctly installed, the "Trusted by Microsoft" and "Trusted by Mozilla" tests will report "Yes". If it is not, you will get an error message.
When your certificate nears its expiration date, you will get email notifications of the impending expiration starting 30 days prior. To be on the safe side, we recommend that systems and/or application administrators monitor their services for SSL certificate expiration as well.
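The missing-intermediate failure described above and the expiry check recommended in the previous paragraph, as one added example that is not part of this page or of the vendor's tooling. It builds a throwaway root, intermediate and server certificate with openssl so that it runs offline and the verification failure can be seen directly; the CA names are invented, and the hostnames are the placeholders used in this page's FAQ.

```shell
#!/bin/sh
# Added example, not from the page or the InCommon/Comodo service: build a
# throwaway root -> intermediate -> server chain with openssl and show why a
# server that does not send its intermediate fails validation, the order a
# combined chain file needs, and an expiry check to schedule. The CA names
# are invented; the hostnames are the placeholders from this page's FAQ.
set -eu

SERVER_NAME=www.meyer.umn.edu

build_chain() {
    # Explicit extension files, so the result does not depend on the local
    # openssl.cnf. 90-day validity is enough for a demonstration.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:meyer.umn.edu\n' "$SERVER_NAME" > server.ext

    # Root: self-signed; stands in for the vendor root in the browser's store.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/O=Example Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 90 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate: signed by the root; this is what your web server must serve.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/O=Example Intermediate CA' \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 90 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
    # Server certificate: signed by the intermediate, never directly by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=University of Minnesota/CN=$SERVER_NAME" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 90 -sha256 -extfile server.ext -out server.pem 2>/dev/null
}

# A client trusting only the root and handed the server cert alone: no path
# to a trusted anchor, so "unable to get local issuer certificate".
verify_without_intermediate() {
    openssl verify -CAfile root.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# The same client once the server also supplies the intermediate (-untrusted:
# used for path building, but it must itself chain to the trusted root).
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# Combined PEM for servers that take the whole chain in one file (Apache
# 2.4.8+ SSLCertificateFile, nginx ssl_certificate): server cert first,
# then the intermediate. Prints the first subject so the order can be checked.
make_fullchain() {
    cat server.pem inter.pem > fullchain.pem
    openssl x509 -in fullchain.pem -noout -subject
}

# Exit 0 if the certificate is still valid $2 seconds from now, 1 otherwise.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

main() {
    cd "$(mktemp -d)"
    build_chain
    if verify_without_intermediate "$SERVER_NAME"; then
        echo "server cert alone: OK (unexpected)"
    else
        echo "server cert alone: FAIL, as a browser without the intermediate would"
    fi
    verify_with_intermediate "$SERVER_NAME" && echo "with intermediate: OK"
    # Name checking is against the SANs, so the alias passes and a name that is
    # not in the certificate does not.
    verify_with_intermediate oscar.meyer.umn.edu || echo "oscar.meyer.umn.edu: hostname mismatch, as expected"
    make_fullchain
    if valid_for server.pem $((30 * 86400)); then
        echo "more than 30 days left"
    else
        echo "expires within 30 days: start the renewal"
    fi
}
main
```

For a deployed server, the same check is done against the live chain with `openssl s_client -connect host:443 -servername host -showcerts`; if only one certificate comes back, the intermediate is missing. `valid_for` with a 30-day window is the piece to put in cron so that an expiry is noticed even if the notification email is lost.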
If you need to revoke a certificate (e.g. if you have replaced a cert that was on a Heartbleed-vulnerable server), you can use the InCommon Certificate Service revocation form. The fields you need to enter should be included in the email you received when the cert was issued. If that doesn't work, or you no longer have the issuance email, you can send email to email@example.com with the certificate Common Name (server name) and some means of identifying the specific certificate to revoke, such as Order Number, expiration date, or certificate serial number. When the reason for revocation is a possible key compromise, generate a new private key and CSR for the replacement; reissuing a certificate for the old key does not help.
Departmental Certificate Administrators
The InCommon cert service allows for delegated administration, so designated people can submit and approve certificates for their department without intervention from OIT. Delegation can be set up for subdomains of umn.edu, individual hostnames, or non-umn.edu domains, provided you are eligible to request certificates for the requested namespace. Contact firstname.lastname@example.org if you are interested in using this functionality.
InCommon plans to eventually implement federated authentication, where you could log in with your University of Minnesota Internet ID and password instead of having to set up yet another set of credentials.
Frequently Asked Questions
(See also InCommon's Cert FAQ, which includes browser/device support lists.)
My server has a "real" name; it's "oscar.meyer.umn.edu". My server also has an alias, it's "www.meyer.umn.edu". Which one should I use as the server name (commonName or CN) in my certificate request?
To prevent client browser warnings, you should use the name that users (and any links that refer to the site) will actually be using. In this case, you should probably use the "www.meyer.umn.edu" name.
If your server has more than one name (e.g. "www.meyer.umn.edu" and "meyer.umn.edu") you can request a Multi-Domain certificate. This lets you list additional valid server names as Subject Alternative Names (SANs) in your certificate, which browsers will treat as valid. Current browsers match the requested hostname against the SAN list only and ignore the Common Name, so make sure every name you will use, the CN included, appears as a SAN.
When generating the CSR, my server asks me all kinds of embarrassing questions. How should I answer?
Here are the preferred answers:
- commonName (CN) = (server name - see previous question)
- organizationName (O) = University of Minnesota
- organizationalUnitName (OU) = (department name - see below)
- locality (L) = Minneapolis
- stateOrProvinceName (ST) = Minnesota
- country (C) = US
You can have zero or more organizationalUnitNames (OU) in your request. We recommend you put a department or coordinate campus name in this field. We further recommend that you spell out any abbreviations, especially if your site will be used by people outside your area. For example, use "OU=College of Liberal Arts", not "OU=CLA". The CA will automatically add an "OU=Platinum SSL" as well.
For the private key length, 2048 bits is now the minimum for RSA keys.
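The CSR generation step at the top of this page and the subject fields listed above, as one added example that is neither the page's own instructions nor the vendor's CSR guides. It also adds the www and apex names from the multi-domain answer as SANs, and reads the CN, SANs and key size back out of the CSR so they can be checked before the request is pasted into the enrollment form. Assumptions: OpenSSL 1.1.1 or later (for -addext), "College of Liberal Arts" as a stand-in department, and the FAQ's placeholder hostnames.

```shell
#!/bin/sh
# Added example, not from the page or the vendor's CSR guides: generate a
# 2048-bit RSA key and a CSR carrying the subject fields recommended above,
# plus subjectAltName entries for a multi-domain certificate. Needs OpenSSL
# 1.1.1 or later for -addext. The OU is an assumed department name and the
# hostnames are the FAQ's placeholders; substitute your own.
set -eu

gen_csr() {
    # $1 = common name (the name users type), remaining args = extra SAN names.
    cn=$1; shift
    sans="DNS:$cn"
    for alt in "$@"; do sans="$sans,DNS:$alt"; done

    # -nodes leaves the key unencrypted so the web server can read it at
    # start-up; keep the .key file on the server with tight permissions and
    # send only the .csr to the enrollment form.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$cn.key" -out "$cn.csr" \
        -subj "/C=US/ST=Minnesota/L=Minneapolis/O=University of Minnesota/OU=College of Liberal Arts/CN=$cn" \
        -addext "subjectAltName=$sans" 2>/dev/null
    chmod 600 "$cn.key"
    echo "$cn.csr"
}

# What the enrollment form's "Get Common Name from CSR" button will read.
csr_cn()      { openssl req -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'; }
# The SAN list, as "DNS:a,DNS:b".
csr_sans()    { openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }
# RSA modulus size, to confirm the 2048-bit minimum before submitting.
csr_keybits() { openssl req -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9][0-9]*'; }

main() {
    cd "$(mktemp -d)"
    csr=$(gen_csr www.meyer.umn.edu meyer.umn.edu)
    openssl req -in "$csr" -noout -verify        # checks the CSR's self-signature
    echo "CN:       $(csr_cn "$csr")"
    echo "SANs:     $(csr_sans "$csr")"
    echo "key bits: $(csr_keybits "$csr")"
    echo "paste into the enrollment form: $PWD/$csr"
}
main
```

The key never leaves the machine the CSR was made on; if you later move the certificate to another server, the .key file has to go with it over a protected channel, which is one reason to generate the CSR on the host that will actually serve it.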
Can I get a developer (code-signing) certificate to sign my nifty-keen Java applets or ActiveX controls?
Yes. Send email to email@example.com
with your department name as you would like it to appear in the OU field of the certificate, and an email address where an invitation to enroll will be sent. This email address will be included as a subjectAltName in the certificate, so it should probably reflect an organizational rather than a personal account. We will request the invitation, which will be sent to the email address you provided. The invitation will include a link to page that will generate a private key and send a certificate request to InCommon. When the certificate is ready, you will receive another email with a link to pick it up. Be sure to use the same browser to pick up the certificate as you did to request it. Once you have picked up the cert, you can export the cert and private key if you want to use it on another computer.
All certs will have an Organization field of "University of Minnesota", which is what most browsers will prompt with when asking users if they want to run your applet or control.
Do NOT use the Chrome browser to request a code-signing cert. You will not be able to install the issued certificate. Use Firefox or IE instead. If using IE11, you may need to set it to use Compatibility View for the enrollment site.
Can I get one of those 128-bit SuperCerts (also known as Server Gated Cryptography (SGC) certificates)?
No, and there's little point in SGC certs, unless you have a lot of international visitors using browsers from the 1990s (prior to the US lifting the restrictions on crypto export).
How about those Extended Validation (EV) certs that make your browser's address bar light up in neon colors?
EV certificates are now available through the InCommon program. Additional paperwork is required, so please ask us if you are interested.
We set up a web site named www.gopherbasketweavingrocks.com. Can we get an SSL certificate for it through this program?
We can add additional non-umn.edu domains to the program. Send the domains you wish to issue certs for to firstname.lastname@example.org and we will request they be added to our InCommon account. The InCommon admins will send mail to the WHOIS contacts for the domains and ask them to add a random CNAME record to prove they control the domain. Once the InCommon admins have verified the addition of the CNAMEs, they will activate the domains in our interface. At this point you will be able to request certificates under those domains.
How about client certificates?
Unlimited client certificates are included in the service. If your department would like to take advantage of these, please let us know.
Can I still get a certificate from Thawte?
Not through us. You will have to buy a certificate from them directly.
If you have further questions about SSL certificates or PKI in general, or if you just don't get the Oscar Meyer reference, send email to email@example.com