InCommon / Request an SSL certificate

Body

Objective

  • To provide instruction on requesting an SSL certificate for a web server through InCommon-Sectigo Certificate Service

Environment

  • Security
  • 12587: Certificate Services
  • InCommon-Sectigo Certificate Service

Procedure

  • Prior to making a certificate request, you must create a CSR (certificate signing request)
  • Certificate requests can be made using the InCommon Enrollment form
  • Miami is on a course to automate as much of our certificate generation and renewals as possible using ACME and certbot.  If you're part of IT and would like to participate in our automation effort please reach out to the appropriate group for the underlying operating system EO (Linux) or the Windows team (Windows Servers).  These groups will create, renew and distribute the certificate to your server for consumption so there is no need for you to create the CSR or submit the certificate request via InCommon
  1. Go to the InCommon Certificate Request Enrollment form
  2. Enter a group or departmental email, NOT your individual Miami email address, to receive a validation email for authentication to the enrollment form.  Individual email addresses will be rejected
  3. Open your email and either click the Confirm Authentication Request button or copy/paste the provided URL into your browser
  4. Select Enroll in the upper-right of the resulting page
  5. Enter Miami's access code (do not select an enrollment account, the access code is all should be entered)
  6. From the Certificate Type drop-down select one of the following options:
    • InCommon SSL (SHA-2) (customized for Miami University) — a single certificate for a fully qualified domain name
    • InCommon Wildcard SSL Certificate (SHA-2) (customized for Miami University)
    • InCommon Multi Domain SSL (SHA-2) (customized for Miami University) — multiple fully-qualified domains on a single certificate
  7. From the Certificate Term drop-down, select 1 year
  8. From the Server Software drop-down, select the appropriate option
    • If the server type is not listed, choose OTHER, and include additional information about the server in the Comments field
  9. Copy/paste or upload the CSR to the CSR field
  10. Enter the fully qualified domain name in the Common Name field
    • The request will not be submitted for review and approval if the common name is not the fully qualified domain name
  11. DO NOT use the pass-phrase section when submitting a certificate request or check the auto renewal box
  12. In the Comments field, enter a description of the server including the server name and service it provides:
    • Wildcard Certificate Requests
      • For the required field for servers, the number of servers in most cases will be one
      • The option for the Certificate Term field will be for two years only
    • Multi-domain Requests
      • After selecting InCommon Multi Domain SSL (SHA-2), the Subject Alternative Names option under the Common Name field will appear. This field (required) allows you to enter alternative domain names for a single certificate
  13. Once you have received and installed your certificate, submit a request for a Nagios alert to track the service, ensuring that you are alerted before the certificate expires

 

Notes

  • Best Practice: SSL/TLS certificate guidelines
  • Submitted requests may take up to four hours to be processed and validated by Sectigo. If you do not receive the email with the subject title "Enrollment Successful" within 24 hours of submitting your request, please contact Security Compliance and Risk Management office to have the request expedited. The certificate should then be issued within an hour of being expedited
    • If you have problems with an issued certificate and need to re-submit a CSR, email infosec@miamioh.edu; include the new CSR and the full common name instead of submitting a new certificate request using the InCommon enrollment form. The issued certificate will be replaced using the newly generated CSR
    • Once the certificate has been approved, you will receive an email with information on downloading the certificate
  • To ensure that all clients can verify the trust chain of the certificate, you must install the Intermediate CA Chains. See related articles for instructions on how to install Intermediate CA Chains
  • If you need help, submit a ticket to Sectigo Support/Ticket Requests. You will need the order number for the certificate in question: You will find it in the email you received with the certificate information (i.e., Order Number: XXXXXXX)
  • Additional Resources:

 

Details

Details

Article ID: 5799
Created
Wed 5/20/15 9:17 AM
Modified
Wed 10/16/24 12:06 PM
Can you resolve this issue yourself?
Yes! This is self-service with a smile.

Related Articles

Related Services / Offerings

Related Services / Offerings (1)