Indiana University is partnered with the InCommon Certificate Service to provide unlimited free X.509 certificates to IU units for SSL/TLS web servers, code signing, and client or personal use with email and other services.
Requesting a certificate
You can request a certificate using the InCommon Certificate Manager website. Specify an access code of "iucerts" and your IU e-mail address as the password.
All IU domain names are eligible for certificates, including
Non-IU domains are also supported as long as IU hosts the domain. Requests for certificates for these domains are subject to extra vetting and approval, by both the university and InCommon.
To request a certificate for a non-IU domain, send email to firstname.lastname@example.org specifying the domain you want a certificate for, and the UIPO will initiate the process of validating it with InCommon. After the domain is validated, you can then request a certificate for a host in that domain using the Certificate Manager mentioned above.
Renewing a certificate
The InCommon Certificate Service doesn't offer certificate renewal; you must instead request a new certificate using the Certificate Manager mentioned above.
Re-downloading a certificate
You can re-download a previously created key using the Certificate Manager's Download page. You'll be prompted for the certificate ID, which was in the email the Certificate Manager sent you when it issued the certificate, and the certificate format you want.
Revoking a certificate
You can revoke a certificate by using the Certificate Manager's Revocation page. You'll be prompted for the certificate ID, which was in the email the Certificate Manager sent you when it issued the certificate, and the passphrase you used when you requested it.
Technical support and troubleshooting help for InCommon certificates are available through InCommon. See their Support Information page for options.
“Unable to read the CSR”
If the Certificate Manager says it's "Unable to Read the CSR" when you request a certificate, it's likely you generated your request using keys with fewer than 2,048 bits. Try regenerating your keys and your request using 2,048-bit keys.
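One way to check an existing request and regenerate it with 2,048-bit keys using the OpenSSL command line. This is an added example, not part of the original page or the Certificate Manager; the function names, the host name, and the C/ST subject fields are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inspect a CSR's key size and create a 2,048-bit key and CSR.
# Function names and the sample host name are hypothetical placeholders.

# Print the public-key size, in bits, of a PEM-encoded CSR.
# Prints nothing if the file cannot be parsed as a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR parses and its key is at least 2,048 bits.
csr_key_ok() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# new_csr <fqdn> <outdir>
# Generate a fresh 2,048-bit RSA key pair and a CSR for <fqdn>.
# The key is written unencrypted (-nodes), so the subshell sets a
# restrictive umask so that only the owner can read it.
new_csr() {
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/C=US/ST=Indiana/O=Indiana University/CN=$1" 2>/dev/null
    )
}

# Typical use (www.example.iu.edu is a constructed host name):
#   csr_key_ok old-request.csr || new_csr www.example.iu.edu .
#   csr_key_bits www.example.iu.edu.csr
```

Submit only the .csr file; the .key file stays on the server that will use the certificate.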
Extended validation certificates
Extended validation (EV) certificates are also available through this service by selecting "EV Certificate" on the Certificate Manager site. These certificates require more behind-the-scenes work to verify the identity of the requesting institution.
Requesting EV certificates
The process for obtaining an EV certificate is significantly longer, so please plan ahead.
- Start by requesting an EV cert through the normal means. Record your order number; you'll need it later.
- Download and complete the IU-Comodo EV Certificate Request Form. (Comodo Group is the certifying authority for InCommon certificates.) Complete only the Certificate Requester section, found on Page 2.
- Send the completed form to Comodo via email [email@example.com] or fax [1-866-446-7704]. You must include your order number, either in the body of the email or a fax cover sheet.
For legal reasons, the organization name found on the EV certificate (displayed in the green browser indicator) must be the organization's full legal name, as listed in official records. For IU (or any of IU's domains), this is: "Indiana University" (as displayed above). Unfortunately, certificate authorities are unable to issue EV certificates bearing any other name—including those of a department, office, or service.
Multi-domain certificates (MDCs) are offered through this service. MDCs support up to 100 fully qualified domain names (FQDNs) or host names.
Wildcard certificates, when compromised by attackers, have the potential to be far more damaging to IU than standard certificates since they could be used to impersonate any FQDN in the domain of the wildcard, rather than just specific FQDNs to which standard certificates are issued. Placing copies of the wildcard certificates and their accompanying keypairs on multiple machines also increases the attack surface of the certificates. For these reasons, wildcard certs:
- cannot be used for one of IU's TLDs.
- must be limited to a period of 1 year.
- must be recreated with new keypairs, not renewed.
- may only be used when more than 100 FQDNs are involved. (If fewer than 100 FQDNs are needed, request a Multi-Domain SSL certificate instead.)
Exceptions to restrictions on wildcard certificates
Exceptions to these restrictions require approval by the University Information Security Officer, who will ask the requester the following:
- What host-level measures exist on the servers containing the private key for the wildcard certificate?
- What network-level measures protect these servers?
- Where else will the private key be stored?
- What people will have access to the private key?
- What is your response procedure in case the private key is compromised?
- How many FQDNs do you need the certificate to be valid for? What are they?
- How many servers do you plan on putting the wildcard certificate on?
- Where are these servers physically located?
Best practices relating to wildcard certificates
If you have been approved to use a wildcard certificate, the UISO recommends the following best practices:
- Develop a procedure for responding to a compromise of the private key.
- Deploy the private key only where needed (e.g., only to the servers that need it, not to every server you run).
- Limit access to the certificate to only those staff who need it.
- Leverage the IU Data Centers to enhance physical security.
Code-signing certificates are available through this service. The process of obtaining one is unique and must be initiated by the UISO. If you need a code-signing certificate, please send a request via email to firstname.lastname@example.org. The UISO will initiate a code-signing certificate request, and you will receive an email message from InCommon or Comodo explaining your next steps.
Client certificates, also known as S/MIME certificates or personal certificates, are available through this service. Pursuant to applicable policy, including but not limited to IT-07, IU reserves the right to decrypt email messages that have been encrypted using InCommon Client Certificates to comply with policy, law, or enforceable requests for information.