IT Services provides free SSL/TLS certificates via the InCommon Certificate Service. These certificates can be used for any domain name (including non ".edu" domains) controlled by a university entity, for example, a division, department, school, lab, etc. For more information see the Overview of Available Digital Certificates.
This article describes the process for submitting certificate requests to IT Services, the default certificate authority for the University campus. Authority for some campus domains (such as those related to the University of Chicago Medicine, Booth School of Business, or Computer Science Departments) is the responsibility of the local IT support unit for those organizations. If you are unsure where to submit your request, contact your IT support staff or follow the procedure described below to submit to IT Services. IT Services will direct you to the appropriate authority.
You can request certificates only for validated domains. Domain validation must be completed before you submit your request. See Validate a Domain Name for Use with InCommon Certificate Service.
For specific information on generating a Certificate Signing Request (CSR) for your software, please refer to your server software documentation.
The CSR must meet the following requirements:
Although it is good practice to enter correct and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, and Email Address), that information will be overwritten with standard University information when the certificate is issued.
Choose the Certificate Profile that corresponds to the type of certificate that you want. Unless you have a specialized requirement, you should likely use an InCommon SSL General profile.
The choices provided are the longest possible terms allowed by the Certificate Authority for that profile, typically one year. If you need a certificate for testing purposes, please use a "Short Life" profile.
The Certificate Manager process relies on email communication to issue the certificate and to provide expiration warnings, so setting the correct contact email address is critical. You must use a uchicago.edu email address. Subdomains are OK, for example, example@department.uchicago.edu.
The system defaults to using the email address that you used to authenticate to the Certificate Manager, but you can and usually should override that default by adding a different email address to the External Requester field. Our standard is that the contact email address should be a shared or administrative email address that is not dependent on the availability of a single person. In other words, use a group email address such as yourteam@lists.uchicago.edu, not an individual's email like cnetid@uchicago.edu. If you provide a contact email for an individual instead of a shared account, it will delay your request as we contact you.
In summary, either the email address you used to authenticate to the Certificate Manager, or one you added to the External Requester, should be a group email address and not an individual person's email address.
Optional: You can add a comment for your own reference.
Optional: If you enable Auto Renew and set the days before expiration, the Certificate Manager will email the requester a replacement certificate in advance of your certificate expiration.
Select Submit. The Certificate Manager will notify IT Services of your request. You do not need to send an email request unless you have a question.
IT Services may call or email to ask for additional information to validate any request before approval. If the Certificate Authority has any questions about the certificate request, IT Services will work with them on your behalf for a resolution. The Certificate Manager system sends updates via email to the requester at various stages of the process. Typically, you will receive a signed certificate via email in 2-4 business days from the time your request is received and any necessary validation has been completed.
All certificates are delivered via email from Sectigo. The originating domain is @cert-manager.com. Keep the email from Sectigo, as it contains the necessary information for using and renewing your certificate. The email message from Sectigo will contain links to download the "signed certificate" and the "CA certificate chain" in various formats. Download the signed certificates in a format appropriate for your software then install them according to the documentation for that software.
Please do not overlook the certificate chain, sometimes called a "Chain Certificate" or a "CA bundle." Your signed certificate is authorized by Sectigo's root Certificate Authority, which is trusted by 99% of browsers; however, these certificates are issued by one of Sectigo's intermediate certificate authorities. This is a standard industry practice that helps Sectigo secure the actual root CA. Intermediate CA certificates are often not recognized by browsers, so a trust chain must be followed to establish the certificate's validity. When you install the certificate chain, it allows your server to send the client information to complete the trust chain from your server certificate to the root CA certificate your browser already trusts.
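The effect of leaving out the chain can be reproduced offline. The following is an added example, not part of the IT Services procedure: it builds a constructed three-level PKI with `openssl` (the names "Demo Root CA", "Demo Intermediate CA" and `www.example.edu` are placeholders, not Sectigo's certificates) and shows that a client holding only the root rejects the server certificate until the intermediate is supplied.

```sh
# Constructed three-level PKI; every name is a placeholder, not Sectigo's:
#   Demo Root CA -> Demo Intermediate CA -> www.example.edu

# issue <dir> <name> <CN> <issuer-name> <extension-section>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 30 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {   # make_demo_pki <dir>
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[demo_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[demo_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.edu
EOF
  # Root: self-signed; stands in for the root CA the browser already trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions demo_ca -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" int  "Demo Intermediate CA" root demo_ca &&
  issue "$1" leaf "www.example.edu"      int  demo_leaf
}

# chain_verifies <trusted-root> <server-cert> [<chain-file>]
# -CAfile is the client's trust store; -untrusted is the chain the server sends.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem" \
  && echo "chain not installed: trusted" || echo "chain not installed: NOT trusted"
chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem" \
  && echo "chain installed: trusted" || echo "chain installed: NOT trusted"
```

Against a live server, `openssl s_client -connect your-host.example.edu:443 -showcerts` (hostname is a placeholder) lists the certificates the server actually sends, which should include the intermediate as well as the server certificate.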
Immediately after you install your new certificate, verify that the SSL connection is trusted. Browsers sometimes cache SSL certificates so simply browsing a website is not the ideal way to verify your installation. Two alternate methods:
If you requested 'auto renew' during the initial certificate enrollment, you should receive an email with a download link for a renewed certificate prior to expiration of the current certificate. As a courtesy, IT Services may send automated reminder notices prior to the certificate expiration, but the unit requesting and using the certificate must take full responsibility for renewing certificates before their expiration. IT Services cannot be held accountable for expired SSL certificates. The email message that you receive from Sectigo with your signed certificate includes a "renew ID", which you should retain for the future.
If you have questions please email certs@uchicago.edu.