SSL/TLS certificates

Certificates

Indiana University is partnered with the InCommon Certificate Service to provide unlimited free V2 X.509 certificates to IU units for SSL/TLS web servers, code signing, and client or personal use with other services.

InCommon has introduced a new V2 certificate as a new intermediate certificate between InCommon and their partner company Sectigo. The process will remain essentially unaffected for users requesting new V2 certificates.

Requesting a certificate

You can request a certificate using the InCommon Certificate Manager website. You will be asked to provide a confirmation email address to receive an email containing an activation link. After completing the confirmation, you will prompted to specify an access code of "iucerts" and your IU e-mail address as the password.

Eligible domains

All IU domain names are eligible for certificates, including

• indiana.edu
• ipfw.edu
• iub.edu
• iu.edu
• iue.edu
• iuk.edu
• iun.edu
• iupuc.edu
• iupui.edu
• iusb.edu
• ius.edu

Non-IU domains are also supported as long as IU hosts the domain. Requests for certificates for these domains are subject to extra vetting and approval, by both the university and InCommon.

To request a certificate for a non-IU domain, send email to ca-admin@uiso.iu.edu specifying the domain you want a certificate for, and the UISO will initiate the process of validating it with InCommon. After the domain is validated, you can then request a certificate for a host in that domain using the Certificate Manager mentioned above.

Renewing a certificate

The InCommon Certificate Service doesn't offer certificate renewal; you must instead request a new certificate using the Certificate Manager mentioned above.

Re-downloading a certificate

You can re-download a previously created key using the Certificate Manager's Download page. You'll be prompted for the certificate ID, which was in the email the Certificate Manager sent you when it issued the certificate, and the certificate format you want.

Revoking a certificate

You can revoke a certificate by using the Certificate Manager's Revocation page. You'll be prompted for the certificate ID, which was in the email the Certificate Manager sent you when it issued the certificate, and the passphrase you used when you requested it.

Technical support

Technical support and troubleshooting help for InCommon certificates are available through InCommon. See their Support Information page for options.

“Unable to read the CSR”

If the Certificate Manager says it's "Unable to Read the CSR" when you request a certificate, it's likely you generated your request using keys with fewer than 2,048 bits. Try regenerating your keys and your request using 2,048-bit keys.

Extended validation certificates

Extended validation (EV) certificates are also available through this service by selecting "EV Certificate" on the Certificate Manager site. These certificates require more behind-the-scenes work to verify the identity of the requesting institution.

Requesting EV certificates

The process for obtaining an EV certificate is significantly longer, so please plan ahead.

1. Start by requesting an EV cert through the normal means. Record your order number; you'll need it later.
2. Download and complete the IU-Sectigo EV Certificate Request Form. (Sectigo Group is the certifying authority for InCommon certificates.) Complete only the Certificate Requester section, found on Page 2.
3. Send the completed form to Sectigo via email [docs@sectigo.com] or fax [1-866-446-7704]. You must include your order number, either in the body of the email or a fax cover sheet.

Organization name

For legal reasons, the organization name found on the EV certificate (displayed in the green browser indicator) must be the organization's full legal name, as listed in official records. For IU (or any of IU's domains), this is: "Indiana University" (as displayed above). Unfortunately, certificate authorities are unable to issue EV certificates bearing any other name—including those of a department, office, or service.

Multi-domain certificates

Multi-domain certificates (MDCs) are offered through this service. MDCs support up to 100 fully qualified domain names (FQDNs) or host  names.

Wildcard certificates

Wildcard certificates, when compromised by attackers, have the potential to be far more damaging to IU than standard certificates since they could be used to impersonate any FQDN in the domain of the wildcard, rather than just specific FQDNs to which standard certificates are issued. Placing copies of the wildcard certificates and their accompanying keypairs on multiple machines also increases the attack surface of the certificates. For this reason, wildcard certs

• cannot be used for one of IU's TLDs.
• must be limited to a period of 1 year.
• must be recreated with new keypairs, not renewed.
• may only be used when more than 100 FQDNs are involved. (If fewer than 100 FQDNs are needed, request a a Multi-Domain SSL certificate instead.)

Exceptions to restrictions on wildcard certificates

Exceptions to these restrictions require approval by the University Information Security Officer, who will ask the request the following:

• What host-level measures exist on the servers containing the private key for the wildcard certificate?
• What network-level measures protect these servers?
• Where else will the private key be stored?
• What people will have access to the private key?
• What is your response procedure in case the private key is compromised?
• How many FQDNs do you need the certificate to be valid for? What are they?
• How many servers do you plan on putting the wildcard certificate on?
• Where are these servers physically located?

Best practices relating to wildcard certificates

If you have been approved to use a wildcard certificate, the UISO recommends the following best practices: 

• • Develop a response procedure to respond to a compromise of the private key
  • Deploy the private key only where needed (e.g. not to every server you run, only those that need it, etc)
  • Limit access to the certificate to only those staff who need it
  • Leverage the IU Data Centers to enhance physical security

Code-signing certificates

Code-signing certificates are available through this service. The process of obtaining one is unique and must be initiated by the UISO. If you need a code-signing certificate, please send a request via email to ca-admin@uiso.iu.edu. The UISO will initate a code-signing certificate request, and you will receive an email message from InCommon or Sectigo explaining your next steps.

Client/personal certificates

NOTE: Due to enhanced security features in Exchange Online, you should no longer use digital signatures at IU. Follow the appropriate instructions to remove your certificates.

Client certificates, also known as S/MIME certificates or personal certificates, are available through this service. Pursuant to applicable policy, including but not limited to IT-07, IU reserves the right to decrypt email messages that have been encrypted using InCommon Client Certificates to comply with policy, law, or enforceable requests for information.