
Requesting an SSL Certificate

ncsa.illinois.edu Domains:

We request SSL certificates for *.ncsa.illinois.edu domains through NCSA Security:

 

New Documentation from NCSA Security

See NCSA Certificate Requests for more detailed documentation.

 

  1. The online instructions for creating a CSR don't yet explain how to request SHA-2 certificates. This is how we generate CSRs for 4096-bit, SHA-2 certs:

    openssl req -nodes -newkey rsa:4096 -sha256 -keyout myserver.ncsa.illinois.edu.key -out myserver.ncsa.illinois.edu.csr

    See https://www.xsede.org/security/certificates/csr for an example of requesting a SAN (subjectAltName) certificate, so that the cert works for multiple hostnames.

  2. Check the CSR for errors at https://www.sslshopper.com/csr-decoder.html
  3. Mail the CSR to help+ca@ncsa.illinois.edu to create a ticket
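
The CSR from step 1 can also be built with subjectAltName entries and checked locally with openssl before it is mailed. The script below is an added example, not NCSA's or XSEDE's own tooling; the function names and the example.org hostnames are placeholders.

```bash
#!/usr/bin/env bash
# Added example: function names and hostnames are placeholders, not NCSA tooling.

# make_csr DIR FQDN [ALT_NAME...]
# Writes DIR/FQDN.key (RSA 4096, unencrypted) and DIR/FQDN.csr (SHA-256, with SANs).
make_csr() {
    local dir="$1" fqdn="$2" san name
    shift 2
    san="DNS:$fqdn"            # the CN is repeated as the first SAN entry
    for name in "$@"; do san="$san,DNS:$name"; done
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = $san
EOF
    (
        umask 077              # key file readable by its owner only
        openssl req -new -nodes -newkey rsa:4096 -sha256 -config "$dir/$fqdn.cnf" \
            -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr"
    )
}

# check_csr CSR
# Succeeds only if the self-signature verifies, the key is 4096 bits and the digest is SHA-256.
check_csr() {
    local text
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
}

# csr_sans CSR: print one DNS:name entry per line
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Script usage: bash make_csr.sh DIR FQDN [ALT_NAME...]
if [ "$#" -ge 2 ]; then
    make_csr "$@" && check_csr "$1/$2.csr" && csr_sans "$1/$2.csr"
fi
```

Only the .csr file is mailed in step 3; the .key file stays on the server.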

NCSA Security handles these directly with InCommon (rather than CITES), so the certs are identical to what we used to get through CITES. Here is a URL for additional information about their certificates:

Certificates are free and can last for up to 2 years.

Basically, they just need us to supply a 4096-bit CSR.

Non-NCSA illinois.edu Domains:

We purchase SSL certificates for generic *.illinois.edu domains through CITES:

  1. Instructions for creating CSR
  2. Form for submitting request

Here is a URL for additional information about their certificates:

Certificates are $38 for up to 2 years.

Basically, they just need us to supply 4096-bit CSRs along with a University CFOP account and an email contact.

Karen Hartman says that we need to have the correct activity code as well, so before purchasing any certificate we are supposed to contact the business office to get the appropriate code.

Other Domains:

For non-illinois.edu domains, we can apparently obtain certificates through NCSA Security if NCSA owns the domain name. If not, we can continue to purchase SSL certificates through InstantSSL/Comodo.

Installing Intermediate Certificates

The InCommon SSL certificates from CITES always require the additional installation of an intermediate certificate:

The above intermediate certificate is signed by Comodo's CA Root certificate, which may also need to be installed: