Requesting an SSL Certificate Domains:

We request SSL certificates for * domains through NCSA Security:


New Documentation from NCSA Security

See NCSA Certificate Requests for more detailed documentation.


  1. The online instructions for creating a CSR don't yet explain how to request SHA-2 certificates. Below is how we generate CSRs for 4096-bit, SHA-2 certs:

    openssl req -nodes -newkey rsa:4096 -sha256 -keyout -out

    See for an example for requesting a SAN (subjectAltName) certificate so the cert works for multiple hostnames.

  2. Verify the CSR for any possible errors at
  3. Mail the CSR to to create a ticket
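
The generate-and-verify steps above as a script, covering the SAN case as well. This is an added example, not taken from this page or from NCSA Security's documentation; the hostnames, subject fields, file names and the function names `make_csr` and `check_csr` are constructed placeholders.

```shell
#!/bin/sh
# Added example: hostnames, subject fields and file names are constructed placeholders.

# make_csr <outdir> <common-name> [additional-hostname ...]
make_csr() (
  dir=$1 cn=$2; shift 2
  sans="DNS:$cn"                       # the CN should also appear as a SAN
  for h in "$@"; do sans="$sans,DNS:$h"; done
  cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
O = Example Org
CN = $cn
[v3_req]
subjectAltName = $sans
EOF
  umask 077                            # keep the unencrypted (-nodes) key private
  openssl req -nodes -newkey rsa:4096 -sha256 -config "$dir/csr.cnf" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
)

# check_csr <csr-file> <hostname ...>: prints "ok" or the first problem found
check_csr() (
  csr=$1; shift
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "self-signature does not verify"; exit 1; }
  text=$(openssl req -in "$csr" -noout -text)
  printf '%s\n' "$text" | grep -q '(4096 bit)' \
    || { echo "key is not 4096-bit"; exit 1; }
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "CSR is not signed with SHA-256"; exit 1; }
  # The SAN list is on the line after its extension header, comma-separated
  sans=$(printf '%s\n' "$text" |
    awk '/Subject Alternative Name/ {getline; gsub(/ /, ""); print; exit}')
  for h in "$@"; do
    case ",$sans," in
      *",DNS:$h,"*) ;;
      *) echo "missing SAN: $h"; exit 1 ;;
    esac
  done
  echo ok
)
```

For example, `make_csr . www.example.org example.org` followed by `check_csr ./www.example.org.csr www.example.org example.org` prints `ok` when the CSR is ready to submit.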

NCSA Security handles these directly with InCommon (rather than CITES), so the certs are identical to what we used to get through CITES.

Certificates are free and can last for up to 2 years.

Basically, they just need us to supply a 4096-bit CSR.

Non-NCSA Domains:

We purchase SSL certificates for generic * domains through CITES:

  1. Instructions for creating CSR
  2. Form for submitting request

Here is a URL for additional information about their certificates:

Certificates are $38 for up to 2 years.

Basically, they just need us to supply 4096-bit CSRs along with a University CFOP account and an email contact.

Karen Hartman says that we need to have the correct activity code as well, so before purchasing any certificate we are supposed to contact the business office to get the appropriate code.

Other Domains:

For non domains, apparently we can obtain those through NCSA Security if NCSA owns the domain name.  If not, we can continue to purchase SSL certificates through InstantSSL/Comodo.

Installing Intermediate Certificates

The InCommon SSL certificates from CITES always require the additional installation of an intermediate certificate:

The above intermediate certificate is signed by Comodo's CA Root certificate, which may also need to be installed: