IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g., its.chicago.edu) or its subdomains via the InCommon Certificate Service. Once you have requested an SSL certificate from the InCommon Certificate Service, you will receive a signed certificate and a certificate chain via email. All certificates come from a Certificate Authority (CA). You must install those certificates to use them.

Install the Signed Certificate and the CA Chain

All certificates are delivered via email from Sectigo. The originating domain is @cert-manager.com (please configure your spam filters accordingly). Keep the email from Sectigo, as it contains the necessary information for using and renewing your certificate. The email message from Sectigo will contain links to download the "signed certificate" and the "CA certificate chain" in various formats. Download the signed certificates in a format appropriate for your software then install them according to the documentation for that software.

Please do not overlook the certificate chain, sometimes called a "Chain Certificate" or a "CA bundle." Your signed certificate is authorized by Sectigo's root Certificate Authority, which is trusted by 99% of browsers; however, these certificates are issued by one of Sectigo's intermediate certificate authorities. This is a standard industry practice that helps Sectigo secure the actual root CA. Intermediate CA certificates are often not recognized by browsers, so a trust chain must be followed to establish the certificate's validity. When you install the certificate chain, it allows your server to send the client information to complete the trust chain from your server certificate to the root CA certificate your browser already trusts.

Verify the Certificate Was Installed Correctly

Immediately after you install your new certificate, verify that the SSL connection is trusted. Browsers sometimes cache SSL certificates so simply browsing a website is not the ideal way to verify your installation. Two alternate methods:

1. If your certificate is installed on a server that is reachable from off-campus then you can use free services that run immediate checks on a hostname you provide:

• Qualys SSL Server Test (Check Hidden so that you do not show up in the public list.)
• Comodo SSL Analyzer (Does not provide certificate chain information so should be combined with another method.)
  
  2. System administrators familiar with the tool OpenSSL (which is usually included on Unix or Linux systems) can use clients as described by InCommon to check their certificate. This method requires more effort for the system administrator but does work for systems that are not reachable by the off-campus SSL testing services.

Renew the Certificate

SSL certificates are valid for a period of up to one year. If you requested 'auto renew' during the initial certificate enrollment you should receive an email with download link for a renewed certificate prior to expiration of the current certificate. As a courtesy IT Services may send reminder notices prior to the certificate expiration but the organization requesting and using the certificate must take full responsibility for renewing certificates before their expiration. IT Services cannot be held accountable for expired SSL certificates. The email message that you receive from Sectigo with your signed certificate includes a "renew ID" which you should retain for the future.

If you have questions please email certs@uchicago.edu.