Validate a Domain Name for Use with InCommon Certificate Service


Through the InCommon Certificate Service, the University can provide free Secure Sockets Layer (SSL) certificates for any domain name (including non-".edu" domains) controlled by a University entity (division, department, school, lab, etc.). The prerequisite is that the domain must pass an industry-standard process known as Domain Control Validation (DCV). Before Comodo (the Certificate Authority) can issue any SSL certificate to a University entity, the entity must demonstrate that the domain name is affiliated with the University and under the entity's administrative control. This is a common-sense precaution to prevent misuse of certificates by third parties. DCV must be completed before a certificate is issued for a new domain, and then annually.

This requirement affects:

  1. All new SSL certificate applications and certificate renewals.
  2. Only the registered High-Level Domain (HLD), not subdomains (for example, if "uchicago.edu" is validated, then example.uchicago.edu does not need to be validated separately).

The process can be completed using any one of three supported methods:

  1. Email: InCommon will email a validation code to an address associated with the domain through its whois record (or one of a preset list of common administrative addresses) and the recipient must paste that code into a confirmation web page.
  2. DNS CNAME: A CNAME record specified by InCommon must be added to the authoritative Domain Name System (DNS) server for the domain.
  3. HTTP: A text file provided by InCommon must be added to the root directory of a web server for the domain.

InCommon Certificate Manager provides documentation detailing all of these methods.

If you would like to add a new domain to the InCommon system so that SSL certificates can be provided for you, please note that DCV requires participation of the domain administrator and the campus Registration Authority Officers (Information Security).

Step 1: Verify that the Registrant Name listed in Whois Lookup demonstrates an affiliation with the University of Chicago. Note in particular that domains protected by registration privacy services will be denied.

  1. Check your Whois listing using the whois command from any Unix-derived system or use one of many web services such as whois.domaintools.com.
  2. If the Registrant Organization in the Whois listing does not demonstrate a University affiliation and include University-related contact information, update the listing with your domain registrar.

Step 2: Please initiate the DCV process by emailing certs@uchicago.edu the following information:

  1. In the email Subject field, indicate New Domain or DCV.
  2. Domain name requested. As noted above, only the High-Level Domain is needed, not all subdomains, so the domain you provide likely should have only one dot in it (for example, example.net, not sub.example.net).
  3. Which of the supported DCV methods described above (Email, DNS, HTTP) you prefer to use. If you choose email, indicate what address to use.
  4. New domains: Name of the University entity requesting the domain, and both phone and email contact information.
  5. New domains (optional): Which Departmental Registration Authority the new domain should be delegated to once approved. If you work with an existing DRAO, note that in the request. Otherwise, or if you are unsure how to answer the question, by default certificates for new domains will be approved by IT Services, which is in most cases the appropriate choice.

Step 3: IT Services will request that the domain be validated by InCommon, which will check the whois contact (Step 1) and then allow IT Services to proceed with the DCV method of choice (Step 2).

Step 4: IT Services will email instructions to the DCV requester on how to complete the Email, DNS, or HTTP step. Follow those instructions and reply when ready. IT Services will contact the Certificate Authority and finish the validation process. Once it is complete, you will receive an automated email from cert-manager.com. After you receive that email, you can request certificates for the newly validated domain.
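
An added example (not from this page, InCommon or IT Services) that pre-checks Step 1 and the domain form asked for in Step 2 against saved `whois` output before you email the request. It assumes key/value output with `Registrant Name:` and `Registrant Organization:` lines (some registries format this differently); the privacy markers, the affiliation string and the sample records are constructed assumptions.

```python
import re

# Assumption: substrings typical of privacy/proxy registrations (not an official list).
PRIVACY_MARKERS = ("privacy", "redacted", "proxy", "whoisguard")
# Assumption: the text that counts as showing University affiliation.
AFFILIATION = "university of chicago"
# Matches key/value lines such as "Registrant Organization: ...".
REGISTRANT_FIELD = re.compile(r"^\s*Registrant ([A-Za-z ]+?):\s*(.*)$", re.I)

def parse_registrant(whois_text):
    """Return {field name (lower-case): value} for 'Registrant <field>:' lines."""
    fields = {}
    for line in whois_text.splitlines():
        m = REGISTRANT_FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def precheck(domain, whois_text):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if domain.strip(".").count(".") != 1:
        problems.append("more or fewer than one dot: submit the high-level domain, not a subdomain")
    reg = parse_registrant(whois_text)
    who = " ".join(reg.get(k, "") for k in ("name", "organization")).lower().strip()
    if not who:
        problems.append("no Registrant Name/Organization found in the whois output")
    elif any(marker in who for marker in PRIVACY_MARKERS):
        problems.append("registrant hidden by a privacy service: the request will be denied")
    elif AFFILIATION not in who:
        problems.append("registrant shows no University affiliation: update it at the registrar")
    return problems

# Constructed sample whois output (not real records).
GOOD = """Domain Name: EXAMPLE.NET
Registrant Name: Domain Administrator
Registrant Organization: University of Chicago, Example Lab
Registrant Email: hostmaster@example.net
"""
PRIVATE = """Domain Name: EXAMPLE.ORG
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
"""

if __name__ == "__main__":
    for domain, text in (("example.net", GOOD), ("sub.example.org", PRIVATE)):
        print(domain, precheck(domain, text) or "ok")
```

To check a real domain, save the output of the `whois` command to a file and pass its contents as `whois_text`.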

This is a multi-step process. Allow at least five business days for IT Services to handle the administrative aspects of your request (requesting DCV and delegating the approved domain). Any delay by the domain administrator in handling their part in the DCV process will add to that time.

If you have any questions about the process, please email certs@uchicago.edu.