IT Services provides free SSL (X.509) digital certificates via the InCommon Certificate Service.
IT Services offers SSL certificates for any host in the uchicago.edu domain (e.g., its.uchicago.edu), its subdomains (e.g., its.example.uchicago.edu), or, by prior arrangement, any domain outside uchicago.edu that is affiliated with and controlled by the University. Certificates are signed and issued by Sectigo, a leading Certificate Authority recognized by all prominent web browsers and email applications.
Secure Sockets Layer (SSL) is a protocol that provides secure communication on the internet for web browsing, email, and other data transfers. E-commerce transactions and CNetID authentication are two examples of data transactions that require SSL encryption per University policy. In modern implementations SSL is more accurately referenced as Transport Layer Security (TLS); however, the SSL name is more commonly used.
X.509 is a standard for identification and secured data exchange using modern digital cryptography. An X.509 certificate can identify any person, object, or information. An SSL certificate is a specialized type of X.509 certificate used for identifying servers and securing data using SSL. An SSL certificate is issued for a specific Internet hostname such as www.uchicago.edu.
An SSL certificate that is signed by a valid certificate authority:
Any domain name (including non-.edu domains) that is administered by the University of Chicago is eligible. Please see the related article Validate a Domain Name for Use with InCommon Certificate Service for details.
The InCommon Certificate Service offers multiple possible methods for requesting and managing certificates: manual submission, ACME, REST API, or Sectigo Network Agent.
Units that have been delegated authority for their domains determine which options are available to their users. All other units can request certificates from IT Services.
Please see the relevant Knowledge Base (KB) articles for the type of certificate you want to request:
Please also see Install and Use a Server SSL Certificate.
The Automatic Certificate Management Environment (ACME) protocol automates interactions between certificate authorities and their users' servers. ACME is commonly referenced using its most popular implementation: Let's Encrypt. The University's InCommon Certificate Service provides its own ACME-based option. In contrast to Let's Encrypt, it uses External Account Binding (EAB) built on its existing Domain Control Validation methods.
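The External Account Binding mentioned above, as an added example that is not code from IT Services or Sectigo: under RFC 8555 section 7.3.4, an ACME client proves it holds CA-issued credentials by computing an HMAC over its account public key, and the CA checks that MAC before linking the ACME account. The key ID, MAC key, URL and JWK are constructed placeholders, and `build_eab` and `verify_eab` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(eab_hmac_key: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()


def build_eab(account_jwk: dict, eab_kid: str, eab_hmac_key: str, new_account_url: str) -> dict:
    """Client side: build the externalAccountBinding JWS for newAccount."""
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # The payload is the ACME account's public key, so the binding is only
    # valid for this one account key.
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    signature = b64url(_mac(eab_hmac_key, protected, payload))
    return {"protected": protected, "payload": payload, "signature": signature}


def verify_eab(eab: dict, eab_hmac_key: str, expected_kid: str) -> bool:
    """CA side: accept only a valid HS256 MAC made under the expected key ID."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    expected = _mac(eab_hmac_key, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed sample values: not real credentials, endpoints or key material.
SAMPLE_KID = "example-eab-kid"
SAMPLE_HMAC_KEY = b64url(b"constructed-demo-mac-key-32bytes")
SAMPLE_URL = "https://acme.example.invalid/new-account"
# x and y are filler bytes, not a real P-256 point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    print(json.dumps(build_eab(SAMPLE_JWK, SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_URL), indent=2))
```

Because the MAC key is a shared secret that authorizes certificate requests for validated domains, it should be stored and rotated like any other credential.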
The following articles provide the concepts and workflows needed for ACME to function in the InCommon Certificate Service. If your unit has its own DRAOs, please contact them directly regarding this option. All others can contact IT Services via certs@uchicago.edu.
See Sectigo's documentation for their REST API. Please contact Information Security if you are interested in this option.
See Sectigo's documentation for Network Agents. Please contact Information Security if you are interested in this option.
IT Services can optionally delegate certificate-signing authority to interested departments or other organizational units that want to manage their own SSL certificates. Delegated certificate authority uses the existing InCommon infrastructure so it is simple to use and free. To learn more about this option please see Become a Department Authority for Approving SSL Certificates.
If you have questions that are not answered on this page please email certs@uchicago.edu.