IT Services provides free SSL/TLS certificates via the InCommon Certificate Service. These certificates can be used for any domain name (including non ".edu" domains) controlled by a University entity, for example, a division, department, school, lab, etc. More information about certificate types or domain name validation for SSL certificates is available in these articles:
To request a single or multiple-domain SSL certificate, you need to generate a valid Certificate Signing Request (CSR) and submit the CSR to the appropriate on-campus authority for approval, along with whatever metadata that authority requests. Authority for some campus domains, notably those related to the University of Chicago Medicine and Booth School of Business, is the responsibility of the local IT support unit for those organizations.
The following paragraphs describe the process for submitting certificate requests to IT Services, the default certificate authority for the University campus. If you are unsure where to submit your request, contact your IT support staff or follow the procedure described below to submit to IT Services. IT Services will direct you to the appropriate authority.
For specific information on generating a Certificate Signing Request (CSR) for your software, please refer to your server software documentation.
The CSR must meet the following requirements:
Although it is good practice to enter correct and relevant information in the other fields (Country, State/Province, Locality, Organizational Unit, Organization, and Email Address), that information will be overwritten with standard University information when the certificate is issued.
Note: Please disregard the 'Select Enrollment Account' option. The Access Code should suffice for certificate enrollment.
Choose the Certificate Profile that corresponds to the type of certificate that you want. Unless you have a specialized requirement, you should most likely use "InCommon SSL" for a certificate with a single hostname or "InCommon Multi Domain SSL" for a certificate with multiple hostnames.
The choices provided are the longest possible terms allowed by the Certificate Authority for that profile, typically one year. If you need a short-term certificate for testing purposes, please use the "Short Life" profile, which is valid for 30 days.
The Certificate Manager process relies on email communication to issue the certificate and to provide expiration warnings, so setting the correct contact email address is critical. You must use a uchicago.edu email address. Subdomains are OK, for example, example@department.uchicago.edu.
The system defaults to using the email address that you used to authenticate to the Certificate Manager, but you can override that default by adding a different email address to the External Requester field. There is a good reason to do so: our standard is that the contact email address should be a shared or administrative email address that is not dependent on the availability of a single person. In other words, use a group email address such as yourteam@lists.uchicago.edu, not an individual's email like cnetid@uchicago.edu. If you provide a contact email for an individual instead of a shared account, your request will be delayed while we contact you.
In summary, either the email address you used to authenticate to the Certificate Manager, or one you added to the External Requester, should be a group email address and not an individual person's email address.
Optional: You can add a comment for your own reference.
Optional: If you enable Auto Renew and set the days before expiration, the Certificate Manager will email you a replacement certificate in the future.
Select Submit. The Certificate Manager (CM) will notify IT Services of your request. You do not need to send an email request unless you have a question.
IT Services may call or email to ask for additional information to validate any request before approval. If the Certificate Authority has any questions about the certificate request, IT Services will work with them on your behalf for a resolution. The Certificate Manager system sends updates via email to the requester at various stages of the process. Typically, you will receive a signed certificate via email in 2-4 business days from the time your request is received and any necessary validation has been completed.
For more information about the next steps, please consult Install and Use a Server SSL Certificate and read the instructions in the Enrollment email you receive from cert-manager.com. If you have questions about the process or difficulty using the self-enrollment request form, please email certs@uchicago.edu.