IT Services provides free SSL certificates for any host in the uchicago.edu domain (e.g. its.uchicago.edu) or its subdomains (e.g. its.example.uchicago.edu) via the InCommon Certificate Service. The service currently provides various types of certificates including wildcard SSL certificates.
Note: Due to the increased risk associated with wildcard certificates, they have more rigorous request validation and hosting requirements. Most servers can and should use single or multi-domain server certificates.
Eligibility for Wildcard Certificate
- Request must have a rationale for why a wildcard certificate is more suitable than a multi-domain SSL certificate (e.g. certificate needed for more than 100 domains). In most cases, IT Security will recommend a multi-domain certificate.
- All aspects of the certificate management (e.g. hosting) must be performed by a professional IT group that agrees to the hosting, communication, and revocation policies specified by IT Security
- Wildcard certificates are typically only issued for subdomains of uchicago.edu (e.g., *.example.uchicago.edu), rather than the top-level domain
- Renewal requests must be created with a new keypair
How to Request a Wildcard SSL Certificate
To request an SSL certificate, generate a valid Certificate Signing Request (CSR) for the wildcard domain (e.g., *.example.uchicago.edu), then email the CSR and the supporting information to IT Services staff. Your request will be validated and, if appropriate, signed by IT Security.
1. Generate a Certificate Signing Request
For specifics on generating a request for your software, please refer to your software documentation or the Comodo Knowledge Base for CSR Generation.
The CSR must meet the following requirements:
- The CSR must use a key length of 2048 bits
- The CSR must contain the following fields:
| Field name | Abbreviation | Example | Notes |
| --- | --- | --- | --- |
| Country | C | US | Two-letter ISO country code |
| State/Province | ST | Illinois | Must be spelled out in full; no abbreviations |
| Locality | L | Chicago | Your city |
| Organizational Unit | OU | IT Services | Your administrative unit (e.g. department name). |
| Organization | O | University of Chicago | |
| Common Name | CN | *.example.uchicago.edu | |
| Email Address | emailAddress | example@uchicago.edu | The email address of the administrator(s) of the system using the certificate. |
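A preflight check for the CSR requirements above, written against the openssl command-line tool; this is an added example, not IT Services tooling. The function and file names and the two-character test for an abbreviated state are assumptions, and the subject values are the sample values from the table.

```bash
#!/usr/bin/env bash
# Added example; make_csr/check_csr and the file names are hypothetical.

# make_csr DIR CN: always creates a NEW 2048-bit RSA key (renewals need one)
# and a CSR carrying the seven required subject fields (sample values).
make_csr() {
  local dir=$1 cn=$2
  ( umask 077   # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/wildcard.key" -out "$dir/wildcard.csr" \
      -subj "/C=US/ST=Illinois/L=Chicago/O=University of Chicago/OU=IT Services/CN=$cn/emailAddress=example@uchicago.edu" )
}

# field SUBJECT NAME: value of one attribute in an RFC 2253 subject string.
# Splits on commas, which is enough for a presence check.
field() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_csr FILE: returns 0 only if FILE is safe to email and meets the
# CSR requirements in this section.
check_csr() {
  local csr=$1 text subj f st rc=0
  if grep -q 'PRIVATE KEY' "$csr"; then
    echo "FAIL: $csr contains a private key; do not send it"; return 1
  fi
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
    { echo "FAIL: $csr is not a parseable CSR"; return 1; }
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' ||
    { echo "FAIL: key length is not 2048 bits"; rc=1; }
  for f in C ST L OU O CN emailAddress; do
    [ -n "$(field "$subj" "$f")" ] || { echo "FAIL: missing field $f"; rc=1; }
  done
  st=$(field "$subj" ST)
  [ "${#st}" -gt 2 ] || { echo "FAIL: ST must be spelled out in full"; rc=1; }
  case "$(field "$subj" CN)" in
    '*.'?*.uchicago.edu) ;;
    *) echo "FAIL: CN is not *.<subdomain>.uchicago.edu"; rc=1 ;;
  esac
  return $rc
}

# Usage:
#   make_csr . '*.example.uchicago.edu' && check_csr ./wildcard.csr
```

Only `wildcard.csr` goes in the email; `wildcard.key` stays on the host that will serve the certificate.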
2. Submit the Certificate Signing Request
Email your request to certs@uchicago.edu with the following information:
- Certificate Signing Request (CSR) as an attached file or in the message body (DO NOT include the private key)
- Information about the requested certificate. Please provide:
  - The subdomain for which you are requesting a wildcard certificate
  - A statement why you are requesting a wildcard certificate rather than a multi-domain certificate
  - A description of the server(s) that will host the certificate and private key, including the server's role in your infrastructure and any relevant campus IPs
  - The name of the IT organization that will manage the certificate
- Contact information
  - Requestor contact info: name, campus email, campus phone number, and campus postal mailing address of the organizational business owner (e.g. department, lab) of the system that will be using the certificate
  - Optional: technical support contact info: name, email, and phone number of the organization technical contact (e.g. IT support department, group, person) who will be administering the server certificate if that is different than the business owner
  - Optional: add names of specific contact people within the organizations listed, as appropriate for your situation
Please note that critical communication, including delivery of the signed certificate, will go to the requestor's contact email address, so IT Security requires the use of a shared departmental/organization address (e.g., info@example.uchicago.edu) rather than an individual's account. The requestor must provide campus-specific contact information, although the technical support contact can be a third party (e.g. a vendor).
- IT Security will contact the technical contact by phone, if provided, or the requestor contact, to review the eligibility and the requirements.
- IT Security will email a document describing the requirements and procedures to the requestor's contact email address. A management representative of the requesting organization must reply to that message to agree to the policies.
Typically you will receive a signed certificate via email in 1 or 2 business days from the time your request is received and any necessary validation has been completed.
Questions on the wildcard SSL certificate service, including questions on eligibility and requirements, are welcome. Direct all communication including requests to certs@uchicago.edu.