SSL Certificates, Generating SSL Certificates with the InCommon console
For designated Sectigo (formerly Comodo) account holders, how-to generate certificates
The self-service pilot is over and we are no longer accepting applications for self-service users. Unfortunately, providing console access to the Sectigo/InCommon tool was not found to be a viable solution due to identity/group support scaling and supportability issues. Please see the SSL Certificates, Certificate Service for current options.
To log in to the web interface, visit: https://go.illinois.edu/comodo. Choose to sign in with "InCommon Federated Login."
Choose your campus, then continue to log in via Shibboleth with your UIUC AD credentials.
Navigating the Web Interface
The navigation bar at the top of the screen contains the main areas of the interface. Select the 3 lines icon in the upper-left corner then select "Certificates" and "SSL Certificates" after that.
Select the green plus sign to add a certificates, or select the inverted pyramid of lines to search for extant certificates (perhaps to renew a certificate you're authorized to renew).
If you do not see the domain that you need, you can either email email@example.com to request domains to be added, or you can file the requests for new domains in Certificate Manager by selecting the main menu, then "Domains", and then the green plus sign to request adding a new domain. No matter how you request the addition of new domains, please contact firstname.lastname@example.org to get the new domain approved by an admin.
Requesting a signed certificate
Once you have been approved to request a certificate for your domain, click on the green plus sign in the "SSL Certificates" section to request a new signed certificate:
In the wizard to request a signed certificate, select:
- "Manual creation of CSR", then click "Next" in the lower right-hand corner.
- Select the appropriate fields:
- Department: This should be your unit, university department, or college.
- Certificate Profile: InCommon SSL (SHA-2) (for a single-hostname certificate) or InCommon Multi Domain SSL (SHA-2) (for a multiple-hostname or "SAN" certificate) customized for your department.
- Certificate Term: 1 year
- Comments: This is left to your decision. This field is typically left blank and this can be filled in even after the certificate is issued.
- External Requesters: one or more email addresses used as contact points about this certificate. Don't forget to click the plus sign after adding email address(es) in or the form won't add in the addresses you specified.
- Paste in your CSR. Be sure that your CSR is at least 2048-bits and that you have access to the FQDN that the CSR is for. Click "Next" to proceed.
- The common name will auto-populate based on what is in your CSR. Click "Next" to proceed. Then choose your auto-renewal preference and click "OK".
Retrieving a signed certificate
Your certificate will then appear in the certificate list with a status of "Requested". In time the certificate should changed to become "Issued".
You will receive an email with a link to log in and download your new certificate as soon as it is ready. You can follow the directions there to fetch the certificate in multiple formats. You can also get the certificate from the Certificate Manager by checking only that certificate (leftmost column), selecting "View" from the row of buttons just above the column headers, and selecting the "Chain of Trust" tab in the certificate properties panel. Select the downward arrow to download any of the certificates from the root, through the intermediate certificates, to your end entity certificate, or select the two boxes icon to copy the desired certificate to your clipboard.
InCommon maintains a complete set of documentation on all the features available in the web interface as well as best practices on their website at https://www.incommon.org/certificates/repository/.
If you have a question that is not answered by the documentation, e-mail email@example.com for assistance.