SSL certificates provide two features for online services:
The Technology Services request portal gives you a way to request SSL certificates to be generated for you by us. Maximum turnaround time is 72 hours (3 business days). Support contact is: firstname.lastname@example.org
This refers to your ability as an IT Pro or campus solution steward to leverage such services as Let's Encrypt, AWS Certificate Services, cPanel, or others.
IT Pros and solution stewards may use the Campus Monitoring Service to monitor their SSL certificates. See the guidance from the service to get started (internal KB only).
A: Yes, as long as they share the same web server OS version and private key. However, we do not recommend doing this unless it is absolutely necessary (for example, an HA cluster).
A: No, this can only be done at the time of creation. The certificate will need to be re-generated to reflect the SAN FQDN changes desired.
Wildcard SSL certificates (example: *.application.unit.illinois.edu) may be requested, but they are normally issued only in cases where there is a validated and appropriate technical need, and where the security risks have been addressed. To obtain a wildcard certificate, please send email to email@example.com and cc firstname.lastname@example.org with a brief justification of why a wildcard certificate is needed.
Less effort or cost to maintain one cert: It is true that using one SSL certificate across one's entire infrastructure might be less effort to maintain. However, doing so dilutes the first value of a certificate, host validation and authenticity, multiplied by the number of separate solutions or services sharing the certificate. It simultaneously creates a situation where, if any one piece of infrastructure suffers a security incident (such as compromise of the shared private key), the entirety of that infrastructure is impacted. This risk is generally not acceptable, and therefore requests such as this are refused. This decision can only be overridden if all risk stakeholders (unit executives, legal, and/or data stewards, as determined per context) perform risk acceptance.
Code Signing certificates may be issued in cases where there is a technical need and security concerns have been addressed. Unfortunately, code-signing certificates cannot be issued per unit. This means that all code signed with a UIUC Code Signing Certificate is signed as "University of Illinois at Urbana-Champaign". The risk is that mishandling by one unit could cause external entities to declare that all code signed by the university should not be trusted. Because of this risk, the requesting entity should be ready to provide managed, controlled infrastructure to host the Code Signing certificate.
To obtain a Code Signing certificate, please send email to email@example.com with a brief justification of why a Code Signing certificate is needed.
Certificate requests must have a key size of 2048 bits or higher. The self-service web interface will not accept CSRs with key sizes smaller than 2048 bits.
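Added example (not part of this KB page): a small POSIX shell script that generates a CSR carrying the SAN FQDNs required at creation time (see the SAN answer above) and checks the key size against the 2048-bit minimum before the CSR is submitted. It assumes `openssl` 1.1.1 or later is installed; the hostnames used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the certificate service's own tooling.
# Assumes openssl (1.1.1+ for -addext) is on PATH.

# csr_key_bits CSR_FILE -> prints the RSA key size in bits
csr_key_bits() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sans CSR_FILE -> prints the requested DNS SANs, one per line
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# check_csr CSR_FILE -> exit 0 if the key is >= 2048 bits, 1 otherwise
# (the same rule the self-service interface enforces)
check_csr() {
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# make_csr KEY_FILE CSR_FILE BITS CN SAN1 [SAN2 ...]
# Generates a fresh RSA key and a CSR whose SAN list holds every hostname.
# SANs cannot be changed later without a new CSR, so list them all now.
make_csr() {
  key=$1; csr=$2; bits=$3; cn=$4; shift 4
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  openssl req -new -newkey "rsa:$bits" -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
}

# Usage (constructed placeholder hostnames):
# make_csr app.key app.csr 2048 app.example.org app.example.org www.example.org
# check_csr app.csr && echo "CSR OK: $(csr_key_bits app.csr) bits" || echo "key too small"
# csr_sans app.csr
```

Run `check_csr` on the CSR before uploading it; a 1024-bit CSR fails the check just as the portal would reject it.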
Our vendor and SSL Certificate Authority, Sectigo, will no longer offer two-year public certificates. This is in reaction to a de facto requirement recently set by Apple and Google, stating that any two-year TLS certificate issued after August 30, 2020 will be treated as "untrusted" in Chrome and Safari browsers.
Beginning August 19, 2020, the SSL Certificate Service will only process and issue one-year TLS certificates.
Please ensure that the email addresses given as contacts are correct and that they will accept incoming email from Sectigo (Comodo). It is highly recommended that role or service accounts, not personal accounts, are used as business contacts.
A: Some SSL clients require CA root or intermediate certificates to be obtained and installed. You can download such certificates from:
A: Although we typically issue certs in X.509 (PEM) format, the InCommon interface gives us the ability to manually pull down other formats, such as PKCS #7. Email firstname.lastname@example.org to request this.
A: From the account of the authoritative contact on the existing certificate, send email to email@example.com with the FQDN and expiration date of the certificate you want to revoke. The Certificate Manager will call back, validate the action, and coordinate the revocation.
NOTE: The Certificate Manager cannot revoke SSL certificates that were not issued via the Sectigo/InCommon console.
A: The term "SSL" in this article is used broadly to refer to best-practice public-key cryptography for transport security. SSL itself is deprecated, and the latest version of TLS should be used whenever possible.
A: Select a certificate signing service depending on which hostnames are in your request.
If you have other questions that are not covered here, please email firstname.lastname@example.org.