SSL Certificates, Certificate Service FAQ

Certificate Service FAQ's

SAN Certificates

Q. What is a SAN certificate?

A. SAN stands for "Subject Alternate Name". SAN certificates allow for up to 20 fully qualified alternate domain names (FQDN’s) to be secured using a single certificate. SAN certificates can be requested via the InCommon Self-Service Web Portal

Q. How do I generate a CSR for my SAN certificate? 

A. If you use Windows Server, see How to Request a Certificate With a Custom Subject Alternative Name (external link) on Microsoft TechNet. Click here (external link) for more information about generating SAN CSR's in Unix/Linux.

Q. I want to add SAN’s to a certificate but my webserver software does not support adding them to the CSR. Can I still get them added?

A. Yes. Choose “InCommon Multi-domain SSL (SHA-2)” as your certificate type in the InCommon Self-Service Web Portal and add the SAN’s in the field provided. The SAN’s will be added by the CA when the certificate request is processed. 

Q. Can a SAN certificate be used on multiple devices?

A. Yes, as long as they share the same web server OS version and private key. However, Security (external link) does not recommend doing this unless it is absolutely necessary (for example, an HA cluster).

Q. Can we add/remove FQDNs to an existing SAN certificate or can this only be done at the time of creation?

A. You can do this at any time by perfoming a certificate replacement or new certificate request via the InCommon Self-Service Web Portal.


Wildcard Certificates

Q. I notice there is no spot on the web request form to choose Wildcard certificates. How do I obtain one? 

A. Security permits Wildcard SSL certificates (example: * to be issued only in certain cases where there is a technical need and security concerns have been addressed. To obtain Wildcard certificates, please send email to with a brief justification of why a Wildcard certificate is needed.

Q.  Security has already approved me for a Wildcard certificate. How many levels of subdomains will this cover? Will it cover the base domain as well? 

A. Wildcard certificates will only work for 1 level of subdomain, and the wildcard character (*) can only be on the left-most position.  Example: * will only work for 1 level of subdomains of Wildcard certificates obtained through the InCommon program do not cover the same level, so if you need a certificate which covers AND * , please request a Unified Communication Certificate and list as the primary domain with * and in the domains list. 


General Questions

Q: Why am I getting browser errors after installing my new certificate such as "This certificate cannot be verified up to a trusted certification authority", "The certificate is not trusted because the issuer certificate is unknown" or "This Connection is Untrusted” and/or server-side errors such as "Windows does not have enough information to verify this certificate", "keytool error:java.lan.Execption: Failed to establish chain from reply" and/or "The issuer of this certificate could not be found"? 

A: The correct intermediate certificate chain must be installed per the information at SSL Certificates, Certificate Service

Q: How do I install this as a PKCS cert?

A: Although we typically issue certs in x.509 format, the InCommon interface gives us the ability to manually pull down other versions, such as PKCS #7. Email to request this.

Q. There is no option on the web form to revoke a certificate. How do I request this?

A. Send email to with the FQDN and expiration date of the certificate you want to revoke.

Q. I no longer need a certificate and I would like to disable the automated reminders from the old (non self-service) Jira system. How do I do this?

A. Forward the reminder email to and request that notifications be disabled.


If you have other questions that are not covered here, please email to

Keywords:Certificate faq SAN csr web server error message wildcard security sectigo comodo incommon   Doc ID:54086
Owner:Cert M.Group:University of Illinois Technology Services
Created:2015-07-19 02:32 CDTUpdated:2019-04-01 13:50 CDT
Sites:University of Illinois Technology Services
Feedback:  0   0