SSL Certificates, Certificate Service FAQ
Certificate Service FAQs
Q. What is a SAN certificate?
A. SAN stands for "Subject Alternative Name". SAN certificates allow for up to 20 fully qualified alternate domain names (FQDNs) to be secured using a single certificate. SAN certificates can be requested via the InCommon Self-Service Web Portal.
Q. How do I generate a CSR for my SAN certificate?
A. If you use Windows Server, see How to Request a Certificate With a Custom Subject Alternative Name (external link) on Microsoft TechNet. Click here (external link) for more information about generating SAN CSRs in Unix/Linux.
Q. I want to add SANs to a certificate but my webserver software does not support adding them to the CSR. Can I still get them added?
A. Yes. Choose “InCommon Multi-domain SSL (SHA-2)” as your certificate type in the InCommon Self-Service Web Portal and add the SANs in the field provided. The SANs will be added by the CA when the certificate request is processed.
Q. Can a SAN certificate be used on multiple devices?
A. Yes, as long as they share the same web server OS version and private key. However, Security (external link) does not recommend doing this unless it is absolutely necessary (for example, an HA cluster).
Q. Can we add/remove FQDNs to an existing SAN certificate or can this only be done at the time of creation?
A. You can do this at any time by performing a certificate replacement or new certificate request via the InCommon Self-Service Web Portal.
Q. I notice there is no spot on the web request form to choose Wildcard certificates. How do I obtain one?
A. Security permits Wildcard SSL certificates (example: *.dept.illinois.edu) to be issued only in certain cases where there is a technical need and security concerns have been addressed. To obtain Wildcard certificates, please send email to email@example.com with a brief justification of why a Wildcard certificate is needed.
Q. Security has already approved me for a Wildcard certificate. How many levels of subdomains will this cover? Will it cover the base domain as well?
A. Wildcard certificates will only work for 1 level of subdomain, and the wildcard character (*) can only be in the left-most position. Example: *.dept.illinois.edu will only work for 1 level of subdomains of dept.illinois.edu. Wildcard certificates obtained through the InCommon program do not cover the base domain itself, so if you need a certificate which covers dept.illinois.edu AND *.dept.illinois.edu, please request a Unified Communication Certificate and list dept.illinois.edu as the primary domain with *.dept.illinois.edu and dept.illinois.edu in the domains list.
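The matching rules in the answer above, as an added example (not part of the original FAQ or any InCommon tooling): a Python check of which hostnames a certificate's domain list covers. The function names and the www and a.b host labels are constructed for illustration, and treating partial-label wildcards such as w*.dept.illinois.edu as non-matching is an assumption of this example.

```python
# Added example: which hostnames does a certificate's domain (SAN) list cover?
# Implements only the rules stated in the FAQ answer: the wildcard must be
# the left-most label and it stands for exactly one level of subdomain.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # The wildcard must be the whole left-most label and appear nowhere else.
    # Assumption: partial-label wildcards (w*.example) are rejected outright.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # '*' replaces exactly one non-empty label, so the label counts must be
    # equal. This rejects both the base domain and deeper subdomains.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def covered(san_list, hostname):
    """Return True if any name in the certificate covers hostname."""
    return any(san_matches(name, hostname) for name in san_list)

def coverage_report(san_list, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {host: covered(san_list, host) for host in hostnames}

if __name__ == "__main__":
    # Constructed sample hostnames under the FAQ's example domain.
    hosts = ["dept.illinois.edu", "www.dept.illinois.edu",
             "a.b.dept.illinois.edu"]
    wildcard_only = ["*.dept.illinois.edu"]
    base_plus_wildcard = ["dept.illinois.edu", "*.dept.illinois.edu"]
    for label, sans in (("wildcard only", wildcard_only),
                        ("base + wildcard", base_plus_wildcard)):
        print(label)
        for host, ok in coverage_report(sans, hosts).items():
            print(f"  {host:28} {'covered' if ok else 'NOT covered'}")
```

Running it before submitting a request shows whether the planned domain list leaves any production hostname uncovered.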
Q. Why am I getting browser errors after installing my new certificate such as "This certificate cannot be verified up to a trusted certification authority", "The certificate is not trusted because the issuer certificate is unknown" or "This Connection is Untrusted" and/or server-side errors such as "Windows does not have enough information to verify this certificate", "keytool error: java.lang.Exception: Failed to establish chain from reply" and/or "The issuer of this certificate could not be found"?
A. The correct intermediate certificate chain must be installed per the information at SSL Certificates, Certificate Service.
Q. How do I install this as a PKCS cert?
A. Although we typically issue certs in X.509 format, the InCommon interface gives us the ability to manually pull down other versions, such as PKCS #7. Email firstname.lastname@example.org to request this.
Q. There is no option on the web form to revoke a certificate. How do I request this?
A. Send email to email@example.com with the FQDN and expiration date of the certificate you want to revoke.
Q. I no longer need a certificate and I would like to disable the automated reminders from the old (non self-service) Jira system. How do I do this?
A. Forward the reminder email to firstname.lastname@example.org and request that notifications be disabled.
If you have other questions that are not covered here, please send email to email@example.com.