Skip to main content

Applying for SSL Certificates

Introduction

This page provides instructions for campus IT employees who need to apply for Secure Socket Layer (SSL) certificates.

NOTE:  While most SSL certificate applicants need SSL certificates for web servers, as documented throughout this page, these instructions apply to other IT resources as well, for example, stogage appliances and network appliances.

Help

This page is authored by the NC State University Security and Compliance (S&C) Cybersecurity Operations (CyberSecOps) team, and you can reach us with questions or concerns as noted throughout this page.

SSL Certificate Types

For details about certificate types:

This standard, single-host SSL certificate fits most use cases.

Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.

This certificate supports multiple Common Names. For example: ncsu.edu and www.ncsu.edu, or all the SSL virtual hosts served off of one machine.

Limit: No more than 100 names per certificate

Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.

This wildcard certificate allows you to begin its name with an asterisk (*) so that it can be used with multiple hosts.

NOTE: While this can make some things easier, use caution due to security concerns:

  • Because multiple servers share one private key, if one of them becomes compromised, they all become compromised.
  • S&C requires that all machines within the shared domain be well-protected at the same (highest) security level.
  • S&C must approve this type of certificate

Procedure

To apply for an SSL certificate:

Step 1: Generate a CSR (Certificate Signing Request)

  1. Go to the Comodo Knowledgebase website.
  2. Search for your web server type (for example, Windows, Apple or Linux).
  3. Follow the appropriate link for instructions to generate the Certificate Signing Request (CSR).

Step 2: Submit Your CSR

  1. After completing the previous section, request an InCommon access code for your department by sending an email to the S&C CyberSecOps team at certificates@ncsu.edu.
  2. When you receive the email with the InCommon access code, go to the InCommon Certificate Manager SSL Enrollment website.
  3. Enter the InCommon access code into the Access Code field.
  4. In the Email field, enter the email address to be associated with this certificate.
    • CAUTION:  For business continuity, we strongly recommend a departmental or support email alias, not a personal email address; renewal notifications will be sent to the address you enter here.
  5. Click Check Access Code.
    • The SSL Enrollment form opens.

Step 3: Complete the SSL Enrollment Form

  1. After completing the procedures from the preceding sections, complete the SSL Enrollment Form by updating the following fields:
    • Certificate Profile: Select an item from the drop-down menu.
      • NOTE: The most frequently used profile is the InCommon SSL Single General Profile.
        If you are not sure which profile to select, send an email to the S&C CyberSecOps team at certificates@ncsu.edu.
    • Certificate Term:  You cannot change this field; the maximum certificate term is 1 year.
    • CSR: Copy and paste your CSR into this text field (or click Upload CSR).
    • Common Name:  If this field did not auto-populate, click Get Common Name from CSR.
    • Renew: If you want to renew your certificate automatically, click the Auto-renew check box and specify the number of days before expiration that you want the auto-renew to occur.
    • Subject Alternative Names:  If you have alternate names for your web server, enter them here, comma-separated. For example, if you want the SSL certificate to be valid for multiple domain names, enter them here.
    • If you selected Auto-renew, you must set and confirm Annual Renewal Passphrase.  
      • CAUTION: If you lose the passphrase, you will not be able to revoke or renew your certificate.
    • External Requester: If an external party is requesting the certificate, you can enter one or more email addresses here, comma-separated.
    • Comments: Leave this field blank.
  2. Click Enroll.

Step 4: Install Your Certificate

When you receive your signed certificate, go to the Comodo Knowledgebase website to find instructions for installing it on your server. (Installation instructions tend to be located at the bottom of the server-type documentation, listed under Related Articles.)

Step 5: Add an External Domain Name (Optional)

Prerequisite: If you need to add a domain name external to NC State, it must be allowable, for example, a research center whose domain name ends in .org, such as http://www.ncseagrant.org.

Procedure: If you want to add a domain name, email the Help Desk to ask the S&C CyberSecOps team to add a new domain to your InCommon certificate license.

NOTES:

  • A certificate for an external domain will require approval from the person on record as the owner of the domain.
  • If this is your first request for a certificate for a non-NC State domain, InCommon may need 1 or 2 weeks to sign the certificate.