Applying for SSL Certificates
Introduction
This page provides instructions for campus IT staff applying for Secure Socket Layer (SSL) certificates.
NOTE: While most SSL certificate applicants need SSL certificates for web servers, as documented throughout this page, these instructions apply to other IT resources as well, for example, storage and network appliances.
Help
The university’s Security and Compliance (S&C) Cybersecurity Operations (CyberSecOps) team owns this content, and you can reach us with questions or concerns as noted throughout this page.
SSL Certificate Types
For details about certificate types:
InCommon SSL Single General Profile
This standard, single-host SSL certificate fits most use cases.
Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.
InCommon SSL Multi Domain General Profile
This certificate supports multiple Common Names. For example: ncsu.edu and www.ncsu.edu, or all the SSL virtual hosts served off of one machine.
Limit: No more than 100 names per certificate
Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.
InCommon SSL Wildcard Certificate
This wildcard certificate allows you to begin its name with an asterisk (*) so that it can be used with multiple hosts.
NOTE: While this can make some things easier, use caution due to security concerns:
- Because multiple servers share one private key, if one of them becomes compromised, they all become compromised.
- S&C requires that all machines within the shared domain be well-protected at the same (highest) security level.
- S&C must approve this type of certificate.
Procedure
To apply for an SSL certificate:
- Step 1: Generate a CSR
- Step 2: Submit Your CSR
- Step 3: Complete the SSL Enrollment Form
- Step 4: Install Your Certificate
- Step 5: Add an External Domain Name (Optional)
Step 1: Generate a CSR (Certificate Signing Request)
- Generate a CSR based on the web server type (for example, Windows, Apple or Linux).
- For assistance, visit the Sectigo What is a CSR website.
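One way to carry out Step 1 on a Linux host with OpenSSL 1.1.1 or later, added here as an example and not part of NC State's or InCommon's tooling. The function names, the output file base name and the example.edu host names are assumptions; the profile names, the 100-name limit and the comma-separated SAN format come from this page.

```shell
# Added example. Host names below are constructed placeholders.

# Pick the certificate profile this page describes for a list of names.
pick_profile() {
    if [ "$#" -gt 100 ]; then
        echo "more than 100 names: split across certificates" >&2
        return 1
    fi
    for n in "$@"; do
        case "$n" in
            \*.*) echo "InCommon SSL Wildcard Certificate"; return 0 ;;
        esac
    done
    if [ "$#" -eq 1 ]; then
        echo "InCommon SSL Single General Profile"
    else
        echo "InCommon SSL Multi Domain General Profile"
    fi
}

# Subject Alternative Names as the enrollment form wants them:
# comma-separated, without spaces.
form_sans() ( IFS=,; echo "$*" )

# The same names as an OpenSSL subjectAltName value: DNS:a,DNS:b
openssl_sans() {
    out=""
    for n in "$@"; do out="${out:+$out,}DNS:$n"; done
    echo "$out"
}

# make_csr BASE COMMON_NAME [ALT_NAME...]
# Writes BASE.key (owner-readable only) and BASE.csr, then self-checks the CSR.
# Runs in a subshell so the umask change does not leak into the caller.
make_csr() (
    base="$1"; shift
    umask 077                      # the private key never leaves this host
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" \
        -subj "/CN=$1" \
        -addext "subjectAltName=$(openssl_sans "$@")"
    openssl req -in "$base.csr" -noout -verify -subject
)
```

For example, `make_csr www www.example.edu example.edu` writes `www.key` and `www.csr`; only `www.csr` is pasted into the enrollment form's CSR field, and `www.key` stays on the server.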
Step 2: Submit Your CSR
- After completing the previous section, request an InCommon access code for your department by sending an email to the S&C CyberSecOps team at certificates@ncsu.edu.
- When you receive the email with the InCommon access code, go to the InCommon Certificate Manager SSL Enrollment website.
- Log in with your NC State email address.
- Enter the InCommon access code into the Access Code field.
- In the Email field, enter the email address to be associated with this certificate.
- CAUTION: For business continuity, we strongly recommend a departmental or support email alias, not a personal email address; renewal notifications will be sent to the address you enter here.
- Click Check Access Code.
- The SSL Enrollment form opens.
Step 3: Complete the SSL Enrollment Form
- After completing the procedures from the preceding sections, complete the SSL Enrollment Form by updating the following fields:
- Certificate Profile: Select an item from the drop-down menu.
- NOTE: The most frequently used profile is the InCommon SSL Single General Profile. If unsure which profile to select, email the S&C CyberSecOps team at certificates@ncsu.edu.
- Certificate Term: You cannot change this field; the maximum certificate term is 1 year.
- CSR: Copy and paste your CSR into this text field (or click Upload CSR).
- Common Name: If this field did not auto-populate, click Get Common Name from CSR.
- Renew: If you want to renew your certificate automatically, click the Auto-renew check box and specify the number of days before expiration that you want the auto-renew to occur.
- Subject Alternative Names: If you have alternate names for your web server, enter them here, comma-separated and without spaces. For example: mail.ncsu.edu,www.ncstate.edu
- If you selected Auto-renew, you must set and confirm Annual Renewal Passphrase.
- CAUTION: If you lose the passphrase, you will not be able to revoke or renew your certificate.
- External Requester: If an external party is requesting the certificate, you can enter one or more email addresses here, comma-separated and without spaces.
- Comments: Leave this field blank.
- Click Enroll.
- NOTE: For CyberSecOps-managed certificates, the approval process is usually completed within 2 business days.
- For a more urgent request, send a request to the Help Desk.
- For domains external to NC State domains, see Step 5: Add an External Domain Name (Optional).
Step 4: Install Your Certificate
When you receive your signed certificate, install it on your server.
Step 5: Add an External Domain Name (Optional)
Prerequisite: If you need to add a domain name external to NC State, it must be allowable, for example, a research center whose domain name ends in .org, such as http://www.ncseagrant.org.
Procedure: If you want to add a domain name, email the Help Desk to ask the S&C CyberSecOps team to add a new domain to your InCommon certificate license.
NOTES:
- A certificate for an external domain will require approval from the person on record as the owner of the domain.
- If this is your first request for a certificate for a non-NC State domain, InCommon may need 1 or 2 weeks to sign the certificate.