Applying for SSL Certificates
Introduction
This page provides instructions for campus IT employees who need to apply for Secure Socket Layer (SSL) certificates.
NOTE: While most SSL certificate applicants need SSL certificates for web servers, as documented throughout this page, these instructions apply to other IT resources as well, for example, storage appliances and network appliances.
Help
This page is authored by the NC State University Security and Compliance (S&C) Cybersecurity Operations (CyberSecOps) team, and you can reach us with questions or concerns as noted throughout this page.
SSL Certificate Types
For details about certificate types:
InCommon SSL Single General Profile
This standard, single-host SSL certificate fits most use cases.
Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.
InCommon SSL Multi Domain General Profile
This certificate supports multiple Common Names. For example: ncsu.edu and www.ncsu.edu, or all the SSL virtual hosts served off of one machine.
Limit: No more than 100 names per certificate
Certificate approvals: Distributed approval personnel or S&C CyberSecOps can approve these certificates.
InCommon SSL Wildcard Certificate
This wildcard certificate allows you to begin its name with an asterisk (*) so that it can be used with multiple hosts.
NOTE: While this can make some things easier, use caution due to security concerns:
- Because multiple servers share one private key, if one of them becomes compromised, they all become compromised.
- S&C requires that all machines within the shared domain be well-protected at the same (highest) security level.
- S&C must approve this type of certificate.
Procedure
To apply for an SSL certificate:
- Step 1: Generate a CSR
- Step 2: Submit Your CSR
- Step 3: Complete the SSL Enrollment Form
- Step 4: Install Your Certificate
- Step 5: Add an External Domain Name (Optional)
Step 1: Generate a CSR (Certificate Signing Request)
- Go to the Comodo Knowledgebase website.
- Search for your web server type (for example, Windows, Apple or Linux).
- Follow the appropriate link for instructions to generate the Certificate Signing Request (CSR).
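An added example, not part of the original page or of the Comodo instructions: one way to generate the private key and CSR with OpenSSL on a Linux server, then check the CSR's names and key before submitting it. The hostnames, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostnames are constructed placeholders; file names are assumptions.

# make_csr CN OUTDIR [SAN...]  -> writes OUTDIR/server.key and OUTDIR/server.csr
make_csr() (
    cn=$1; outdir=$2; shift 2
    # The Multi Domain profile allows no more than 100 names per certificate.
    if [ $(( $# + 1 )) -gt 100 ]; then
        echo "too many names: $(( $# + 1 )) (limit 100)" >&2; exit 1
    fi
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    umask 077                       # private key readable by its owner only
    mkdir -p "$outdir" || exit 1
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$outdir/req.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
)

# csr_names CSR  -> prints the SAN DNS names in the CSR, one per line
csr_names() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# key_matches_csr KEY CSR  -> succeeds only if the CSR carries KEY's public key
key_matches_csr() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo: request for www.example.edu that is also valid for example.edu.
demo_dir=$(mktemp -d)
make_csr www.example.edu "$demo_dir" example.edu &&
    csr_names "$demo_dir/server.csr" &&
    key_matches_csr "$demo_dir/server.key" "$demo_dir/server.csr" &&
    echo "CSR ready: $demo_dir/server.csr (keep server.key on the server)"
```

Only server.csr is submitted; the names printed by csr_names are the ones the signed certificate will be valid for, so compare them with the Common Name and Subject Alternative Names fields of the enrollment form.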
Step 2: Submit Your CSR
- After completing the previous section, request an InCommon access code for your department by sending an email to the S&C CyberSecOps team at certificates@ncsu.edu.
- When you receive the email with the InCommon access code, go to the InCommon Certificate Manager SSL Enrollment website.
- Enter the InCommon access code into the Access Code field.
- In the Email field, enter the email address to be associated with this certificate.
- CAUTION: For business continuity, we strongly recommend a departmental or support email alias, not a personal email address; renewal notifications will be sent to the address you enter here.
- Click Check Access Code.
- The SSL Enrollment form opens.
Step 3: Complete the SSL Enrollment Form
- After completing the procedures from the preceding sections, complete the SSL Enrollment Form by updating the following fields:
- Certificate Profile: Select an item from the drop-down menu.
- NOTE: The most frequently used profile is the InCommon SSL Single General Profile.
If you are not sure which profile to select, send an email to the S&C CyberSecOps team at certificates@ncsu.edu.
- Certificate Term: You cannot change this field; the maximum certificate term is 1 year.
- CSR: Copy and paste your CSR into this text field (or click Upload CSR).
- Common Name: If this field did not auto-populate, click Get Common Name from CSR.
- Renew: If you want to renew your certificate automatically, click the Auto-renew check box and specify the number of days before expiration that you want the auto-renew to occur.
- Subject Alternative Names: If you have alternate names for your web server, enter them here, comma-separated. For example, if you want the SSL certificate to be valid for multiple domain names, enter them here.
- If you selected Auto-renew, you must set and confirm Annual Renewal Passphrase.
- CAUTION: If you lose the passphrase, you will not be able to revoke or renew your certificate.
- External Requester: If an external party is requesting the certificate, you can enter one or more email addresses here, comma-separated.
- Comments: Leave this field blank.
- Click Enroll.
- NOTE: For CyberSecOps-managed certificates, the approval process is usually completed within 2 business days.
- For a more urgent request, send a request to the Help Desk.
- For domains external to NC State domains, see Step 5: Add an External Domain Name (Optional).
Step 4: Install Your Certificate
When you receive your signed certificate, go to the Comodo Knowledgebase website to find instructions for installing it on your server. (Installation instructions tend to be located at the bottom of the server-type documentation, listed under Related Articles.)
Step 5: Add an External Domain Name (Optional)
Prerequisite: If you need to add a domain name external to NC State, it must be allowable, for example, a research center whose domain name ends in .org, such as http://www.ncseagrant.org.
Procedure: If you want to add a domain name, email the Help Desk to ask the S&C CyberSecOps team to add a new domain to your InCommon certificate license.
NOTES:
- A certificate for an external domain will require approval from the person on record as the owner of the domain.
- If this is your first request for a certificate for a non-NC State domain, InCommon may need 1 or 2 weeks to sign the certificate.