Quick Reference Guide

General Questions

  • How many different certificate types are supported?
  • Who is the Departmental Registration Authority Officer (DRAO) for my school or administrative unit?
  • I don't have a DRAO assigned to my school or administrative unit.  Who do I contact?
  • My server(s) are located in the University Data Centers.  Who do I contact to manage my certificate requests?
  • Where can I find common troubleshooting support?
  • Where can I submit my Certificate Signing Request (CSR)?
  • Why am I getting the error message "Unable to read the CSR.  Please try again or contact support" when I try to submit my Certificate Signing Request (CSR)  to the InCommon Certificate Service?
  • What kind of turnaround time can I expect?
  • Where can I re-download my certificate?
  • Where can I request a revocation of my certificate?
  • Will I receive certificate expiration notices?
  • What are Wildcard certificates?
  • Are there any restrictions on the use of Wildcard certificates?
  • What is an "Intermediate" Certificate?
  • Which domains are eligible for certificates?
  • Can I get a certificate for a host in a non-northwestern.edu domain?
  • Do I have to use this service to request SSL Certificates?
  • Can I get a developer (code-signing) certificate to sign my nifty-keen Java applets or ActiveX controls?
  • Where can I find additional support?

Departmental Registration Authority Officer (DRAO) Questions

  • Where can I find support for the InCommon Certificate Service Manager Web interface?
  • Will I receive certificate expiration notices?
  • Will I receive certificate approval request notices?
  • Where can I find additional support?

General Questions

How many different certificate types are supported?

The InCommon SSL Certificate Service makes the following products available:

  • Standard SSL/TLS Server certificates
  • Multi-Domain Certificates supporting up to 100 Subject Alternative Names (SAN)
  • Wildcard certificates (restrictions apply)
  • Code Signing certificates
  • Client certificates (email)

Who is the Departmental Registration Authority Officer (DRAO) for my school or administrative unit?

Refer to the list of DRAOs to find contact information for the person(s) responsible for administering SSL Certificate requests for your area. Each University school or administrative unit is allowed a maximum of two DRAOs.
TDNext permission is required to access the internal IT KB article: Departmental Registration Authority Officers (DRAOs)

I don't have a Departmental Registration Authority Officer (DRAO) assigned to my school or administrative unit.  Who do I contact?

If a DRAO is not listed for your school or administrative unit, contact the Northwestern IT Support Center with your request. Northwestern IT will attempt to work with the Technology Leader for your area to identify a DRAO designate.  If you do not have a DRAO and your server(s) is located in the University Data Center, please go to the next question.

My server(s) is located in the University Data Centers.  Who do I contact to manage my certificate requests?

Northwestern IT handles all SSL Certificate requests for a server(s) housed in the University Data Center.  Submit a support request to the Northwestern IT Support Center for processing.

Where can I find common troubleshooting support?

Technical support and troubleshooting are provided by the vendor, Comodo, via Web support, e-mail, and telephone.
Choose from one of the following support options:

  1. Web Support
  2. E-mail support (available 24x7)
    • support@comodo.com
    • A support ticket is created automatically from the e-mail if you are a registered user.
    • An auto responder replies to the request with the corresponding ticket number or, if you are not a registered user, a request to register.
  3. Telephone support (available Monday through Friday, 4 AM to 8 PM Eastern)
    • (703) 637-9361
    • Select Option 1 - Enterprise Solutions Support, then select Option 2 - Certificate Manager or Digital Certificate Support

Where can I submit my Certificate Signing Request (CSR)?

Contact your appropriate Departmental Registration Authority Officer (DRAO) for CSR processing details. Depending on your department, server owners may be able to self-enroll for certificates.  View the InCommon SSL Certificate request workflow (jpg).

Why am I getting the error message "Unable to read the CSR.  Please try again or contact support" when I try to submit my Certificate Signing Request (CSR)  to the InCommon Certificate Service?

You must use at least a 2048-bit key when generating your CSR. If you comply with this requirement, then something else may have occurred during the CSR creation to cause the error.  Please see the Comodo Knowledge Base for assistance.

What kind of turnaround time can I expect?

While most requests can be met within 24 hours, the vendor guarantees a 48-72 hour turnaround time on all requests. Therefore, please plan accordingly. Certificates are not issued outside of normal business hours.

Where can I re-download my certificate?

Go to https://cert-manager.com/customer/InCommon/ssl?action=download

You will be prompted for:

  • Your Certificate ID (which was in the e-mail received when your certificate was issued)
  • SSL certificate format desired (Binary, Base64)

Where can I request a revocation of my certificate?

To request a revocation of your certificate, contact the Departmental Registration Authority Officer (DRAO) for your school or administrative department. Refer to the list of DRAOs to find the representative for your area.

Will I receive certificate expiration notices?

Yes. You will receive an auto-generated e-mail from the InCommon Certificate Services Manager 60 days prior to the certificate expiration date. If no action is taken, additional e-mails will be sent 30 days and 10 days prior to the expiration date and daily for five days prior to the certificate expiration date.

What are Wildcard certificates?  

A Wildcard SSL Certificate secures your Web site URL and an unlimited number of its sub-domains. The Wildcard SSL Certificate works the same way as a regular SSL certificate and undergoes the same validation processes.

The difference is that the Wildcard SSL Certificate extends to all of the sub-domains of your domain that you want to secure.

Are there any restrictions on the use of Wildcard certificates?

Yes. Wildcard certificates, when compromised by attackers, have the potential to be far more damaging to Northwestern than standard SSL certificates, since they could be used to spoof any host in the domain of the Wildcard. Placing copies of the Wildcard certificates and their accompanying keypairs on multiple machines also increases the attack surface of the certificates.

Therefore, the following restrictions apply:

  • All Wildcard certificates must be requested through the Northwestern IT Support Center and are vetted by the Northwestern IT Information Security Office.
  • Wildcard certificates must be limited to a period of one year.
  • Renewal Certificate Signing Requests must be created with new keypairs.
  • Northwestern IT-ISS/C will validate all Wildcard certificate requests by collecting answers to the following questions:
    • What host-level measures exist on the servers containing the private key for the Wildcard certificate?
    • What network-level measures protect these servers?
    • Where else will the private key be stored?
    • What people will have access to the private key?
    • What is your response procedure in case the private key is compromised?
    • How many servers do you plan on putting the Wildcard certificate on?
    • Where are these servers physically located?
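
Two rules on this page can be checked locally before a request is submitted: the 2048-bit minimum key size for CSRs, and the requirement that Wildcard renewal CSRs use new keypairs. The script below is an added example, not part of the original FAQ or of InCommon's tooling; it assumes RSA keys and the openssl command-line tool, and its function names, file names and return codes are choices made for this example.

```shell
#!/bin/sh
# Added example: checks to run on a CSR before submitting it (needs the openssl CLI).
# Assumes RSA keys; function names, file names and return codes are this example's own.

MIN_BITS=2048

# Print the public-key size, in bits, of a PEM-encoded CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr CSR [CURRENT_CERT]
#   returns 0 = ok, 1 = unreadable input, 2 = key smaller than MIN_BITS,
#   3 = CSR carries the same public key as CURRENT_CERT (key pair was reused)
check_csr() {
    csr=$1
    current_cert=${2:-}
    openssl req -in "$csr" -noout >/dev/null 2>&1 || return 1
    bits=$(csr_key_bits "$csr")
    [ -n "$bits" ] || return 1
    [ "$bits" -ge "$MIN_BITS" ] || return 2
    if [ -n "$current_cert" ]; then
        new_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
        old_pub=$(openssl x509 -in "$current_cert" -noout -pubkey 2>/dev/null) || return 1
        [ "$new_pub" != "$old_pub" ] || return 3
    fi
    return 0
}

# Write constructed sample files (throwaway keys, example.edu names) into directory $1.
make_samples() {
    d=$1
    subj="/O=Example University/CN=*.dept.example.edu"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "$subj" \
        -keyout "$d/current.key" -out "$d/current.crt" 2>/dev/null || return 1
    # Renewal request that wrongly reuses the current key pair.
    openssl req -new -key "$d/current.key" -subj "$subj" \
        -out "$d/renew-reused.csr" 2>/dev/null || return 1
    # Renewal request with a freshly generated key pair.
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/renew-new.key" -out "$d/renew-new.csr" 2>/dev/null || return 1
    # Request with an undersized 1024-bit key.
    openssl req -new -newkey rsa:1024 -nodes -subj "$subj" \
        -keyout "$d/weak.key" -out "$d/weak.csr" 2>/dev/null
}
```

For a real renewal, call `check_csr new-request.csr current-certificate.pem`; a return code of 3 means the request was built from the existing private key and should be regenerated.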

What is an "Intermediate" Certificate?

An intermediate certificate is a certificate that sits between your site (server) certificate and a root certificate. The intermediate certificate(s) complete the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
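
The effect of skipping that step can be reproduced with a constructed three-level chain. This is an added example, not part of the original FAQ; the certificate names, file names and function names are made up for the illustration, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: a client that trusts only the root cannot validate a server
# certificate unless the intermediate is supplied. All keys and names are constructed.

# Create root -> intermediate -> server certificates in directory $1.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root CA certificate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    # Intermediate CA certificate, signed by the root.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" \
        2>/dev/null || return 1
    # Server certificate, signed by the intermediate rather than by the root.
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

# Client trusts the root and is given only the server certificate.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same client, but the intermediate is supplied alongside the server certificate.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# The additional installation step: bundle server certificate, then intermediate.
build_fullchain() {
    cat "$1/server.crt" "$1/inter.crt" > "$1/fullchain.pem"
}
```

`verify_without_intermediate` fails and `verify_with_intermediate` succeeds on the same files, which is the difference a browser sees between a server that sends only its own certificate and one that sends the full chain.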

Which domains are eligible for certificates?

All hostnames within the northwestern.edu domain are eligible for certificates through the InCommon agreement.

Can I get a certificate for a host in a non-northwestern.edu domain?

To ensure the University's compliance with the InCommon agreement, requests for certificates outside of northwestern.edu domains are subject to extra vetting and approval, by both the University and possibly InCommon.

To begin, contact your Departmental Registration Authority Officer requesting the domain to be added.  Northwestern IT will work with your DRAO to validate your domain with InCommon. After the domain is validated, you can then request a certificate for a host in that domain through the normal channel.

Do I have to use this service to request SSL Certificates?

No. Although University schools and administrative units are encouraged to take advantage of the unlimited SSL Certificate service sponsored by Northwestern IT, these groups may use other Certificate Authorities (CA) for issuing SSL Certificate(s), if desired. 

You can find the Northwestern IT-recommended CAs listed in Appendix B of the Server Certificate Policy.

Can I get a developer (code-signing) certificate to sign my nifty-keen Java applets or ActiveX controls?

Yes. Send email to the Northwestern IT Support Center at consultant@northwestern.edu with your department name as you would like it to appear in the OU field of the certificate, and an email address where an invitation to enroll will be sent. This email address will be included as a subjectAltName in the certificate, so it should probably reflect a departmental rather than a personal account.

Northwestern IT will request the invitation, which will be sent to the email address you provided. The invitation will include a link to a page that will generate a private key and send a certificate request to InCommon. When the certificate is ready, you will receive another email with a link to pick it up. Be sure to use the same browser to pick up the certificate as you did to request it. Once you have picked up the cert, you can export the cert and private key if you want to use it on another computer.

All certs will have an Organization field of "Northwestern University," which is what most browsers will prompt with when asking users if they want to run your applet or control.

NOTE: Do NOT use the Chrome browser to request a code-signing cert. You will not be able to install the issued certificate. Use Firefox or IE instead. If using IE11, you may need to set cert-manager.com to use Compatibility View.

Where can I find additional support?

If you are experiencing difficulty accessing the InCommon Certificate Service, contact the Northwestern IT Support Center at 847-491-HELP (4357) or https://services.northwestern.edu/TDClient/30/Portal/Home/ for more support options.

Departmental Registration Authority Officer (DRAO) Questions

Where can I find support for the InCommon Certificate Service Manager Web interface?

Support options are available for administrative users (DRAOs) for the InCommon Certificate Service Manager (CSM) Web interface.

Choose from one of the following support options:

  1. Online Demos
  2. Consult the Administrator Guide before submitting a support ticket.
  3. E-mail support (available Monday through Friday, 4 AM to 8 PM Eastern)
  4. Telephone support (available Monday through Friday 4 AM to 8 PM Eastern)
    • Caller must be listed as a DRAO for InCommon.
    • (888) 256-2608
    • Select Option 1 - Enterprise Solutions Support, then select Option 2 - Certificate Manager or Digital Certificate Support

Any issues not covered by these support options should be directed to the inc-cert@incommon.org e-mail list. To join this list, send an e-mail to sympa@incommon.org with the following in the subject line: sub inc-cert FirstName LastName.

Will I receive certificate expiration notices?

Yes. As a courtesy, you will receive an auto-generated e-mail from the InCommon Certificate Services Manager 60 days prior to a certificate's expiration date. If no renewal action is taken by the certificate owner, you will receive another e-mail 10 days prior to the expiration date.

Will I receive certificate approval request notices?

Yes. As a DRAO, if you allow self-enrollment for your area, Approval Request notices will be sent via e-mail to all listed DRAOs for your department or administrative unit.

Where can I find additional support?

If you are experiencing difficulty accessing the InCommon Certificate Service, contact the Northwestern IT Support Center at 847-491-HELP (4357) or Submit a Support Request.

 

 

 


Details

Article ID: 1899
Created: Wed 7/20/22 10:00 AM
Modified: Tue 2/13/24 12:43 PM

Related Services / Offerings (1)

Northwestern IT participates in the InCommon Certificate Program, which entitles Northwestern to issue unlimited SSL (Secure Sockets Layer) Certificates for 1 year to secure Web Servers on the northwestern.edu domain.