CertiNext Provisioning Guide

Body

Login url: Login | InCommon - CERTInext

Select SSO and click Sign in with your institution

Then click on Access through your institution 

Search for Northwestern University and select it from the list. The application will remember your institution for future sign-ins

You will then be redirected to the Northwestern WebSSO login page to sign in with your NetID credentials.

Uploaded Image

Uploaded Image (Thumbnail)

 

Certificate types

Just like sectigo, certinext has a lot of cert types. Actually it has many more than sectigo. The two types you’ll probably need are:

InCommon DV SSL Certificate

InCommon DV SSL Certificate UCC

InCommon DV SSL Certificate Wildcard UCC

Note the UCC at the end. The version without UCC are for a single domain only no sans.  

The InCommon DV SSL Certificate UCC option can be used for most standard SAN certificate requests. If you need a wildcard certificate, select the option that includes "Wildcard" in its name. While wildcard certificates are requested less frequently, this option is available when needed.

There are also OV certificate options that can be used, as long as they are associated with Org ID: 8229645.

 

Quick overview of the manual certificate request process.

(Accurate as of the date of this article and subject to change due to frequent platform updates).

In the top left corner of the dashboard there is a new certificate button. 

Uploaded Image (Thumbnail)

Now we fill out the menus.  

Group is the imported departments from sectigo. Most should look familiar. This will let us associate the cert to the requestor’s department. The Northwestern University is the top level group everything roles up to. 

CA Source will be emSign (that’s the certinext CA backend)

Product is the SSL cert type. Typically InCommon DV SSL Certificate UCC

Uploaded Image

The next screen is the upload csr screen.

The next screen is for contact details. The cert emails go to whoever is in the Certificate Download Delegation section.

Then just fill out until you get to the submit button.

The certs should show up under certificates – orders.

Once issued you should be able to do any management with the actions button on the right of the cert.  

 

ACME 

Currently all api/acme credentials must be associated to a user account in certinext, group, and a single product (certificate type). They also can’t be edited after creation currently. Both have feature request for changes submitted with certinext. No eta yet.

As a workaround, consider creating a service account or distribution list (DL) that cannot be used to log in but can be assigned to these credentials.

Creating ACME credential

Intergrations -> apis

Click on the create api credentials button in the top right.

Choose type: ACME

CA Connector: emSign

Identifier: Enter a descriptive name to help identify the credential..

User: Select the appropriate user account (see the recommendation above).

Groups: Select your current group name.

Product: Choose the appropriate cert type. InCommon DV SSL Certificate UCC will allow for single domain and san certs in one profile.  

Then click generate button.

You’ll be taken back to the list and you should see the new credential and there will be a view hyperlink to show you the details you’ll need for the acme agent logins.

Uploaded Image

One more thing to note: The InCommon login option is what integrates with our SSO and MFA enforcement. If your session times out, you may be redirected back to the general login page, which will not work for our environment. 

At the bottom of the page, there is a link for InCommon members that will redirect users to the appropriate login page. This link is highlighted in the screenshot below.  

Uploaded Image

Details

Details

Article ID: 2937
Created
Fri 7/17/26 8:45 AM
Modified
Fri 7/17/26 11:25 AM