How to obtain a X.509 certificate from the InCommon CA via the UW Certificate Services website.
To obtain a certificate from the InCommon CA you must fulfill these prerequisites:
- For DNS names managed in UW DNS:
  - The DNS name used for your certificate "common name" is registered in UW DNS.
  - Any DNS names used for your certificate "subject alternative names" are registered in UW DNS.
  - The UW NetID of the person submitting the certificate signing request (CSR) is registered in UW DNS as a contact for the common name and any subject alternative names in the CSR.
- For DNS names managed outside of UW DNS:
  - The UW NetID of the person submitting the certificate signing request (CSR) is registered in the UW groups service as an owner for the common name and any subject alternative names in the CSR.
  - Approval is required for DNS names outside of washington.edu and uw.edu. To add support for a domain you own, you can Request a New Domain for InCommon CA Certificates.
1. Generate your certificate signing request (CSR). The procedure to generate a CSR varies from platform to platform. Consult your platform documentation if you need assistance.
A valid CSR must contain the following subject fields (this list is not itself a CSR):
- Country = US
- State = WA (State = Washington is also accepted)
- O = University of Washington
- CN = your server's fully qualified domain name (e.g. www.spud.washington.edu)
- key length >= 2048
The CSR you paste in step 5 is the PEM-encoded block delimited by these lines:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
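As an added example (not part of the UW page), the following OpenSSL commands generate a CSR with the subject fields listed above and check a CSR file against those requirements before you paste it into the form; the hostname and output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the UW page): build a CSR that meets the listed
# requirements with OpenSSL, then check it before pasting it into the form.
# Hostname and output paths are constructed placeholders.
set -e

# make_csr HOST OUTPREFIX [SUBJECT]: generate a 2048-bit RSA key and a CSR,
# writing OUTPREFIX.key and OUTPREFIX.csr. SUBJECT defaults to the subject
# the page requires; pass one only to test non-conforming requests.
make_csr() {
    host=$1; out=$2
    subject=${3:-"/C=US/ST=WA/O=University of Washington/CN=$host"}
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out.csr" -subj "$subject" 2>/dev/null
}

# check_csr FILE: verify C=US, ST=WA or Washington, O=University of
# Washington, a CN, and a key of at least 2048 bits. Prints each failed
# check and returns 0 only when every check passes.
check_csr() {
    csr=$1; ok=0
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case "$subj" in *"C=US"*) ;; *) echo "missing C=US"; ok=1 ;; esac
    case "$subj" in *"ST=WA"*|*"ST=Washington"*) ;;
        *) echo "ST must be WA or Washington"; ok=1 ;; esac
    case "$subj" in *"O=University of Washington"*) ;;
        *) echo "missing O=University of Washington"; ok=1 ;; esac
    case "$subj" in *"CN="*) ;; *) echo "missing CN"; ok=1 ;; esac
    [ "${bits:-0}" -ge 2048 ] || { echo "key length ${bits:-?} < 2048"; ok=1; }
    return "$ok"
}

# Usage: make_csr www.spud.washington.edu ./spud && check_csr ./spud.csr
```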
2. Browse to the UW Certificate Services website (authentication required): https://iam-tools.u.washington.edu/cs/
3. Test ownership of your DNS name(s) by clicking the "Verify DNS Ownership" link, entering your hostname in the "DNS name" box, and clicking the "Verify ownership" button. Refer to the prerequisites above if the test fails.
4. Click the "New InCommon certificate" link. This displays the "Request InCommon certificate" form.
5. Paste the contents of your CSR into the "CSR (PEM)" box.
6. Optional: Add subject alternative names to your request by entering them in the "AltNames" box.
Any subject alternative names added using this option override those in your original CSR.
If you use wildcards (e.g. *.gca.uw.edu) in the subject alternative names, the certificate Subject (CN) must not use a wildcard. Wildcards only match one level below the domain specified: *.gca.uw.edu matches galaxy.gca.uw.edu but not giant.galaxy.gca.uw.edu. You could, however, add an additional subject alternative name for *.galaxy.gca.uw.edu. If you use a wildcard in the CN, any subject alternative names you specify are ignored.
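The one-level wildcard rule and the wildcard-CN rule from step 6, as an added example that is not part of the UW page: a small shell check that reports whether a certificate's names cover a hostname, using constructed names.

```shell
#!/bin/sh
# Added example (not from the UW page): apply the wildcard rules above to
# decide whether a certificate's names cover a given hostname. Names used
# here are constructed.
set -e

# san_matches NAME HOST: 0 if HOST is covered by NAME. A wildcard such as
# "*.gca.uw.edu" covers exactly one label below gca.uw.edu, so it matches
# galaxy.gca.uw.edu but not giant.galaxy.gca.uw.edu or gca.uw.edu itself.
san_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*)
            suffix=${name#\*.}
            case "$host" in
                *."$suffix")
                    label=${host%."$suffix"}
                    # exactly one non-empty label may stand in for the '*'
                    case "$label" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$name" = "$host" ] ;;
    esac
}

# cert_covers CN "SAN1 SAN2 ..." HOST: 0 if any name on the certificate
# covers HOST. Per the page, a wildcard CN causes the AltNames to be
# ignored, so only the CN is consulted in that case.
cert_covers() {
    cn=$1; sans=$2; host=$3
    case "$cn" in \*.*) sans= ;; esac
    for n in $cn $sans; do
        san_matches "$n" "$host" && return 0
    done
    return 1
}
```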
7. Select "SSL" as the Cert type.
8. Select the appropriate option from the "Server" menu.
9. Select the appropriate option from the "Number of servers" menu.
10. Select the desired option from the "Lifetime" menu.
11. Click the "Submit request" button. A valid CSR submission will indicate success.
If your selections above or the contents of your CSR are invalid, you may see an error message instead.
12. Wait for the certificate to be issued.
Turnaround time for InCommon/Comodo to sign requests is typically one hour.
13. UW Certificate Services will check the status of your request and notify you via email when your InCommon certificate has been issued.
Example: Email Notification
From: UW Certificate Services <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org, email@example.com
Subject: Certificate #1234 issued for www.spud.washington.edu
Certificate #1234 for www.spud.washington.edu has been issued by InCommon.
Common name: www.spud.washington.edu
Requested: Fri Aug 12 13:06:03 PDT 2011 by you
Expires: Mon Aug 11 16:59:59 PDT 2014
InCommon ID: 56765
You may retrieve the certificate from the UW Certificate Service website:
** Tip ** : UW Certificate Services determines ownership of certificate requests and sends email notifications based on contact information in DNS managed by UW-IT. You are receiving this message because you requested this certificate or because you're a registered DNS contact for the certificate's common name or one of its alternative names. Requests for changes to the contact list for your DNS name(s) should be emailed to firstname.lastname@example.org.
14. Browse to the UW Certificate Services website (same location as step 2 above).
15. Locate your request by browsing the list under "Favorites" or by using the "Search" control to find certificates by common name (CN) or alternative names (altName).
16. Click any of the table cells in the row corresponding with your request to view your request.
17. Select and copy the PEM version of your certificate, download the PKCS7 bundle, or use the "Other download" option to retrieve your certificate.
The PKCS7 download option works with recent Firefox, Chrome, and Safari browsers; the downloaded file has a .pkcs7 extension. IE 8 and 9 may instead display the contents of the certificate in the browser window; copy and paste that text into a file with a .pkcs7 extension.
18. Install the certificate on your platform, using whatever methods it provides for this. Consult your platform documentation as needed.
You'll also need to install the InCommon intermediate certificates. Your certificate and the InCommon intermediate certificates will be included in one download if you choose PKCS7. You might need to download your server certificate and the intermediate certificates separately if you choose the PEM option. A link to the InCommon intermediate certificates is included on the Certificate Services download page.
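Steps 17 and 18 in practice, as an added example that is not part of the UW page: convert the downloaded PKCS7 bundle to PEM, separate your server certificate from the intermediates it contains, and confirm the chain verifies. The file names are constructed; the optional CA file argument is an assumption for offline checks.

```shell
#!/bin/sh
# Added example (not from the UW page): turn the downloaded .pkcs7 bundle
# into PEM, separate the server certificate from the intermediates, and
# verify that the chain links up. File names here are constructed.
set -e

# pkcs7_to_pem BUNDLE OUT: write every certificate in BUNDLE to OUT as PEM,
# accepting either a PEM or a DER encoded PKCS7 file.
pkcs7_to_pem() {
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null ||
        openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2"
}

# split_chain CHAIN CN LEAF INTER: copy the certificate whose subject CN is
# CN to LEAF and every other certificate (the intermediates) to INTER.
# Relies on the "subject=" line that -print_certs emits before each cert.
split_chain() {
    awk -v cn="$2" -v leaf="$3" -v inter="$4" '
        /^subject=/ { out = ($0 ~ ("CN ?= ?" cn "(,|/|$)")) ? leaf : inter }
        /BEGIN CERTIFICATE/,/END CERTIFICATE/ { print > out }
    ' "$1"
}

# verify_chain LEAF INTER [CAFILE]: 0 if LEAF chains to a trusted root via
# the certificates in INTER; uses the system trust store unless CAFILE
# (an assumption for offline tests) is given.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
    else
        openssl verify -untrusted "$2" "$1" >/dev/null
    fi
}

# Usage: pkcs7_to_pem cert.pkcs7 chain.pem &&
#   split_chain chain.pem www.spud.washington.edu server.pem intermediates.pem &&
#   verify_chain server.pem intermediates.pem
```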
19. That's it! If you encountered a problem please report it to email@example.com.