
Purpose

How to obtain an X.509 certificate from the InCommon CA via the UW Certificate Services website.

Prerequisites

To obtain a certificate from the InCommon CA you must fulfill these prerequisites:

  • For DNS names managed in UW DNS:
    • The DNS name used for your certificate "common name" is registered in UW DNS.
    • Any DNS names used for your certificate "subject alternative names" are registered in UW DNS.
    • The UW NetID of the person submitting the certificate signing request (CSR) is registered in UW DNS as a contact for the common name and any subject alternative names in the CSR.
  • For DNS names managed outside of UW DNS:
    • The UW NetID of the person submitting the certificate signing request (CSR) is registered in the UW groups service as an owner for the common name and any subject alternative names in the CSR.
  • Approval is required for DNS names outside of washington.edu and uw.edu. To add support for a domain you own, you can Request a New Domain for InCommon CA Certificates.

For help establishing a DNS name and contact information in UW DNS, refer to Managing DNS Names For Infrastructure Services Access.

Procedure

1. Generate your certificate signing request (CSR). The procedure to generate a CSR varies from platform to platform; consult your platform documentation if you need assistance. Generate the private key on the server that will use the certificate and keep it there: only the CSR, which carries the public key, is submitted.

A valid CSR must contain the following subject fields and key size (this list is not itself a CSR):

  • Country (C) = US
  • State (ST) = WA (State = Washington is also accepted)
  • O = University of Washington
  • CN = your server's fully qualified domain name (e.g. www.spud.washington.edu)
  • key length >= 2048 bits

Example CSR:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
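The following script is an added example, not part of this page or of UW Certificate Services: it generates a 2048-bit RSA key and a CSR with the subject fields required above, and checks any CSR against those requirements (plus its self-signature) before you paste it into the form. It also encodes the wildcard rules from step 6 so you can see which names a request will actually cover. The hostname, file names and constructed inputs are assumptions for illustration; subject alternative names are left out of the CSR because the form's AltNames box overrides them anyway.

```shell
#!/bin/sh
# Added example (not from the UW page or UW-IT). Requires the openssl CLI.
# Hostname, file names and sample inputs are assumptions for illustration.

# Create <host>.key and <host>.csr in the current directory. The private key
# stays on this machine; only the CSR is submitted to Certificate Services.
# Subject alternative names are entered in the form's AltNames box (step 6),
# so none are put into the CSR here.
gen_csr() {
  host=$1
  openssl genrsa -out "$host.key" 2048 2>/dev/null
  chmod 600 "$host.key"
  openssl req -new -key "$host.key" -out "$host.csr" \
    -subj "/C=US/ST=WA/O=University of Washington/CN=$host"
}

# Check a CSR against the page's requirements: C=US, ST=WA or Washington,
# O=University of Washington, CN=<expected fqdn>, key >= 2048 bits, and a
# self-signature that verifies (a damaged paste fails here, not at the CA).
# Returns 0 when every check passes; otherwise prints each failure, returns 1.
# RFC2253 output lists RDNs in reverse order, so CN comes first and C last.
check_csr() {
  csr=$1; expected_cn=$2; status=0
  subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  case "$subject" in *"C=US") ;; *) echo "FAIL: Country must be US"; status=1 ;; esac
  case "$subject" in *"ST=WA,"*|*"ST=Washington,"*) ;; *) echo "FAIL: State must be WA or Washington"; status=1 ;; esac
  case "$subject" in *"O=University of Washington,"*) ;; *) echo "FAIL: O must be University of Washington"; status=1 ;; esac
  case "$subject" in *"CN=$expected_cn,"*) ;; *) echo "FAIL: CN is not $expected_cn"; status=1 ;; esac
  bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key length ${bits:-unknown} < 2048"; status=1; }
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "FAIL: CSR self-signature does not verify"; status=1; }
  return $status
}

# Step 6 rule: a wildcard matches exactly one label below its domain.
# wildcard_covers '*.gca.uw.edu' galaxy.gca.uw.edu        -> true
# wildcard_covers '*.gca.uw.edu' giant.galaxy.gca.uw.edu  -> false
wildcard_covers() {
  pattern=$1; name=$2
  case "$pattern" in
    '*.'*) ;;
    *) [ "$pattern" = "$name" ]; return ;;   # not a wildcard: exact match only
  esac
  suffix=${pattern#'*.'}
  label=${name%".$suffix"}       # unchanged when name does not end in .suffix
  if [ "$label" = "$name" ] || [ -z "$label" ]; then return 1; fi
  case "$label" in *.*) return 1 ;; esac      # more than one label below
  return 0
}

# Step 6 rule: a wildcard CN makes the AltNames box irrelevant. Prints the
# names the request will carry, one per line: CN alone if it is a wildcard,
# otherwise CN followed by every AltName given.
effective_names() {
  cn=$1; shift
  echo "$cn"
  case "$cn" in '*.'*) return 0 ;; esac
  for san in "$@"; do echo "$san"; done
}

# Usage: sh uw_csr.sh www.spud.washington.edu   (generate, then check)
if [ "$#" -gt 0 ]; then
  gen_csr "$1" && check_csr "$1.csr" "$1" && echo "$1.csr is ready to paste into the form"
fi
```

Run `check_csr` on any CSR you are about to submit, whether or not this script made it: a wrong organisation or a 1024-bit key is caught in seconds instead of after a rejected request.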

2. Browse to the UW Certificate Services website (authentication required): https://iam-tools.u.washington.edu/cs/

3. Test ownership of your DNS name(s) by clicking the "Verify DNS Ownership" link, entering your hostname in the "DNS name" box, and clicking the "Verify ownership" button. Refer to the prerequisites above if the test fails.

4. Click the "New InCommon certificate" link. This displays the "Request InCommon certificate" form.

5. Paste the contents of your CSR into the "CSR (PEM)" box.

6. Optional: Add subject alternative names to your request by entering them in the "AltNames" box.

Any subject alternative names added using this option will override those in your original CSR.

If you use wildcards (e.g. *.gca.uw.edu) in the subject alternative names, the certificate Subject (CN) must not use a wildcard. A wildcard also matches exactly one label below the domain specified: *.gca.uw.edu matches galaxy.gca.uw.edu but not giant.galaxy.gca.uw.edu (nor gca.uw.edu itself). You could, however, add an additional subject alternative name for *.galaxy.gca.uw.edu. If you use a wildcard in the CN, any subject alternative names you specify will be ignored.

7. Select "SSL" as the Cert type.

8. Select the appropriate option from the "Server" menu.

9. Select the appropriate option from the "Number of servers" menu.

10. Select the desired option from the "Lifetime" menu.

11. Click the "Submit request" button. A valid CSR submission will indicate success.

If your selections above or the contents of your CSR are invalid, you may see an error message instead.

12. Wait for the certificate to be issued.

Turnaround time for InCommon/Comodo to sign requests is typically one hour.

13. UW Certificate Services will check the status of your request and notify you via email when your InCommon certificate has been issued.

Example: Email Notification

From: UW Certificate Services <somebody@urizen3.cac.washington.edu>
Reply-To: help@uw.edu
To: you@uw.edu
Cc: jim1234@uw.edu, tim5678@uw.edu, slim90@uw.edu
Subject: Certificate #1234 issued for www.spud.washington.edu

Certificate #1234 for www.spud.washington.edu has been issued by InCommon.

Certificate Details:
Common name:  www.spud.washington.edu
Requested:    Fri Aug 12 13:06:03 PDT 2011 by you
Expires:      Mon Aug 11 16:59:59 PDT 2014
InCommon ID:  56765

You may retrieve the certificate from the UW Certificate Service website:
https://iam-tools.u.washington.edu/cs/cert?id=1234

** Tip ** : UW Certificate Services determines ownership of certificate
requests and sends email notifications based on contact information in
DNS managed by UW-IT. You are receiving this message because you
requested this certificate or because you're a registered DNS contact
for the certificate's common name or one of its alternative names.
Requests for changes to the contact list for your DNS name(s) should be
emailed to netops@uw.edu.

14. Browse to the UW Certificate Services website (same location as step 2 above).

15. Locate your request by browsing the list under "Favorites" or by using the "Search" control to find certificates by common name (CN) or alternative names (altName).

16. Click any of the table cells in the row corresponding with your request to view your request.

17. Select and copy the PEM version of your certificate, download the PKCS7 bundle, or use the "Other download" option to retrieve your certificate.

The PKCS7 download option seems to work fine with recent Firefox, Chrome, and Safari browsers. The downloaded file will have a .pkcs7 extension. IE 8 and 9 may instead show the contents of the certificate in a browser window. Copy and paste this to a file with a .pkcs7 extension.

18. Install the certificate on your platform, using whatever methods it provides for this. Consult your platform documentation as needed.

You'll also need to install the InCommon intermediate certificates: most clients cannot build a trust path from your server certificate to a trusted root unless the server sends the intermediates along with it. Your certificate and the InCommon intermediate certificates are included in one download if you choose PKCS7. If you choose the PEM option you might need to download your server certificate and the intermediate certificates separately. A link to the InCommon intermediate certificates is included on the Certificate Services download page.
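The script below is an added example, not part of this page or of UW Certificate Services, covering what to do between steps 17 and 18: convert the PKCS7 download to PEM, separate your server certificate from the intermediates, confirm the issued certificate matches the private key you generated for the CSR, verify the chain the way a client would, and check for upcoming expiry. File names and the trust-anchor path (a PEM file holding the root you trust) are assumptions; no real UW certificate data appears here.

```shell
#!/bin/sh
# Added example (not from the UW page or UW-IT). Requires the openssl CLI.
# File names and the trust-anchor path are assumptions for illustration.

# Write every certificate in a PKCS#7 bundle (PEM or DER) to $out as PEM and
# print how many certificates were found (server cert + intermediates).
pkcs7_to_pem() {
  bundle=$1; out=$2
  { openssl pkcs7 -in "$bundle" -print_certs 2>/dev/null \
      || openssl pkcs7 -inform DER -in "$bundle" -print_certs; } \
    | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > "$out"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Split a PEM chain into $leaf (the certificate whose CN is $host) and
# $inter (everything else): the two files most servers want configured
# separately as the certificate and the chain.
split_chain() {
  chain=$1; host=$2; leaf=$3; inter=$4
  : > "$leaf"; : > "$inter"
  awk -v p="$chain.part" '/^-----BEGIN CERTIFICATE-----/ { n++ } { print > (p n) }' "$chain"
  for part in "$chain".part*; do
    [ -f "$part" ] || continue
    cn=$(openssl x509 -in "$part" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/')
    if [ "$cn" = "$host" ]; then cat "$part" >> "$leaf"; else cat "$part" >> "$inter"; fi
    rm -f "$part"
  done
}

# True when the certificate's public key is the one in $key, i.e. the CA
# issued this certificate for the CSR made from this key and not another.
key_matches_cert() {
  key=$1; cert=$2
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when $leaf chains through $inter to a root in $anchor. This is what a
# browser does, so a missing or wrong intermediate shows up here rather than
# in users' error pages.
verify_chain() {
  leaf=$1; inter=$2; anchor=$3
  openssl verify -CAfile "$anchor" -untrusted "$inter" "$leaf" >/dev/null 2>&1
}

# True when $cert is still valid $days days from now; suitable for a renewal
# reminder in cron.
not_expiring_within_days() {
  cert=$1; days=$2
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Usage: sh uw_install_check.sh bundle.pkcs7 www.spud.washington.edu www.spud.washington.edu.key root.pem
if [ "$#" -eq 4 ]; then
  n=$(pkcs7_to_pem "$1" chain.pem) && echo "$n certificate(s) in bundle"
  split_chain chain.pem "$2" leaf.pem intermediates.pem
  key_matches_cert "$3" leaf.pem && echo "leaf.pem matches $3"
  verify_chain leaf.pem intermediates.pem "$4" && echo "chain verifies against $4"
  not_expiring_within_days leaf.pem 30 && echo "leaf.pem is valid for at least 30 more days"
fi
```

Hand leaf.pem and intermediates.pem to your platform in whatever form it expects (for example a certificate file and a separate chain file); the private key file from step 1 is the third piece. Never put the root itself in the chain you serve: clients must already trust it.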

19. That's it! If you encountered a problem please report it to iam-support@uw.edu.