How to obtain an X.509 certificate from the InCommon CA via the UW Certificate Services website.
To obtain a certificate from the InCommon CA you must fulfill these prerequisites:
For help establishing a DNS name and contact information in UW DNS, refer to Managing DNS Names For Infrastructure Services Access.
1. Generate your certificate signing request (CSR). The procedure to generate a CSR varies from platform to platform. Consult your platform documentation if you need assistance.
A valid CSR must contain:
2. Browse to the UW Certificate Services website (authentication required): https://iam-tools.u.washington.edu/cs/
3. Test ownership of your DNS name(s) by clicking the "Verify DNS Ownership" link, entering your hostname in the "DNS name" box, and clicking the "Verify ownership" button. Refer to the prerequisites above if the test fails.
4. Click the "New InCommon certificate" link. This displays the "Request InCommon certificate" form.
5. Paste the contents of your CSR into the "CSR (PEM)" box.
6. Optional: Add subject alternative names to your request by entering them in the "AltNames" box.
Any subject alternative names entered here replace those in your original CSR, so list every name the certificate needs, not just the additions.
If you use wildcards (e.g. *.gca.uw.edu) in the subject alternative names, the certificate Subject (CN) must not use a wildcard. A wildcard also matches only one label below the domain specified: *.gca.uw.edu matches galaxy.gca.uw.edu but not giant.galaxy.gca.uw.edu. To cover the deeper name you could add an additional subject alternative name for *.galaxy.gca.uw.edu. If you use a wildcard in the CN, any subject alternative names you specify will be ignored.
7. Select "SSL" as the Cert type.
8. Select the appropriate option from the "Server" menu.
9. Select the appropriate option from the "Number of servers" menu.
10. Select the desired option from the "Lifetime" menu.
11. Click the "Submit request" button. A valid CSR submission will indicate success.
If your selections above or the contents of your CSR are invalid, you may see an error message instead.
12. Wait for the certificate to be issued.
Turnaround time for InCommon/Comodo to sign requests is typically one hour.
13. UW Certificate Services will check the status of your request and notify you via email when your InCommon certificate has been issued.
Example: Email Notification
From: UW Certificate Services <email@example.com>
Reply-To: firstname.lastname@example.org
To: email@example.com
Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Subject: Certificate #1234 issued for www.spud.washington.edu

Certificate #1234 for www.spud.washington.edu has been issued by InCommon.

Certificate Details:
Common name: www.spud.washington.edu
Requested: Fri Aug 12 13:06:03 PDT 2011 by you
Expires: Mon Aug 11 16:59:59 PDT 2014
InCommon ID: 56765

You may retrieve the certificate from the UW Certificate Service website:
https://iam-tools.u.washington.edu/cs/cert?id=1234

** Tip ** : UW Certificate Services determines ownership of certificate requests and sends email notifications based on contact information in DNS managed by UW-IT. You are receiving this message because you requested this certificate or because you're a registered DNS contact for the certificate's common name or one of its alternative names. Requests for changes to the contact list for your DNS name(s) should be emailed to email@example.com.
14. Browse to the UW Certificate Services website (same location as step 2 above).
15. Locate your request by browsing the list under "Favorites" or by using the "Search" control to find certificates by common name (CN) or alternative names (altName).
16. Click any of the table cells in the row corresponding with your request to view your request.
17. Select and copy the PEM version of your certificate, download the PKCS7 bundle, or use the "Other download" option to retrieve your certificate.
The PKCS7 download option seems to work fine with recent Firefox, Chrome, and Safari browsers. The downloaded file will have a .pkcs7 extension. IE 8 and 9 may instead show the contents of the certificate in a browser window. Copy and paste this to a file with a .pkcs7 extension.
18. Install the certificate on your platform, using whatever methods it provides for this. Consult your platform documentation as needed.
You'll also need to install the InCommon intermediate certificates. Your certificate and the InCommon intermediate certificates will be included in one download if you choose PKCS7. You might need to download your server certificate and the intermediate certificates separately if you choose the PEM option. A link to the InCommon intermediate certificates is included on the Certificate Services download page.
19. That's it! If you encountered a problem please report it to firstname.lastname@example.org.
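The following script is an added example, not tooling from UW Certificate Services or InCommon. It walks the command-line parts of the procedure above with OpenSSL: step 1 (a CSR with subject alternative names, using the CN from the SAN discussion in step 6), then steps 17 and 18 (taking a PKCS7 bundle apart and verifying the chain against a root before installing). Because InCommon cannot be reached offline, the issuance in step 13 is stood in for by a throwaway two-tier CA that the script builds itself. Every hostname (galaxy.gca.uw.edu, moon.gca.uw.edu), organisation string, file name and the toy CA are hypothetical sample data; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not UW Certificate Services' own tooling. Follows the steps
# above: build a CSR with alternative names (step 1), then take a PKCS7 bundle
# apart and verify the chain before installing it (steps 17-18). InCommon is
# not reachable offline, so issuance is stood in for by a throwaway CA built
# here; every hostname, file name and organisation string is hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key + CSR. Arguments: CN first, then extra SANs. The CN is
# repeated in the SAN list because clients match names against the SANs only.
make_csr() {
    host="$1"; sans=""
    for n in "$@"; do sans="${sans:+$sans, }DNS:$n"; done
    cat > "$WORK/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = US
ST = Washington
O = University of Washington
CN = $host
[v3_req]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$host.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl req -in "$WORK/$host.csr" -noout -verify >/dev/null 2>&1  # CSR self-signature check
}

# The SAN line of a CSR: every name here must pass "Verify DNS Ownership" (step 3).
csr_sans() {
    openssl req -in "$WORK/$1.csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Stand-in for step 13: a throwaway root -> intermediate CA signs the CSR and
# returns a PKCS7 bundle of leaf + intermediate, the shape of the step 17 download.
issue_with_toy_ca() {
    host="$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'O = Toy CA standing in for InCommon (not a real trust anchor)' 'CN = Toy Root' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 -config "$WORK/ca.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj '/O=Toy CA standing in for InCommon/CN=Toy Intermediate' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null
    # x509 -req does not copy CSR extensions, so the SANs are restated for the leaf.
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        "subjectAltName = $(csr_sans "$host")" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/$host.pem" -certfile "$WORK/inter.pem" \
        -out "$WORK/$host.pkcs7"
}

# Steps 17-18: split the PKCS7 bundle into PEM certificates (leaf + intermediates).
unpack_pkcs7() { openssl pkcs7 -print_certs -in "$1" -out "$2"; }
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Before installing: the leaf must chain through the intermediate to the trusted root.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
# Same check for the name a client connects to; exercises the one-label wildcard rule of step 6.
matches_host() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
        -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

HOST=galaxy.gca.uw.edu                     # hypothetical; the CN is deliberately not a wildcard
make_csr "$HOST" '*.gca.uw.edu'
echo "CSR SANs: $(csr_sans "$HOST")"
issue_with_toy_ca "$HOST"
unpack_pkcs7 "$WORK/$HOST.pkcs7" "$WORK/chain.pem"
echo "bundle holds $(count_certs "$WORK/chain.pem") certificates"
verify_chain "$HOST" && echo "chain verifies against the root"
for n in galaxy.gca.uw.edu moon.gca.uw.edu giant.galaxy.gca.uw.edu; do
    if matches_host "$HOST" "$n"; then echo "$n: matched"; else echo "$n: not matched"; fi
done
```

With a real download from Certificate Services, only the last part applies: run `openssl pkcs7 -print_certs -in <file>.pkcs7` on the bundle, split the output into the server certificate and the InCommon intermediate(s), and run `openssl verify` against the root certificate your platform already trusts rather than the toy root above. The hostname loop shows why the one-label rule matters: *.gca.uw.edu covers moon.gca.uw.edu but not giant.galaxy.gca.uw.edu, so a deeper name needs its own SAN entry before you submit the request.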