Purpose

This page describes how to request that a new UW domain be added to the InCommon Certificate Service. All subdomains of washington.edu and uw.edu are pre-approved, so this process isn't required for any of them (e.g. depts.washington.edu, pottery.uw.edu).

Prerequisites

To add new domains to the UW subscription for the InCommon Certificate Service you must fulfill these prerequisites:

  1. Your domain is already registered in DNS.
  2. If your domain is registered in UW DNS:
    1. You must be registered in UW DNS as a domain contact for your domain. See Managing DNS Names For Infrastructure Services Access.
  3. If your domain is registered elsewhere:
    1. You must be listed as a contact for the domain in a WHOIS lookup. The email address used to make the "add domain" request must be listed in the domain registration record. As of 2018-05-25 this is a fairly loose requirement due to GDPR's impacts on WHOIS.
    2. The domain must be owned by the University of Washington, and a clear relationship between your domain and the University of Washington must be evident from a WHOIS lookup. How clear this needs to be is subjective and is in the hands of InCommon administration. Typically, use of UW street addresses and UW email addresses for contacts is sufficient. In some cases where a domain belongs to an academic consortium of which UW is a member (and UW doesn't own the domain directly), we can have the domain approved if there is a clear link to UW based on a WHOIS lookup. As of 2018-05-25 this is a fairly loose requirement due to GDPR's impacts on WHOIS.
  4. You must review the Domain Control Validation (DCV) options and select a method (E-Mail, HTTP, or CNAME). As of 2018-05-25 E-Mail DCV is not recommended due to GDPR's impacts on WHOIS, and as of 2021-11-22 HTTP DCV is no longer available for wildcard domains.
    1. If you select the E-Mail option, you must provide the email address that you would like to use for the process. Arbitrary email addresses cannot be used for DCV; the link above details which email addresses are accepted by InCommon.

Procedure

1. Email your request to iam-support@uw.edu like so:

Example: An email request to add a new domain

From: Requestor
To: iam-support@uw.edu
Subject: InCommon CA certs for superspuds.org

Please enable InCommon CA certificate requests for *.superspuds.org.
This is a DNS domain owned by our department. I would like to use the 
"E-Mail" DCV method and the following email address: admin@superspuds.org 

2. The Identity and Access Management (IAM) team will verify the prerequisites above.

3. IAM will submit a request to add your domain to the InCommon Certificate Service.

4. InCommon will verify UW domain ownership by examining the WHOIS record for your domain. 

5. IAM will initiate the DCV process. The specific steps will depend on which DCV option you selected. If your domain is not registered in UW DNS, we will coordinate with you directly to carry out DCV. If your domain is registered in UW DNS, IAM will coordinate with the UW NOC as required.

6. IAM will ensure that you're authorized to request InCommon CA certificates for the new domain from the UW Certificate Services website. If the domain is registered in UW DNS and you are designated as a DNS contact for the domain, authorization is automated. In other cases IAM will set up an authorization record for the domain.

7. Now you can Obtain a Certificate from the InCommon CA.