About the UO SSL Certificate Service
Information Services, via the InCommon Certificate Service, provides unlimited organization validation (OV) SSL/TLS certificates to University of Oregon departments and units. This program is centrally funded by Information Services and is provided at no additional cost to campus units.
SSL organization validation (OV) certificates and code signing certificates are now available via InCommon. As the service matures, the service offering will expand to include extended validation (EV) SSL/TLS certificates. Additional service components, as they are added, will be announced to the campus community.
Certificate Classes Explained
Using self-signed certificates is less secure and not advisable. SSL is built on trust between a certificate authority and the SSL clients. A self-signed certificate gives client machines no reason to trust that the ensuing connection is authentic, and it results in browser warning messages that the user must accept before proceeding to the website.
If you are currently using self-signed certificates in your production environment, please request an OV SSL certificate to replace any self-signed certificates in use.
Subject Alternative Names (SANs)
Certificates are usually issued for a single domain name. We also have the ability to add aliases to a certificate, so the certificate will validate for multiple names. For example, a webserver may host multiple websites.
CSRs should have an RSA (3072-bit or better) or ECDSA (P-256 or better) key pair with a SHA-256 (or better) hash. Instructions on how to generate a CSR are available below.
To make the CSR process as painless as possible, we offer advice for generating CSRs on the following platforms:
A PowerShell script to create a CSR for Windows/IIS/RDP can be found on ISFiles:
For a more complex CSR, the Certificates MMC snap-in can be used. Please let us know if you would like assistance with the MMC method.
Verify that you have a supported version of OpenSSL (https://www.openssl.org/policies/releasestrat.html).
Follow the instructions here, but use '4096' in place of '2048': https://support.rackspace.com/how-to/generate-a-csr-with-openssl/
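The requirements above (a 4096-bit RSA key, a SHA-256 hash, optional SANs), as an added example that is not part of the original page: `make_csr` generates the key and CSR with OpenSSL, and `check_csr` confirms locally that a CSR meets the stated minimums before it is submitted. The function names, the placeholder host names and the CN-only subject are assumptions.

```shell
# Added example. Host names are constructed placeholders; the subject carries
# only a CN (an assumption, the page does not list required subject fields).

# make_csr DIR CN [ALIAS...] -> writes DIR/CN.key and DIR/CN.csr
make_csr() {
    dir=$1; cn=$2; shift 2
    sans="DNS:$cn"                      # the CN is repeated as the first SAN
    for name in "$@"; do sans="$sans,DNS:$name"; done
    cat > "$dir/$cn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$dir/$cn.cnf" \
          -keyout "$dir/$cn.key" -out "$dir/$cn.csr" ) 2>/dev/null
}

# csr_sans FILE -> prints the DNS names requested in the CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# check_csr FILE -> exit 0 only if the CSR meets the requirements stated above
check_csr() {
    text=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
    # The self-signature proves the requester holds the matching private key.
    printf '%s\n' "$text" | grep -q 'verify OK' || return 1
    # SHA-256 or better hash.
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*sha(256|384|512)' || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 1
    # RSA 3072-bit or better, or ECDSA P-256 or better.
    case $text in
        *rsaEncryption*)  [ "$bits" -ge 3072 ] ;;
        *id-ecPublicKey*) [ "$bits" -ge 256 ] ;;
        *) return 1 ;;
    esac
}
```

Only the `.csr` file is sent with the request; the `.key` file stays on the server that will use the certificate.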
If you have any certificate questions, please don't hesitate to contact us at email@example.com.
Verifying a Certificate Signing Request (CSR)
After you have generated a CSR, you can verify it at either link below:
Submitting a Certificate Request
Step 1: Send an email to firstname.lastname@example.org with the following information (please include the words "SSL certificate request for Hostname.uoregon.edu" in the Subject line for ease of handling):
Java Web Server (Javasoft / Sun)
Microsoft IIS 5.x and later
Step 2: When the request has been approved, InCommon will send you an email with instructions on how to retrieve the certificate. This email will originate from the InCommon Certificate Services Manager, using email address email@example.com.
Below are the expected times for completion of work upon receipt of a service request. Some types of service requests, such as adding a new domain, have dependencies that need to be in place prior to submitting a request. Please allow time in project timelines to accommodate any dependency requirements.
Installing an SSL Certificate
Instructions on how to install SSL certificates on common platforms are available below.
Verifying an SSL Certificate
After you install your certificate, you can verify it here: https://sslanalyzer.comodoca.com/. Other online resources for testing SSL certificates and webserver SSL configuration are available below.
For questions or comments regarding the UO SSL Certificate Service, please use the contact information below: