InCommon Certificate Service for VCU
Where can I learn more about this program?
The University has an agreement with InCommon that allows for unlimited SSL PKI certificates included in one fixed annual fee. It is the University’s one certificate source for all University servers. Details about this program can be found on the InCommon Certificate Service page.
What is the procedure for a campus unit to acquire an SSL certificate?
Requests for InCommon Certificates are made by opening an IT Support Ticket. The form for the request can be found under Security - InCommon Security Certificates. The VCU University Computer Center Network Operations Center will handle the request and issue the certificate. We have also implemented the InCommon/Sectigo CA Service's ability to delegate PKI administration to approved Technology Services Staff as "Departmental" authorities. These Departmental authorities are referred to as Department Registration Authority Officer SSL Certificate (DRAO SSL) on the InCommon site. See the DCA FAQ section below for details. This distributed administrative model has been implemented in coordination with the Technology Services Management.
What are the available lifetimes for certificates?
We can issue 1-year or 2-year certificates. The NOC will provision 2-year certificates unless requested otherwise.
What about other DNS domains such as anyplace.org? Can you issue certificates for such domains?
The VCU InCommon-Sectigo agreement is currently registered to issue certificates for the VCU.EDU domain and its DNS sub-domains only. We can only manage DNS domains that we own and control. For DNS domains that we do not own, this InCommon-Comodo Certificate Authority will not apply. These “external” certificate requests will have to be processed by a different CA.
What is the cost to the campus unit, if any?
There is no direct cost to individual campus units as VCU Technology Services has paid the InCommon-Sectigo CA institutional fee.
Departmental Certificate Administrator (DCA) FAQ
What is a DCA?
The DCA is the individual who has been approved by a TS Director to manage specific VCU domains for the university through InCommon.
What is expected of a DCA?
The primary responsibility that a DCA has when issuing or renewing a certificate is to verify that requests for certificates are legitimate. If the DCA does not personally know the person making the certificate request and their business need for the certificate, the DCA is expected to exercise due diligence by tracking down a responsible person within the DCA's unit who can vouch for the legitimacy of the request. The DCA should maintain a record of requests and their confirmations, such as email correspondence, for the duration of the certificate renewal period. Another requirement is to learn to use the InCommon CSM administrative tool for managing certificates as documented in the InCommon CA CSM RAO Admin Guide.
What are the best-practice policies for a DCA?
DCAs are encouraged not to issue wildcard certificates, because more servers are at risk if the private key is compromised. Now that we can generate certificates on demand at no additional cost, there is less need to use wildcard certificates.
How do I generate a CSR and install the signed certificate?
If you are a web server maintainer and would like to generate a CSR, consult the Sectigo Knowledge Base for your web server type. Note: InCommon/Sectigo require that you create 2048-bit key pairs.
Otherwise, please submit an IT Support ticket under the category "Security -> InCommon Certificate".
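For the CSR step above, the following added example (not from VCU, InCommon or Sectigo) generates a 2048-bit RSA key and CSR with OpenSSL, then checks the CSR against the rules on this page: 2048-bit keys, names under vcu.edu only, no wildcards. It assumes OpenSSL 1.1.1 or later for `-addext`; the function names `make_csr` and `check_csr` and all hostnames are constructed for illustration, and accepting keys larger than 2048 bits is an assumption.

```shell
#!/usr/bin/env bash
# Added example; hostnames are constructed placeholders, not real VCU servers.

# make_csr <outdir> <primary-fqdn> [extra-fqdn ...]
# Writes <fqdn>.key (2048-bit RSA, unencrypted) and <fqdn>.csr with every name as a SAN.
make_csr() {
  local dir=$1 cn=$2 san extra
  shift 2
  san="DNS:$cn"
  for extra in "$@"; do san="$san,DNS:$extra"; done
  ( umask 077   # private key must not be readable by other users
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
      -subj "/CN=$cn" -addext "subjectAltName=$san" ) 2>/dev/null
}

# check_csr <file.csr>
# Prints one line per violation and returns non-zero if any rule is broken.
check_csr() {
  local csr=$1 text bits names n rc=0
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
    { echo "cannot parse CSR: $csr"; return 1; }
  # Key size appears as "Public-Key: (2048 bit)" in the text dump.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key is ${bits:-unknown} bits, need 2048"; rc=1; }
  # Collect the subject CN and every DNS SAN, lower-cased and de-duplicated.
  names=$( { printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/ ]*\).*/\1/p'
             printf '%s\n' "$text" | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
           } | tr 'A-Z' 'a-z' | sort -u )
  while IFS= read -r n; do
    case $n in
      '')                echo "no DNS names in CSR"; rc=1 ;;
      *\**)              echo "wildcard name: $n"; rc=1 ;;
      vcu.edu|*.vcu.edu) ;;   # inside the domain the agreement covers
      *)                 echo "outside vcu.edu: $n"; rc=1 ;;
    esac
  done <<EOF
$names
EOF
  return $rc
}

# Demo with constructed hostnames: two named hosts instead of one wildcard.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.vcu.edu app.example.vcu.edu &&
  check_csr "$demo_dir/www.example.vcu.edu.csr" && echo "CSR passes local checks"
```

The `.csr` file is what gets submitted; the `.key` file stays on the server and is never attached to a ticket or email.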
How can I sign up to become a DCA?
If you are interested in performing the DCA function for your unit and are a member of the VCU Technology Services organization, please forward your request along with the contact information to your department director. The request should then be forwarded to the NOC (UCCNOC@VCU.EDU). Please note the specific domains you will be managing.
This article was updated: 01/6/2020