InCommon Certificate Service for VCU
Where can I learn more about this program?
The University has an agreement with InCommon that covers unlimited SSL/TLS certificates under one fixed annual fee. It is the University's single certificate source for all University servers.
Details about this program can be found on the InCommon Certificate Service page.
What is the available lifetime of the certificates?
- Only 1-year term certificates can be issued.
- For those who want a longer term, an auto-renewal option is available on request when you submit.
- Expiration notifications will be sent 30, 15, 7, and 3 days before a certificate expires so that server administrators have time to request a renewal.
What is the cost to a campus unit, if any?
There is no direct cost to individual campus units as VCU Technology Services has paid the InCommon-Sectigo CA institutional fee.
Departmental Certificate Administrator (DCA) FAQ
What is a DCA?
The DCA is the individual who has been approved by a TS Director to manage specific VCU domains for the university through InCommon.
How can I sign up to become a DCA?
If you are interested in performing the DCA function for your unit and are a member of the VCU Technology Services organization, forward your request, along with your contact information, to your department director. The director should then forward the request to the NOC (UCCNOC@VCU.EDU). Please list the specific domains you will be managing.
What is expected of a DCA?
The primary responsibility of a DCA when issuing or renewing a certificate is to verify that the request is legitimate. If the DCA does not personally know the requester and their business need for the certificate, due diligence is expected: track down a responsible person within the DCA's unit who can vouch for the legitimacy of the request. The DCA should also keep a record of requests and their confirmations, such as email correspondence, for the duration of the certificate renewal period. Finally, the DCA must learn to use the InCommon CSM administrative tool for managing certificates, as documented in the InCommon CA CSM RAO Admin Guide.
What best practices should a DCA follow?
Wildcard certificates are discouraged: a wildcard private key is typically installed on many servers, so a single key compromise puts all of them at risk. Now that certificates can be generated on demand at no additional cost, there is little need for wildcards.
What about other DNS domains such as anyplace.org? Can you issue certificates for such domains?
The VCU InCommon-Sectigo agreement is currently registered to issue certificates for the VCU.EDU domain and its DNS sub-domains only. We can only manage DNS domains that VCU itself controls. For DNS domains that we do not own, the InCommon-Comodo Certificate Authority does not apply; these "external" certificate requests will have to be processed by a different CA.
What is the procedure for a campus unit to acquire an SSL certificate?
- A Certificate Signing Request (CSR) is the first step toward requesting an SSL/TLS certificate.
- The certificate and key may need to be in a particular format depending on the server type (e.g., a Windows server may need a PKCS#7 bundle converted to .pem, whereas a Linux server typically uses a PEM-encoded X.509 certificate).
- InCommon/Sectigo requires a minimum 2048-bit key pair; however, 4096-bit is recommended.
- After creating your CSR, request the InCommon certificate by opening an IT Support Ticket. (The certificate request form is under Web Development & Hosting / Web Security / InCommon Certificate.)
- Include an “organizational email” address if one is available, in addition to the individual email for certificate requests.
- The VCU University Computer Center Network Operations Center will handle the request and issue the certificate.
- We have also implemented the InCommon-Sectigo CA Service's ability to delegate PKI administration to approved Technology Services staff as "Departmental" authorities. These Departmental authorities are referred to as Department Registration Authority Officer SSL Certificate (DRAO SSL) on the InCommon site. See the DCA FAQ section above for details. This distributed administrative model has been implemented in coordination with Technology Services Management.
- Subject Alternative Name (SAN) certificates:
  - When a certificate must cover multiple DNS names, use the Subject Alternative Name (SAN) certificate option to combine the names into a single certificate.
  - Example: if you started with a single-name certificate and need to add another name, create a new CSR for a SAN certificate that includes all of the names (the existing name plus the new one). See also: https://support.f5.com/csp/article/K11438.
- Certificates that need to be on the F5:
  - It is the server administrator's responsibility to monitor certificate expiration dates and submit certificate renewal requests.
  - For sites fronted by the F5 (load balancer / university web proxy): after you have received the new certificate, notify Network Services via an IT Support Ticket.
  - Forward the original certificate email from the CA to the assigned engineer, and share the private key via VCU File Locker. Email is not a secure means of key sharing; do not send private keys via email.
How do I generate a CSR and install the signed certificate?
If you are a web server maintainer and would like to generate a CSR, consult the Sectigo Knowledge Base for your web server type. Note: InCommon-Sectigo requires a minimum 2048-bit key pair; however, 4096-bit is recommended.
Otherwise, please submit an IT Support ticket under the category "Security -> InCommon Certificate."
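As an added example covering both the acquisition procedure above and this CSR question (these are not VCU or InCommon tools), the POSIX shell functions below generate a CSR that follows the page's guidance: a 4096-bit RSA key and every hostname placed in the SAN extension, plus two read-back checks of the key size and SAN list so the CSR can be verified before it goes into the ticket. The hostnames and subject fields are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not VCU/InCommon tooling. Builds a SAN CSR with a 4096-bit
# RSA key and verifies what the CSR actually contains. Requires OpenSSL >= 1.1.1.
set -eu

# make_csr <keyfile> <csrfile> <primary-host> [extra-host ...]
# Writes a fresh private key and a CSR whose SAN lists every host given.
make_csr() {
  key="$1"; csr="$2"; primary="$3"; shift 3
  sans="DNS:${primary}"
  for h in "$@"; do sans="${sans},DNS:${h}"; done
  # Key size follows the page's recommendation (4096-bit; 2048 is the minimum).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$key" 2>/dev/null
  # The private key stays on the server; it is shared only via File Locker, never email.
  chmod 600 "$key"
  # Subject fields are placeholders; the CN is repeated in the SAN, which is what
  # browsers actually match against.
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=US/ST=Virginia/L=Richmond/O=Example Unit (placeholder)/CN=${primary}" \
    -addext "subjectAltName=${sans}"
}

# csr_key_bits <csrfile>: prints the RSA modulus size declared in the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sans <csrfile>: prints the SAN DNS entries, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# Usage (constructed placeholder hostnames):
#   make_csr server.key server.csr app.vcu.edu app-alias.vcu.edu
#   csr_key_bits server.csr   # expect 4096
#   csr_sans server.csr       # expect both hostnames listed
```

Paste the resulting server.csr into the IT Support ticket; the matching server.key never leaves the server except through File Locker when the F5 team needs it.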
Other helpful links:
- https://sectigo.com/resource-library/ssl101-understanding-tls-ssl
- https://sectigo.com/search/results?q=csr
- https://www.namecheap.com/support/knowledgebase/article.aspx/10161/14/generating-a-csr-on-windows-using-openssl/
- https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
- https://wiki.openssl.org/index.php/Command_Line_Utilities
This article was updated: 10/10/2022