The University has an agreement with InCommon that allows for unlimited SSL PKI certificates included in one fixed annual fee. It is the University’s one certificate source for all University servers. Details about this program can be found on the InCommon Certificate Service page.
Requests for InCommon Certificates are made by opening an IT Support Ticket. The request for the certificate can be found under Web Development & Hosting/Web Security/InCommon Certificate. The VCU University Computer Center Network Operations Center will handle the request and issue the certificate. We have also implemented the InCommon/Sectigo CA Service's ability to delegate PKI administration to approved Technology Services Staff as "Departmental" authorities. These Departmental authorities are referred to as Department Registration Authority Officer SSL Certificate (DRAO SSL) on the InCommon site. See the DCA FAQ section below for details. This distributed administrative model has been implemented in coordination with Technology Services Management.
We can issue 1-year or 2-year certificates. The NOC will provision 2-year certificates unless requested otherwise.
The VCU InCommon-Sectigo agreement is currently registered to issue certificates for the VCU.EDU domain and its DNS sub-domains only. We can only manage DNS domains that we own and control. For DNS domains that we do not own, this InCommon-Comodo Certificate Authority will not apply. These “external” certificate requests will have to be processed by a different CA.
There is no direct cost to individual campus units as VCU Technology Services has paid the InCommon-Sectigo CA institutional fee.
The DCA is the individual who has been approved by a TS Director to manage specific VCU domains for the university through InCommon.
The primary responsibility that a DCA has when issuing or renewing a certificate is to verify that requests for certificates are legitimate. If the DCA does not personally know the person making the certificate request and their business need for the certificate, due diligence would be expected in tracking down a responsible person within the DCA's unit who can vouch for the legitimacy of the request. Maintain a record of requests and their confirmations, such as email correspondence, for the duration of the certificate renewal period. Another requirement is to learn to use the InCommon CSM administrative tool for managing certificates, as documented in the InCommon CA CSM RAO Admin Guide.
Issuing wildcard certificates is discouraged, because more servers are at risk if the private key is compromised. Now that we can generate certs on demand at no additional cost, there is less need to use wildcard certs.
If you are a web server maintainer and would like to generate a CSR, consult the Sectigo Knowledge Base for your webserver type. Note: InCommon/Sectigo requires that you create 2048-bit key pairs.
Otherwise, please submit an IT Support ticket under the category "Security -> InCommon Certificate."
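As an added example (not part of the original article or of Sectigo's documentation), the shell functions below generate a 2048-bit key and CSR with OpenSSL and then check a CSR against the points made above: key size, names under vcu.edu, and wildcards flagged for review. The hostname `host.vcu.edu`, the function names and the return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Assumes OpenSSL 1.1.1 or later (for -addext).
# Usage (host.vcu.edu is a constructed placeholder):
#   make_csr host.vcu.edu . && check_csr ./host.vcu.edu.csr

# make_csr HOST DIR: write DIR/HOST.key (2048-bit RSA) and DIR/HOST.csr.
make_csr() {
    (
        umask 077   # private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
    )
}

# check_csr FILE: returns 0 = ready to submit, 1 = would be rejected
# (key too small or name outside vcu.edu), 2 = wildcard, needs review.
check_csr() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1

    # Key size as printed by OpenSSL: "Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; return 1; }

    # Collect the subject CN and every DNS entry in subjectAltName.
    cn=$(printf '%s\n' "$text" |
        sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p')
    sans=$(printf '%s\n' "$text" | tr ',' '\n' | sed -n 's/^ *DNS://p')

    rc=0
    set -f   # keep "*" in a wildcard name from being expanded as a glob
    for name in $cn $sans; do
        n=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $n in
            '*'*) echo "REVIEW: wildcard name $n"; [ "$rc" -eq 1 ] || rc=2 ;;
        esac
        case ${n#'*.'} in
            vcu.edu|*.vcu.edu) ;;
            *) echo "FAIL: $n is outside vcu.edu"; rc=1 ;;
        esac
    done
    set +f
    return "$rc"
}
```

Keep the `.key` file on the server that will use the certificate; only the `.csr` is submitted with the request.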
If you are interested in performing the DCA function for your unit and are a member of the VCU Technology Services organization, please forward your request along with the contact information to your department director. The request should then be forwarded to the NOC (UCCNOC@VCU.EDU). Please note the specific domains you will be managing.
This article was updated: 05/27/2020