Information Security

InCommon Certificate Request Processes

Last modified 3/29/2022

For step-by-step guidance on requesting or revoking certificates, see the InCommon Certificate Request Procedures page.


Processes

Individual processes exist for requesting, renewing, and revoking SSL/TLS certificates.

New Common Name Certificate Request Process

  • Request Process

  1. The department requires a new SSL/TLS certificate.
  2. The department generates a new Certificate Signing Request (CSR).
  3. The department sends the CSR to the Information Security Office and notifies the ISO if existing certificates require revocation.
  4. The Information Security Office reviews and fulfills the request.
  5. The certificate manager emails the requesting team with pickup details.
  6. The original requester installs the certificate on the appropriate system(s).

Existing Certificate Renewal Process

  • Renewal Process

  1. An SSL/TLS certificate was previously requested and issued as part of a New Common Name Certificate Request or Existing Certificate Renewal Request.
  2. The issued certificate is 45 days from expiration.
  3. A Cherwell ticket or department email is automatically generated.
  4. The requesting team evaluates the need for a renewal or revocation.
    1. If revocation is chosen, proceed to the Revocation Process below.
  5. The requesting team generates a new Certificate Signing Request (CSR).
  6. The requesting team notifies the Information Security Office of the decision to renew.
  7. The Information Security Office reviews and fulfills the request.
  8. The Information Security Office renewal ticket is closed.
  9. The original requester installs the certificate on the appropriate system(s).
  10. The Cherwell ticket in the requester's queue for renewal is closed.

Certificate Revocation Process

  • Revocation Process

  1. The department requires that an SSL/TLS certificate be revoked.
  2. The department sends the revocation request to the Information Security Office.
  3. The Information Security Office reviews and fulfills the revocation request.
  4. The Cherwell ticket for renewal is closed.

New Code-Signing Certificate Request Process

  • Request Process

  1. The department requires a new code-signing certificate.
  2. The department sends a request to the Information Security Office.
  3. The Information Security Office reviews and fulfills the request.
  4. The certificate manager emails the requesting team with pickup details.

Issuance Constraints

  • Multi-domain certificates may be subject to additional scrutiny, especially when being generated for use by a vendor.
  • Wildcard certificates are never issued for the root ISU domains. Wildcard certificates issued to vendors are subject to additional scrutiny.
  • Certificates should only be utilized for a single service. Certificates being used to authenticate multiple systems not providing an identical service will be immediately revoked. An example of acceptable use for a certificate on multiple systems is a high availability cluster where all systems in the cluster provide an identical service.
  • SSL/TLS certificates are valid for 1 year. This constraint comes directly from the certificate authority and is immutable.
  • Any certificate or private key suspected to be compromised must be immediately reported for revocation. Contact a member of the Information Security Office directly to report suspected breaches of certificates or certificate private keys.

Further Reading

InCommon Certificate Request Procedures

Certificate Request Forms