SSL/TLS Certificate FAQs

SSL Certificate Frequently Asked Questions.

SSL Certificate Frequently Asked Questions

General
Requesting a Certificate
Installing a Certificate
Renewing a Certificate
  1. How soon can I renew an existing server certificate?
  2. When are renewal notices sent?
  3. How do I renew certificate?

General

  1. Who can order an SSL certificate? 

    In general, any UW Madison faculty and staff can request a certificate.  The certificate requester must also agree to the following:

    "I am responsible for running a service which uses this fully qualified domain name(s) and part of my responsibility as a employee of the UW Madison is to secure this domain. The sole purpose of my use of this certificate is for securing this domain(s) and not for malicious or other fraudulent purposes. If I suspect that the private key associated with this certificate is lost or compromised I will contact servercertificates@doit.wisc.edu and seek immediate revocation."

  2. How much does a certificate cost?

    DoIT's has absorbed the annual cost to issue SSL certificates. At this time, there is no cost to campus units.

    Additionally, free automatically renewable certificates are available via Let's Encrypt: https://kb.wisc.edu/sslservercerts/97607

  3.  Can I request a certificate for a domain other than wisc.edu or wisconsin.edu (DCV - Domain Control Validation)?

    Yes, however, you will need to go through DCV (Domain Control Validation).  This step requires that the owners of the domain have control of DNS.  Adding a new domain to Incommon will require CNAME DNS records that we will supply to the requestor(s) and entered by the requestor in DNS.  Once the DNS CNAMEs have been established and verified by Incommon we will notify you that you can proceed to submit your request via https://servercertificates.wisc.edu/

    The resulting certificate will be a DV (Domain Validated) certificate. Names that end with wisc.edu or wisconsin.edu are considered OV (Organization Validated) certificates, see below for EV (Extended Validation) certificates.

    NOTE: With Incommon you will have to renew DCV annually.


  4. How do I get support if I have a question or have trouble getting, ordering or installing a certificate?
    This article details support options.

Requesting a Certificate

  1. How do I create a CSR (Certificate Signing Request)?
    There are plenty of up to date instructions here: https://www.google.com/search?q=openssl+csr.
    We recommend 4096 bits at this time, CN (Common Name) is your website url (e.g. sitename.wisc.edu), O (organization) is University of Wisconsin-Madison, OU (Organization Unit, optional): OCIS, City or Locality (optional): Madison, State or Providence (optional): Wisconsin, Country (optional): US

  2. What types of certificates can I order? 
    We've described the types of SSL certificates that we can issue here.

  3. Can I use one certificate for multiple host names? 
    Yes, you can request a multi-domain certificate and include up to 100 subject alternative names (SAN) in the certificate. However, to make sure your request goes smoothly, we request that you contact servercertificates@doit.wisc.edu for requests containing 20+ SANs. This will make your request proceeds smoothly without delay.  A typical use of a SAN is to secure a web site called department.wisc.edu and include an alternate name of www.department.wisc.edu.
     
  4. Can I have a wildcard certificate, e.g..doit.wisc.edu, issued for a group of hosts? 
    Yes -- SSL/TLS Wildcard Certificates

  5. Can I have an extended validation (EV) server certificate? 
    EV certificates have been trending away from usage and most all popular browsers have dropped support.

    That said, EV certificates are available still in the InCommon/Comodo program but must be verified and ordered individually through Comodo.  It may take between 1-2 weeks to complete the EV certificate issuance process.  If you have a use case for a EV Certificate please contact servercertificates@doit.wisc.edu with your CSR (Certificate Signing Request) to start the process.


  6. My web server type isn't listed in drop down for web server type ... what should I select? or I selected the wrong web server type does this matter?
    This item is purely for statistical reporting and will not impact certificate generation. You can select anything from the drop down and processing will be the same.

Installing a Certificate

  1. Can I change certificate details, e.g. common name, of an existing certificate? 
    In order to change certificate content, you will need to submit a new CSR. Submit your new CSR via the UW Server Certificate Service.

  2. What happens if I lose my private key, e.g. forget a password, corresponding to my certificate? 
    You will need to submit a new CSR. Submit your new CSR via the UW Server Certificate Service.

  3. What happens if I did not receive the certificate via email or accidentally deleted it? 
    You can contact servercertificates@doit.wisc.edu to have the certificate information re-sent.

  4. Why do I get a "Certificate not trusted" error message after installing the certificate? 
    This is a common problem and is likely because you do not have the intermediate certificates installed on the server. See this article for why and how you need to install the intermediate certificates.

  5. How do I test that my certificates, including the intermediate certificate, is installed correctly? 
    This article describes how to test that the certificate trust chain is installed correctly.

  6. What is the Certificate trust chain for the InCommon certificates? 
    We've posted the root and intermediate certificates here and also included other commonly needed information about our organizationally and extended validation certificates.

Renewing a Certificate

    1. How soon can I renew an existing server certificate? 
      You can renew a certificate up to 90 days in advance of the certificate expiring. Please note that you will not lose any validity time when you renew.

    2. When are renewal notices sent? 
      Renewal notices are sent at 40, 30, 20, 10, 5, and 2 days out from expiration.

    3. How do I renew a certificate? 
      To renew a certificate, you can  submit a new CSR using the UW Server Certificate Service

      It is not recommended to request a renewal of an existing certificate because it will re-use your existing private key on the server.  Reusing the private key is considered bad practice.   Federal Common Policy is to expire private keys after a maximum of 3 years (has been since 2017 – reference Revised Certificate Policy (nist.gov) – Section 3.3.1)



    Keywords:
    server certificates ssl tls incommon comodo sectigo csr dcv domain control validation "certificate signing request" 
    Doc ID:
    18911
    Owned by:
    Jake S. in SSL Server Certificates
    Created:
    2011-06-19
    Updated:
    2024-02-05
    Sites:
    DoIT Help Desk, Identity and Access Management, SSL Server Certificates