Requesting a Virginia Tech SSL/TLS Certificate


Introduction

How do I request a Virginia Tech SSL/TLS certificate?

Instructions

To enroll for an InCommon TLS web server certificate:

  1. Generate a PEM encoded CSR (Certificate Signing Request).
    1. The method used for generating a CSR varies depending on the application which will be using the SSL/TLS server certificate. ***Please follow the directions provided with your application software to generate a CSR.*** Specify a key size of at least 2048 bits for RSA or 256 bits for ECC.
    2. ***The CN must be included on the CSR.*** The InCommon Certificate Authority (CA) requires the CN on the CSR. The InCommon CA will generate all other DN attributes for you, so default values for them are acceptable.
  2. For each SSL/TLS server certificate needed, log in to the Certificate Manager to complete and submit the online request.
    1. Select InCommon TLS Web Server Certificates in the list of available certificates.
    2. Specify any additional DNS names (other than the CN on the generated CSR) in the Subject Alternative Name field.
    3. Specify an Email address to be used for notifications when the certificate is issued and/or nearing expiration.
    4. Upload the PEM encoded CSR by clicking Browse....
    5. Add any comments you may have for the request.
    6. Agree to the Terms of Use and click Submit Request.
  3. After submitting the request, the following checks are performed for approval of your request. Each name including the CN and all SANs must be approved before issuance of the certificate. Depending on the approval workflow, approvals will happen on the exact name or the third level domain, ignoring (ad|cloud|dynamic|ipv4|ipv6) third level domains. Any one or all approval workflows may be used for approval of the request. If for any reason an NL rejects a name, the entire request will be rejected.
    1. You have an entitlement for the domain of a requested name.
      (If you don’t have an entitlement, you may ask your Domain Network Liaison (DNL) to request one for you via ServiceNow. The NL should specify that the entitlement be for a specific name or a domain. You must have the entitlement before submitting the request.)
    2. You are the DNL for the domain of a requested name.
    3. You may choose to have an approval email sent to the DNL of a requested name and the DNL may choose to approve or reject that name.
    4. You may choose to place a security token at a given URL for the requested name.
  4. After each name has been approved, an email will be sent to the email address provided in the request with instructions on how to download your certificate. You may also download the reverse order of the certificate (most common) from My Certificate Requests. If you encounter problems, please contact Middleware for assistance at middleware-g@vt.edu.
  5. To successfully complete the installation of your InCommon TLS server certificate, the certificate, private key, and trusted certificate CA chain certificates MUST be configured using the instructions provided by your software application or web server. The trusted certificate CA chain will be included in the email.
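
A pre-upload check for the CSR requirements in step 1, added here as an example (it is not Virginia Tech or InCommon tooling): using the `openssl` command line, it confirms that a CSR is PEM encoded, carries a CN, and uses at least a 2048-bit RSA or 256-bit ECC key. The function name `check_csr` and the file name `server.csr` are assumptions.

```shell
#!/bin/sh
# Added example: pre-submission check of a CSR against the requirements in
# step 1 (PEM encoded, CN present, RSA >= 2048 bits or ECC >= 256 bits).
# check_csr is a hypothetical helper name; only the openssl CLI is assumed.

# check_csr FILE: prints a verdict; exit status 0 means ready to upload.
# The body runs in a subshell, so "exit" only ends the function.
check_csr() (
    csr=$1

    # 1. Must parse as a PEM encoded PKCS#10 request (DER or garbage fails).
    openssl req -in "$csr" -inform PEM -noout >/dev/null 2>&1 ||
        { echo "FAIL: not a PEM encoded CSR"; exit 1; }

    # 2. The subject must carry a commonName.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    [ -n "$cn" ] || { echo "FAIL: CSR subject has no CN"; exit 1; }

    # 3. Key type and size, read from the human-readable dump.
    text=$(openssl req -in "$csr" -noout -text)
    alg=$(printf '%s\n' "$text" |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    case $alg in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *) echo "FAIL: unexpected key type '$alg'"; exit 1 ;;
    esac
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "FAIL: $alg key is ${bits:-?} bits, need >= $min"; exit 1; }

    echo "OK: CN=$cn, $alg ${bits}-bit"
)

# Stand-alone use: sh check_csr.sh server.csr
[ $# -eq 0 ] || check_csr "$1"
```

The check does not cover the Subject Alternative Name field, which is entered in the request form rather than read from the CSR.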