Information Technology Services

NAU is now participating in the InCommon Certificate Service, which will entitle campus staff to unlimited SSL, personal signing, encryption, and code signing PKI certificates.

How to Request

Please go to the Certificate Request SharePoint Site and add your CSR. If you have any questions email:  its-cert-request@xdl.nau.edu

Cost / Pricing

1 Year Certificate $75
2 Year Certificate $150
3 Year Certificate $225

Support Information

1. Where can I learn more about this program?
See the InCommon Certificate Service page. Note also the Support link on that page.

2. When is this program ready for campus?
We can issue certificates now.

3. What is the procedure for a campus unit to acquire SSL certs?
Submit your request to the Certificate Request SharePoint Site  (using a 2048-bit Private key) and ITS staff will handle the request and issue the certificate.

4. Does this system have the capability to do Subject Alternative Name (SAN) certificates where we can use one certificate with multiple DNS hostnames per IP address?
Yes, the following types of certificates are supported: Comodo EV SGC SSL (EV/SAN), Comodo EV Multi Domain SSL, InCommon Wildcard SSL Certificate, InCommon SSL, InCommon Intranet SSL (secure internal servers using either a full server name or a private IP address), InCommon Unified Communications Certificate (UCC/SAN), InCommon Multi Domain SSL, Corporate Secure Email Certificate.

5. What are the available lifetimes for certificates?
We can issue 1-, 2-, or 3-year certificates. Please be sure to indicate the lifetime in your request.

6. Will there be a charge for SSL certificates?
Yes, 1-year certificates will cost $75, 2-year certificates will cost $150, and 3-year certificates will cost $225.

7. How does Comodo handle certificate revocation lists (CRLs)?
See this Comodo KB article and also note that each certificate provisioned will have a X509v3 CRL Distribution Points entry for live access to the current CRL.

8. What is the major difference between UCC/SAN and Multi-Domain/SAN certificates (MDC)?
The main (and perhaps only) difference is that the MDC can have the Subject CN (or primary domain name) set to a group name: essentially a non-valid domain name. All of the requested FQDNs will appear as dnsName entries in the SubjectAltName (SAN) extension. The UCC certificate is identical in that the requested FQDNs are in the SAN field, but it also contains a valid FQDN as the CN in the Subject. Other than this, these two types of certificates appear to be functionally equivalent.

9. How do I generate a CSR and install the signed certificate?
For help with generating a CSR and other certificate issues, consult the Comodo Knowledge Base for your web-server type. Note that for UCC/SAN or Multi-Domain/SAN certificates the CSR you generate only needs to be for the single Common Name domain, aka the Primary Domain Name. Additional domains that you may require in the Subject Alternative Name will be added at the time of provisioning the certificate.

10. What information needs to be included in the CSR for a SAN certificate?
Optionally in the CSR itself, but required in the requesting e-mail, please list the primary Subject CN (fully-qualified DNS name, FQDN) required, and any additional CNs (as FQDNs) to be added to the SAN field of the provisioned certificate. For example, the request might be:

Please provision a Multi-Domain/SAN certificate as follows: myhost.nau.edu (primary), myhost-b1.nau.edu, myhost-b2.nau.edu; using the included CSR.

11. How do I create a CSR on Microsoft IIS servers?
Comodo does provide some KB articles dealing with several versions of IIS for CSR generation and installation of the certificates. See, for example, CSR Generation: Microsoft IIS 7.x, Certificate Installation: IIS 7.x, and Root and Intermediate Certificate installation via MMC

12. How about some help with non-Microsoft servers?
Comodo has an extensive support site. Please click here and enter CSR Generation in the search box. Several links will result which contain examples for CSR generation and installation.

13. What about other DNS domains such as anyplace.org? Can you issue certificates for such domains?
The NAU InCommon-Comodo CA is currently registered to issue certificates for the nau.edu domain and its DNS subdomains plus a few other domains that InCommon has approved following our request for authorization to issue certificates on behalf of the domain. We can request to add any other DNS domains which we control or own, and for which we can provide to InCommon:

1. evidence of ownership.
2. proof of  control of the DNS domain in question. For DNS domains that we do not own, this NAU InCommon-Comodo CA will not apply so standard certificate requesting procedures with an external CA will be necessary.