NAU is now participating in the InCommon
Certificate Service, which will entitle campus staff to unlimited SSL, personal
signing, encryption, and code signing PKI certificates.
How to Request
Please go to the Certificate Request SharePoint Site and add your CSR. If you have any questions email:
Cost / Pricing
1 Year Certificate $75
3 Year Certificate $225
1. Where can I learn more about this
See the InCommon
Certificate Service page. Note also the Support
link on that page.
2. When is this program ready for
We can issue certificates now.
3. What is
the procedure for a campus unit to acquire SSL certs?
request to the Certificate
Request SharePoint Site (using a 2048-bit Private key) and ITS staff
will handle the request and issue the certificate.
4. Does this
system have the capability to do Subject Alternative Name (SAN) certificates
where we can use one certificate with multiple DNS hostnames per IP
Yes, the following types of certificates are supported:
Comodo EV SGC SSL (EV/SAN), Comodo EV Multi Domain SSL, InCommon Wildcard SSL
Certificate, InCommon SSL, InCommon Intranet SSL (secure internal servers using
either a full server name or a private IP address), InCommon Unified
Communications Certificate (UCC/SAN), InCommon Multi Domain SSL, Corporate
Secure Email Certificate.
5. What are the available lifetimes
We can issue 1-, 2-, or 3-year certificates.
Please be sure to indicate the lifetime in your request.
there be a charge for SSL certificates?
Yes, 1-year certificates
will cost $75, 2-year certificates will cost $150, and 3-year certificates
will cost $225.
7. How does Comodo handle certificate
revocation lists (CRLs)?
See this Comodo
KB article and also note that each certificate provisioned will have a
X509v3 CRL Distribution Points entry for live access to the current CRL.
8. What is the major difference between UCC/SAN and Multi-Domain/SAN
The main (and perhaps only) difference is
that the MDC can have the Subject CN (or primary domain name) set to a group
name: essentially a non-valid domain name. All of the requested FQDNs will
appear as dnsName entries in the SubjectAltName (SAN) extension. The UCC
certificate is identical in that the requested FQDNs are in the SAN field, but
it also contains a valid FQDN as the CN in the Subject. Other than this, these
two types of certificates appear to be functionally equivalent.
9. How do I generate a CSR and install the signed certificate?
For help with generating a CSR and other certificate issues, consult
Knowledge Base for your web-server type. Note that for UCC/SAN or
Multi-Domain/SAN certificates the CSR you generate only needs to be for the
single Common Name domain, aka the Primary Domain Name. Additional domains that
you may require in the Subject Alternative Name will be added at the time of
provisioning the certificate.
10. What information needs to be
included in the CSR for a SAN certificate?
Optionally in the CSR
itself, but required in the requesting e-mail, please list the primary Subject
CN (fully-qualified DNS name, FQDN) required, and any additional CNs (as
FQDNs) to be added to the SAN field of the provisioned certificate. For
example, the request might be:
Please provision a Multi-Domain/SAN
certificate as follows: myhost.nau.edu (primary), myhost-b1.nau.edu,
myhost-b2.nau.edu; using the included CSR.
11. How do I create
a CSR on Microsoft IIS servers?
Comodo does provide some KB
articles dealing with several versions of IIS for CSR generation and
installation of the certificates. See, for example, CSR
Generation: Microsoft IIS 7.x, Certificate
Installation: IIS 7.x, and
Root and Intermediate Certificate installation via MMC
How about some help with non-Microsoft servers?
Comodo has an
extensive support site. Please click here
and enter CSR Generation in the search box.
Several links will result which contain examples for CSR generation and
13. What about other DNS domains such as
anyplace.org? Can you issue certificates for such domains?
NAU InCommon-Comodo CA is currently registered to issue certificates for the
nau.edu domain and its DNS subdomains plus a few other domains that InCommon
has approved following our request for authorization to issue certificates on
behalf of the domain. We can request to add any other DNS domains which we
control or own, and for which we can provide to InCommon:
- proof of control of the DNS domain in question. For
DNS domains that we do not own, this NAU InCommon-Comodo CA will not apply so
standard certificate requesting procedures with an external CA will be