InCommon Certificates Since 2008, CSU has been a member of the InCommon Federation, an organization of participating institutions which provides global cloud-based and local collaboration tools to connect millions of users and hundreds of educational institutions, research organizations, and commercial resource providers. See InCommon: Federation Operating Practices and Polices (2023) for more information. Applicable to: CSU System, Fort Collins, Pueblo, Spur IT Staff, System Administrators Prerequisites Administratively managing an SSL certificate requires: Practical knowledge for configuring SSL Certificates in your application Administrative access to system that hosts SSL certificate for app/website VPN/Campus connection to submit requests through InCommon - Certificate Request Access to the email where SSL certificate requests are sent for department InCommon Certificate Requests Request and install an InCommon SSL (TLS) Certificate on your web server or application to encrypt communications between users and your web server, keep user data private and secure, document website ownership, and build user trust. If you’re familiar with the request process, click the link below to fill out the InCommon Request form directly. For a detailed explanation of the full certificate process, please continue reading our step-by-step guide. Request InCommon Certificate After you've completed the form, you can view your submitted SSL certificate requests at My Certificate Requests. Steps to Request and Install InCommon Certificates 1) CSR Generation Follow the instructions by Comodo to create a Certificate Signing Request (CSR) in your web server or application. 2) InCommon Certificate Request Log in with your NetID and complete the InCommon Certificate Request form, which validates the CSR and sends the CSR details and your contact information to the CSU Certificate Administrators. After submission, you can view your request at the InCommon My Certificate Requests page. 3) Certificate Issued A CSU Certificate Administrator will submit your CSR to the InCommon Federation Manager. Certificates are usually requested, issued, and sent via email within 24 hours. 4) Download Certificate Look for an email message from the Certificate Services Manager that your certificate is ready. Click the appropriate link to download your certificate. 5) Install Certificate Follow the instructions by Comodo to install the certificate onto your web server or application. 6) Check Configurations Check the configuration of your web server, including the security of your certificate installation, with the GlobalSign SSL Server Test.Results include a letter grade and links to explain and fix issues. An "A" rating or better is required for SSL certificates issued by the InCommon Federation on publicly-accessible websites. Read more: Understanding the Endpoint Encryption Score. Related Articles CSU Certificate Request Form InCommon: About the InCommon Certificate Service My Certificate Requests Understanding the InCommon SSL Certificate Chains

Intermediate SSL Certificates Most Certificate Authorities today protect their root certificate by only signing a few certificates. These “intermediate” certificates are then used to sign individual server certificates, thus protecting the root certificate from compromise through excessive use. Applicable to: CSU System, Fort Collins, Pueblo, Spur IT Staff, System Administrators What do I do with an intermediate certificate? Both the Root CA (Certificate Authority) certificate and the Intermediate certificate should be installed on the server, along with the server certificate that was created with the Certificate Signing Request. What does a client's web browser do with an intermediate certificate? When the browser requests a page protected by SSL, the server presents the “trust path” which describes the chain of signing relationships from the server through the intermediate to the root. If all three certificates are on the server, AND the root certificate is trusted by the client (if they are “in the browser”), AND the public keys embedded in the certificates match the public keys contained in the browser’s list, THEN the browser happily authenticates the server. Chain of Trust The chain of trust for basic InCommon/Sectigo SSL certificates uses the InCommon RSA Server CA 2 intermediate certificate: USERTrust RSA CA (the root, expires in January 2038, may also be shown as USERTrust RSA Certification Authority) InCommon RSA Server CA 2 (the intermediate, expires in November 2032) End-Entity Certificate (your server) How do I install an intermediate certificate? The installation process will vary based on your operating system and web server software; in some cases you may receive a bundle that includes all three certificates in one file. Follow the installation instructions for your server. Related Articles InCommon: About the InCommon Certificate Service Understanding the InCommon SSL Certificate Chains