InCommon Certificates

Since 2008, CSU has been a member of the InCommon Federation, an organization of participating institutions which provides global cloud-based and local collaboration tools to connect millions of users and hundreds of educational institutions, research organizations, and commercial resource providers.

See Colorado State University’s Participant Operation Practices (2008) and In Common: Federation Operating Practices and Polices (2018) for more information.

Steps to Request and Install InCommon Certificates

Request and install an InCommon SSL (TLS) Certificate on your web server or application to encrypt communications between users and your web server, keep user data private and secure, document website ownership, and build user trust.

If you’re familiar with the request process, click the link below to fill out the InCommon Request form directly. For a detailed explanation of the full certificate process, please continue reading our step-by-step guide.

step 1
CSR Generation

Follow the instructions by Comodo to create a Certificate Signing Request (CSR) in your web server or application.

step 2
InCommon Certificate Request

Log in with your CSU NetID and complete the InCommon Certificate Request form, which validates the CSR and sends the CSR details and your contact information to the CSU Certificate Administrators.

step 3
Certificate Issued

A CSU Certificate Administrator will submit your CSR to the InCommon Federation Manager. Certificates are usually requested, issued, and sent via email within 24 hours.

step 4
Download Certificate

Look for an email message from the Certificate Services Manager that your certificate is ready. Click the appropriate link to download your certificate.

step 5
Install Certificate

Follow the instructions by Comodo to install the certificate onto your web server or application.

step 6
Check Configurations

Check the configuration of your web server, including the security of your certificate installation, with the GlobalSign SSL Server Test. Results include a letter grade and links to explain and fix issues.

Additional Resources

Intermediate SSL Certificates

Most Certificate Authorities today protect their root certificate by only signing a few certificates. These “intermediate” certificates are then used to sign individual server certificates, thus protecting the root certificate from compromise through excessive use.

  • What do I do with an intermediate certificate?

    Both the Root CA cert and the Intermediate cert should be installed on the server, along with the server cert that was created with the Certificate Signing Request.

  • What does a client’s web browser do with an intermediate certificate?

    When the browser requests a page protected by SSL, the server presents the “trust path” which describes the chain of signing relationships from the server through the intermediate to the root. If all three certs are on the server, AND the root cert is trusted by the client (if they are “in the browser”), AND the public keys embedded in the certificates match the public keys contained in the browser’s list, THEN the browser happily authenticates the server.

    The chain of trust for basic InCommon/Comodo SSL certs uses the InCommon RSA Server CA intermediate cert:

    • USERTrust Secure (the root) [May also be shown as USERTrust RSA Certification Authority and / or AddTrust External CA Root]
      • InCommon RSA Server CA (the intermediate)
        • End-Entity Certificate (your server)
  • How do I install an intermediate certificate?

    The installation process will vary based on your operating system and web server software; in some cases you may receive a bundle that includes all three certs in one file. Follow the installation instructions for your server.