Since 2008, CSU has been a member of the InCommon Federation, an organization of participating institutions which provides global cloud-based and local collaboration tools to connect millions of users and hundreds of educational institutions, research organizations, and commercial resource providers.
See Colorado State University’s Participant Operation Practices (2008) and InCommon: Federation Operating Practices and Policies (2018) for more information.
Steps to Request and Install InCommon Certificates
Request and install an InCommon SSL (TLS) Certificate on your web server or application to encrypt communications between users and your web server, keep user data private and secure, document website ownership, and build user trust.
If you’re familiar with the request process, click the link below to fill out the InCommon Request form directly. For a detailed explanation of the full certificate process, please continue reading our step-by-step guide.
Follow the instructions by Comodo to create a Certificate Signing Request (CSR) in your web server or application.
Log in with your CSU NetID and complete the InCommon Certificate Request form, which validates the CSR and sends the CSR details and your contact information to the CSU Certificate Administrators.
A CSU Certificate Administrator will submit your CSR to the InCommon Federation Manager. Certificates are usually requested, issued, and sent via email within 24 hours.
Look for an email message from the Certificate Services Manager that your certificate is ready. Click the appropriate link to download your certificate.
Follow the instructions by Comodo to install the certificate onto your web server or application.
Check the configuration of your web server, including the security of your certificate installation, with the GlobalSign SSL Server Test. Results include a letter grade and links to explain and fix issues.
Automating the Certificate Lifecycle
In March 2023, Google announced intentions to limit TLS certificates to 90 days. Sectigo and InCommon have also indicated that automating certificate lifecycle management is becoming essential for efficiency, integrity, security, and regulatory compliance.
The CSU Division of IT is encouraging college and division IT managers to develop plans to start consistently automating certificate management in their departments. The Division is also delegating certificate administration by providing Department Registration Authority Officer (DRAO) accounts in the InCommon Certificate Manager upon request.
IT managers and staff who manage many certificates for entire subdomains should review distributed administration and automation instructions and resources before completing the CSU InCommon Certificate Admin Account Request form.
Additional Resources
Intermediate SSL Certificates
Most Certificate Authorities today protect their root certificate by only signing a few certificates. These “intermediate” certificates are then used to sign individual server certificates, thus protecting the root certificate from compromise through excessive use.
What do I do with an intermediate certificate?
Both the Root CA certificate and the Intermediate certificate should be installed on the server, along with the server certificate that was created with the Certificate Signing Request.
What does a client’s web browser do with an intermediate certificate?
When the browser requests a page protected by SSL, the server presents the “trust path” which describes the chain of signing relationships from the server through the intermediate to the root. If all three certificates are on the server, AND the root certificate is trusted by the client (if it is “in the browser”), AND the public keys embedded in the certificates match the public keys contained in the browser’s list, THEN the browser happily authenticates the server.
The chain of trust for basic InCommon/Sectigo SSL certificates uses the InCommon RSA Server CA 2 intermediate certificate:
- USERTrust RSA CA (the root, expires in January 2038, may also be shown as USERTrust RSA Certification Authority)
- InCommon RSA Server CA 2 (the intermediate, expires in November 2032)
- End-Entity Certificate (your server)
How do I install an intermediate certificate?
The installation process will vary based on your operating system and web server software; in some cases you may receive a bundle that includes all three certificates in one file. Follow the installation instructions for your server.
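To see why the intermediate has to be installed alongside the server certificate, the following added example (not part of the original CSU or InCommon instructions) builds a throwaway three-level chain with the openssl command line and checks the trust path the way a client holding only the root would. The names "Demo Root CA", "Demo Intermediate CA" and www.example.edu are made up and stand in for USERTrust RSA CA, InCommon RSA Server CA 2 and your server; it assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> server chain.
# "Demo Root CA" / "Demo Intermediate CA" stand in for USERTrust RSA CA and
# InCommon RSA Server CA 2; www.example.edu is a made-up host name.

# issue NAME SUBJECT EXTFILE SERIAL [ISSUER]: create NAME.key and NAME.pem in $d,
# self-signed when ISSUER is omitted, otherwise signed by ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null || return 1
    if [ -n "${5:-}" ]; then
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$5.pem" -CAkey "$d/$5.key" \
            -set_serial "$4" -days 30 -extfile "$3" -out "$d/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" \
            -set_serial "$4" -days 30 -extfile "$3" -out "$d/$1.pem" 2>/dev/null
    fi
}

# build_chain DIR: write root, int and leaf certificates into DIR.
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.edu\n' > "$d/leaf.ext"
    issue root "/CN=Demo Root CA" "$d/ca.ext" 1 &&
    issue int "/CN=Demo Intermediate CA" "$d/ca.ext" 2 root &&
    issue leaf "/CN=www.example.edu" "$d/leaf.ext" 3 int
}

# chain_verifies ROOT LEAF [INTERMEDIATE]: exit 0 if LEAF chains to ROOT.
# ROOT is the only trusted cert (the browser's store); INTERMEDIATE is passed
# as untrusted, which is the role of the chain the server sends.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

tmp=$(mktemp -d) && build_chain "$tmp" || echo "openssl failed to build demo chain"
chain_verifies "$tmp/root.pem" "$tmp/leaf.pem" ||
    echo "server cert alone: NOT trusted (intermediate missing)"
chain_verifies "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/int.pem" &&
    echo "server cert + intermediate: trusted"
rm -rf "$tmp"
```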