InCommon Certificates

Since 2008, CSU has been a member of the InCommon Federation, an organization of participating institutions which provides global cloud-based and local collaboration tools to connect millions of users and hundreds of educational institutions, research organizations, and commercial resource providers.

See Colorado State University’s Participant Operation Practices (2008) and In Common: Federation Operating Practices and Policies (2018) for more information.

Steps to Request and Install InCommon Certificates

Request and install an InCommon SSL (TLS) Certificate on your web server or application to encrypt communications between users and your web server, keep user data private and secure, document website ownership, and build user trust.

If you’re familiar with the request process, click the link below to fill out the InCommon Request form directly. For a detailed explanation of the full certificate process, please continue reading our step-by-step guide.

step 1
CSR Generation

Follow the instructions by Comodo to create a Certificate Signing Request (CSR) in your web server or application.

step 2
InCommon Certificate Request

Log in with your CSU NetID and complete the InCommon Certificate Request form, which validates the CSR and sends the CSR details and your contact information to the CSU Certificate Administrators.

step 3
Certificate Issued

A CSU Certificate Administrator will submit your CSR to the InCommon Federation Manager. Certificates are usually requested, issued, and sent via email within 24 hours.

step 4
Download Certificate

Look for an email message from the Certificate Services Manager that your certificate is ready. Click the appropriate link to download your certificate.

step 5
Install Certificate

Follow the instructions by Comodo to install the certificate onto your web server or application.

step 6
Check Configurations

Check the configuration of your web server, including the security of your certificate installation, with the GlobalSign SSL Server Test. Results include a letter grade and links to explain and fix issues.

Automating the Certificate Lifecycle

In March 2023, Google announced its intention to limit TLS certificate validity to 90 days. Sectigo and InCommon have also indicated that automating certificate lifecycle management is becoming essential for efficiency, integrity, security, and regulatory compliance.

The CSU Division of IT encourages college and division IT managers to develop plans to consistently automate certificate management in their departments. The Division is also delegating certificate administration by providing Department Registration Authority Officer (DRAO) accounts in the InCommon Certificate Manager upon request.

IT managers and staff who manage many certificates for entire subdomains should review distributed administration and automation instructions and resources before completing the CSU InCommon Certificate Admin Account Request form.

Additional Resources

Intermediate SSL Certificates

Most Certificate Authorities today protect their root certificate by only signing a few certificates. These “intermediate” certificates are then used to sign individual server certificates, thus protecting the root certificate from compromise through excessive use.

  • What do I do with an intermediate certificate?

    Both the Root CA certificate and the Intermediate certificate should be installed on the server, along with the server certificate that was created with the Certificate Signing Request.

  • What does a client’s web browser do with an intermediate certificate?

    When the browser requests a page protected by SSL, the server presents the “trust path”, which describes the chain of signing relationships from the server certificate through the intermediate to the root. If all three certificates are on the server, AND the root certificate is trusted by the client (that is, it is “in the browser”), AND the public keys embedded in the certificates match the public keys contained in the browser’s list, THEN the browser happily authenticates the server.

    The chain of trust for basic InCommon/Sectigo SSL certificates uses the InCommon RSA Server CA 2 intermediate certificate:

    • USERTrust RSA CA (the root, expires in January 2038, may also be shown as USERTrust RSA Certification Authority)

  • How do I install an intermediate certificate?

    The installation process will vary based on your operating system and web server software; in some cases you may receive a bundle that includes all three certificates in one file. Follow the installation instructions for your server.
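
The trust path described above can be reproduced locally. This added example (not from CSU, InCommon, or Sectigo) builds a throwaway root, intermediate, and server certificate with the OpenSSL command line and shows that a client trusting only the root rejects the server certificate unless the intermediate is supplied. All names are constructed, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway root -> intermediate -> server chain.
# All names (Demo Root CA, www.example.test) are made up for illustration.

# issue NAME SUBJECT EXTFILE [ISSUER]: new key + CSR, signed by ISSUER
# (self-signed when ISSUER is omitted, as a root is).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_demo_chain() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    issue root "/CN=Demo Root CA" ca.ext &&
    issue intermediate "/CN=Demo Intermediate CA" ca.ext root &&
    issue server "/CN=www.example.test" leaf.ext intermediate
  )
}

# verify_server DIR [INTERMEDIATES]: the client trusts only root.pem; the second
# argument stands for whatever intermediates the server sends in the handshake.
verify_server() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d)
if build_demo_chain "$demo_dir"; then
  if verify_server "$demo_dir"; then echo "server cert alone: trusted"
  else echo "server cert alone: REJECTED (issuer not found)"; fi
  if verify_server "$demo_dir" "$demo_dir/intermediate.pem"; then echo "with intermediate: trusted"
  else echo "with intermediate: REJECTED"; fi
fi
rm -rf "$demo_dir"
```

The rejected case is what a strict client sees when a server is configured with only its own certificate and omits the intermediate.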