SSL Certificate Administration FAQ
(See also InCommon's Cert FAQ, which includes browser/device support lists.)
My server has multiple names (a “real” name, and aliases). Which one should I enter as the “commonName” or CN?
To prevent client browser warnings, you should use the name that viewers (and any links that refer to the site) will actually be using.
If your server has more than one name (e.g. "www.dept.umn.edu" and "dept.umn.edu") that people might access in a web browser, you can request a Multi-Domain certificate. This allows you to list additional valid server names as subjectAlternativeNames in your certificate, which browsers will treat as valid.
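As an added example (not part of the original FAQ or any University tooling), this Python script checks, before a request is submitted, which of the names visitors use would not be covered by the DNS names planned for the certificate. It goes slightly beyond the text by also handling a wildcard entry; the function names and the wildcard value are assumptions made for illustration.

```python
# Added example: pre-request check of certificate name coverage.
# Browsers compare the hostname in the URL against the certificate's DNS
# subject alternative names; any name in use that no entry matches
# produces a warning.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS name entry from a certificate against a hostname."""
    # DNS names are case-insensitive; a trailing dot is the same name.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard is only honoured as the entire left-most label,
        # must sit above at least two further labels, and cannot
        # match an empty label.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(cert_dns_names, names_in_use):
    """Return the names in use that no certificate entry matches."""
    return [n for n in names_in_use
            if not any(name_matches(c, n) for c in cert_dns_names)]


if __name__ == "__main__":
    # The two names from the FAQ's example.
    in_use = ["www.dept.umn.edu", "dept.umn.edu"]
    plans = {
        "single name": ["www.dept.umn.edu"],
        "multi-domain": ["www.dept.umn.edu", "dept.umn.edu"],
        "wildcard (constructed)": ["*.dept.umn.edu"],
    }
    for label, names in plans.items():
        missing = uncovered(names, in_use)
        print(f"{label}: {'all covered' if not missing else missing}")
```

The wildcard case shows why the bare name still has to be listed: "*.dept.umn.edu" covers "www.dept.umn.edu" but not "dept.umn.edu".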
What other types of certificates are available?
Please send an email containing the following information to email@example.com to begin requesting a code signing certificate:
Your department’s name as you would like it to appear on the certificate
A departmental email address to be included with the certificate
All certs will have an Organization field of "University of Minnesota", which is what most browsers will prompt with when asking users if they want to run your applet or control.
Client Certificates (for use with encrypted email)
Email firstname.lastname@example.org to inquire about client certificates.
What types of certificates are not available?
Server Gated Cryptography (SGC) certificates, also known as SuperCerts, are not available. SGC certificates were made obsolete when the United States removed regulations limiting the export of cryptography from the United States to other nations.
We set up a web site named www.gopherbasketweavingrocks.com. Can we get an SSL certificate for it through this program?
We can add additional non-umn.edu domains to the program, provided the domain is registered to the University of Minnesota or one of its units. Send the domains you wish to issue certs for to email@example.com and we will request that they be added to our InCommon account. The InCommon admins will verify the registration information using WHOIS, and approve the delegation of the domain to us.
Once approved, you will need to confirm control of each domain. This process is called Domain Control Verification (DCV) and must be performed yearly to demonstrate that you continue to control the domain. There are currently three options to choose from:
Receive an email at the WHOIS contact for the domain, and follow the enclosed link to confirm approval.
Create a DNS CNAME record for a particular name in the domain with a particular target.
Host a text file at a particular HTTP or HTTPS URL with particular contents.
Once the DCV process has been completed, you will be able to request certificates under those domains.
If you have further questions about SSL certificates or PKI in general, send an email to firstname.lastname@example.org.