Navigation Links
Overview
Michigan State University participates in the InCommon Certificate Program, powered by Sectigo, to provide a low-cost security certificate (SSL) service to the University. Secure websites use encryption and authentication standards to protect the confidentiality of the connection and data. SSL is a protocol commonly used for Web security.
Return to Top
What is the InCommon Certificate Service?
The InCommon Certificate Service, created by and for the higher education community, provides unlimited SSL/TLS and client certificates for one low membership fee. IT Services has licensed this service in order to offer SSL certificates to campus departments free of charge. InCommon operates the Registration Authority to verify organizations and allows authorized officials to act on behalf of an institution for certificate issuance.
Return to Top
How do I request an SSL Certificate?
Network administrators can select the Request an SSL Certificate button at the right side of this article.
InCommon/Sectigo provides these types of certificates:
- Individual SSL Certificates;
- Multi Sub-domain SSL Certificates;
- Unified Sub-domain SSL Certificates;
- IGTF Server Certificates; and
- Filemaker Elite Certificates.
IT Services staff will process the requests within one business day. Standard requests are typically processed in 15 minutes from submission. Requests that are not part of the msu.edu sub-domain will need additional DCV processing. Certificates are approved locally at MSU and then are issued by InCommon/Sectigo email shortly after.
Return to Top
Can an individual department issue certificates?
This option has been migrated into the use of the service offering request process, eliminating the need for a departmental administrator to issue SSL certificates.
Return to Top
Are wild-card certificates available?
Traditionally, the primary advantage of wild-card certificates has been to allow a reduction of the number of certificates purchased. MSU offering certificates at no charge to departments is intended to allow departments to discontinue the use of wild-card certificates and have a much more secure network environment. Wildcard certificates violate the principle of least privilege and the Extended Validation Certificate Guideline and may not be used (NIST SC-17).
Return to Top
Can I get a multi-domain certificate? Can it handle Subject Alternative Names (SANs)?
Yes. Please specify the other domains desired when requesting the certificate in the comments section of the request.
Standard SSL Certificates secure only one Fully Qualified Domain Name. This is important to note, because if you wanted to secure both www.example.com and example.com a multi-domain certificate would be required. This is because they are considered two separate domains.
Multi-domain certificates are more secure than a wildcard certificate and they lower the overhead of deploying SSL by allowing other server names to be associated with the same single certificate.
Return to Top
How do I generate a Certificate Signing Request (CSR)?
Instructions pertaining to creating the CSR vary based on the servers OS. Sectigo Support does have some server OS steps listed here. Additional CSR instructions specific to your type of server and certificate requested are readily available on the Internet via search engines / vendor sites.
Return to Top
How do I install my certificate?
Information on how to install your certificate is available in the email received from InCommon/Sectigo. Additional install instructions specific to your type of server and certificate requested are readily available on the Internet via search engines / vendor sites. Steps on how to install the Intermediate or Root Certificate – Sectigo Support
Return to Top
How am I notified when my certificate is ready?
At least two notifications occur when you request an individual certificate. The first e-mail notification will let you know that the certificate request has been approved by MSU IT Services (your administrator). The second e-mail notification generally happens less than an hour or so later (could be up to 24 hours) when your certificate is ready for download from Sectigo.
The e-mail from Sectigo links to the InCommon Certificate Manager. Take the following steps to finalize issuance of your certificate:
- Click on Certificate Download.
- Enter the certificate ID included in the Sectigo e-mail.
- Select the desired format of the certificate.
- Download your certificate.
Return to Top