Skip to main content

Quick Reference Guide

General Questions

Departmental Registration Authority Officer (DRAO) Questions

General Questions

How many different certificate types are supported?

The InCommon SSL Certificate Service makes the following products available:

Who is the Departmental Registration Authority Officer (DRAO) for my school or administrative unit?

Refer to the list of DRAOs to find contact information for the person(s) responsible for administering SSL Certificate requests for your area.  Each University school or administrative unit is allowed a maximum of two DRAO’s.

I don't have a Departmental Registration Authority Officer (DRAO) assigned to my school or administrative unit.  Who do I contact?

If a DRAO is not listed for your school or administrative unit, contact the Northwestern IT Support Center with your request. Northwestern IT will attempt to work with the Technology Leader for your area to identify a DRAO designate.  If you do not have a DRAO and your server(s) is located in the University Data Center, please go to the next question.

My server(s) is located in the University Data Centers.  Who do I contact to manage my certificate requests?

Northwestern IT handles all SSL Certificate requests for a server(s) housed in the University Data Center.  Submit a support request to the Northwestern IT Support Center for processing.

Where can I find common troubleshooting support?

Technical support and troubleshooting is being provided by the vendor, Comodo, via Web support, e-mail, and telephone.
Choose from one of the following support options:

  1. Web Support
  2. E-mail support (available 24x 7)
    • support@comodo.com
    • A support ticket is created automatically from the e-mail if you are a registered user.
    • An auto responder replies to the request with the corresponding ticket number or, if you are not a registered user, a request to register.
  3. Telephone support (available Monday through Friday, 4 AM to 8 PM Eastern)
    • (703) 637-9361
    • Select Option 1 - Enterprise Solutions Support, then select Option 2 - Certificate Manager or Digital Certificate Support
Where can I submit my Certificate Signing Request (CSR)?

Contact your appropriate Departmental Registration Authority Officer (DRAO) for CSR processing details. Depending on your department, server owners may be able to self-enroll for certificates.  View the InCommon SSL Certificate request workflow (jpg).

Why am I getting the error message "Unable to read the CSR.  Please try again or contact support" when I try to submit my Certificate Signing Request (CSR)  to the InCommon Certificate Service?

You must use at least a 2048-bit key when generating your CSR. If you comply with this requirement, then something else may have occurred during the CSR creation to cause the error.  Please see the Comodo Knowledge Base for assistance.

What kind of turnaround time can I expect?

While most requests can be met within 24 hours, the vendor guarantees a 48-72 hour turnaround time on all requests. Therefore, please plan accordingly. Certificates are not issued outside of normal business hours.

Where can I re-download my certificate?

Go to https://cert-manager.com/customer/InCommon/ssl?action=download

You will be prompted for:

Where can I request a revocation of my certificate?

To request a revocation of your certificate, you must contact the Departmental Registration Authority Officer (DRAO) for your school or administrative department for certificate revocation. Refer to the list of DRAOs to find the representative for your area.

Will I receive certificate expiration notices?

Yes. You will receive an auto-generated e-mail from the InCommon Certificate Services Manager 60 days prior to the certification expiration date. If no action is taken, additional e-mails will be sent 30 days and 10 days prior to the expiration date and daily for five days prior to the certificate expiration date. 

What are Wildcard certificates?  

A Wildcard SSL Certificate secures your Web site URL and an unlimited number of its sub-domains. The Wildcard SSL Certificate works the same way as a regular SSL certificate and undergoes the same validation processes.

The difference is that the Wildcard SSL Certificate extends to all of the sub-domains of your domain that you want to secure.

Are there any restrictions on the use of Wildcard certificates?

Yes. Wildcard certificates, when compromised by attackers, have the potential to be far more damaging to Northwestern than standard SSL certificates, since they could be used to spoof any host in the domain of the Wildcard. Placing copies of the Wildcard certificates and their accompanying keypairs on multiple machines also increases the attack surface of the certificates.

Therefore, the following restrictions apply:

What is an "Intermediate" Certificate?

An intermediate certificate is the certificate(s) that go between your site (server) certificate and a root certificate. The intermediate certificate(s) completes the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

Which domains are eligible for certificates?

All hostnames within the northwestern.edu domain are eligible for certificates through the InCommon agreement.

Can I get a certificate for a host in a non-northwestern.edu domain?

To ensure the University's compliance with the InCommon agreement, requests for certificates outside of northwestern.edu domains are subject to extra vetting and approval, by both the University and possibly InCommon.

To begin, contact your Departmental Registration Authority Officer requesting the domain to be added.  Northwestern IT will work with your DRAO to validate your domain with InCommon. After the domain is validated, you can then request a certificate for a host in that domain through the normal channel.

Do I have to use this service to request SSL Certificates?

No. Although University schools and administrative units are encouraged to take advantage of the unlimited SSL Certificate service sponsored by Northwestern IT, these groups may use other Certificate Authorities (CA) for issuing SSL Certificate(s), if desired. 

You can find the Northwestern IT-recommended CAs listed in Appendix B of the Server Certificate Policy.

Can I get a developer (code-signing) certificate to sign my nifty-keen Java applets or ActiveX controls?

Yes. Send email to the Northwestern IT Support Center at consultant@northwestern.edu with your department name as you would like it to appear in the OU field of the certificate, and an email address where an invitation to enroll will be sent. This email address will be included as a subjectAltName in the certificate, so it should probably reflect an departmental rather than a personal account.

Northwestern IT will request the invitation, which will be sent to the email address you provided. The invitation will include a link to page that will generate a private key and send a certificate request to InCommon. When the certificate is ready, you will receive another email with a link to pick it up. Be sure to use the same browser to pick up the certificate as you did to request it. Once you have picked up the cert, you can export the cert and private key if you want to use it on another computer.

All certs will have an Organization field of "Northwestern University," which is what most browsers will prompt with when asking users if they want to run your applet or control.

NOTE: Do NOT use the Chrome browser to request a code-signing cert. You will not be able to install the issued certificate. Use Firefox or IE instead. If using IE11, you may need to set cert-manager.com to use Compatibility View.

Where can I find additional support?

If you are experiencing difficulty accessing the InCommon Certificate Service, contact the Northwestern IT Support Center at 847-491-HELP (4357) or www.it.northwestern.edu/supportcenter/ for more support options.

Departmental Registration Authority Officer (DRAO) Questions

Where can I find support for the InCommon Certificate Service Manager Web interface?

Support options are available for administrative users (DRAOs) for the InCommon Certificate Service Manager (CSM) Web interface.

Choose from one of the following support options:

  1. Online Demos
  2. Consult the Administrator Guide before submitting a support ticket.
  3. E-mail support (available Monday through Friday, 4 AM to 8 PM Eastern)
  4. Telephone support (available Monday through Friday 4 AM to 8 PM Eastern)
    • Caller must be listed as a DRAO for InCommon.
    • (888) 256-2608
    • Select Option 1 - Enterprise Solutions Support, then select Option 2 - Certificate Manager or Digital Certificate Support

Any issues not covered by these support options should be directed to the inc-cert@incommon.org e-mail list. To join this list, send an e-mail to sympa@incommon.org with the following in the subject line: sub inc-cert FirstName LastName.

Will I receive certificate expiration notices?

Yes.  As a courtesy, you will receive an auto-generated e-mail from the InCommon Certificate Services Manager 60 days prior to a certification’s expiration date.  If no renewal action is taken by the certificate owner, you will receive another e-mail 10 days prior to the expiration date.

Will I receive certificate approval request notices?

Yes. As a DRAO, if you allow self-enrollment for your area, Approval Request notices will be sent via e-mail to all listed DRAOs for your department or administrative unit.

Where can I find additional support?

If you are experiencing difficulty accessing the InCommon Certificate Service, contact the Northwestern IT Support Center at 847-491-HELP (4357) or Submit a Support Request.

Last Updated: 25 April 2017

Get Help Back to top