Information Security

InCommon Certificate Request Procedures

Last modified 1/31/2024

The Information Security Office fulfills requests for SSL/TLS certificates. The procedures below should be followed for requesting, renewing, and revoking SSL/TLS certificates.

Procedures

Individual procedures exist for requesting, renewing, and revoking SSL/TLS certificates.

New Common Name Certificate Request Procedure

  • Request Process

  1. The requesting team requires a new SSL/TLS certificate.
  2. The requesting team (or vendor on behalf of department) generates a new Certificate Signing Request (CSR) from the system requiring the certificate. 

    • CSR Procedure

    1. Log into the system requiring the certificate.
    2. Complete CSR and key generation:
      1. For Linux with OpenSSL, run the following OpenSSL command, replacing the placeholder file names NAME_YOUR_KEY.key and NAME_YOUR_REQUEST.csr with your own:
        1. openssl req -new -newkey rsa:2048 -nodes -keyout NAME_YOUR_KEY.key -out NAME_YOUR_REQUEST.csr
      2. For Windows with IIS (steps may differ for old IIS versions):
        1. Open Internet Information Services (IIS) Manager.
        2. In the middle panel, double-click Server Certificates.
        3. In the Actions panel on the right, click Create Certificate Request.
      3. For all other platforms and software, check the knowledge articles provided by the vendor for specific steps to generate a CSR.
    3. Complete the certificate fields:
      1. Common Name: Enter the fully-qualified domain name, such as "mydomain.ilstu.edu"
      2. Organization: Illinois State University
      3. Organization Unit: Leave blank
      4. City or Locality: Normal (may be different if using a vendor)
      5. State or Province: Illinois (may be different if using a vendor)
      6. Country: US
    4. Optionally add a password/passphrase.
    5. If using Windows with IIS, complete the following extra steps:
      1. For Cryptographic service provider, select Microsoft RSA SChannel Cryptographic Provider.
      2. For Bit length, select 2048, and then click Next.
      3. Name the CSR, and then click Finish.

  3. The requesting team completes the Certificate Request Form on the Information Security Office website. The form will generate a ticket for the ISO.
  4. The Information Security Office reviews the request and fulfills the request by requesting a certificate from the certificate authority.
  5. Upon certificate generation, the certificate manager creates a ticket with instructions to pick up the certificate in the ticket queue of the requesting team.
    1. In the absence of an email-to-ticket address, a ticket will instead be sent to the Technology Support Center (TSC) for Tech Solutions (TS) or a department mailbox/alias for other departments.
  6. The Information Security Office closes the Cherwell certificate request.
  7. A member of the requesting team must download the certificate or certificate chain from the auto-generated ticket or email.
  8. The requesting team (or vendor) installs the certificate on the appropriate system(s). Consult the documentation for your system.
  9. The requesting team closes Cherwell tickets.
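The OpenSSL step of the CSR Procedure above, as an added example that is not part of the ISO's procedure: it runs the same command non-interactively with the subject fields the request form requires, then checks the resulting CSR before it is submitted. The host name mydomain.ilstu.edu is the page's sample value; the file names and the check function are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the ISO's own tooling): generate the CSR with the form's
# subject fields supplied on the command line, then verify it before submitting.
set -eu

# Subject values from the procedure; Organizational Unit is deliberately omitted.
CSR_ORG="Illinois State University"
CSR_LOCALITY="Normal"
CSR_STATE="Illinois"
CSR_COUNTRY="US"

# make_csr FQDN KEYFILE CSRFILE
# Same as the page's "openssl req -new -newkey rsa:2048 -nodes ..." command,
# with -subj supplied so nothing is typed at prompts. -nodes leaves the key
# unencrypted, so the file is restricted to its owner right away.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -subj "/C=$CSR_COUNTRY/ST=$CSR_STATE/L=$CSR_LOCALITY/O=$CSR_ORG/CN=$1" \
    2>/dev/null
  chmod 600 "$2"
}

# csr_subject CSRFILE: prints the subject as one RFC 2253 string (CN first).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_key_bits CSRFILE: prints the RSA modulus size recorded in the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSRFILE FQDN: succeeds only if the self-signature verifies, the
# subject matches the form's fields for this host, and the key is 2048-bit.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  expected="CN=$2,O=$CSR_ORG,L=$CSR_LOCALITY,ST=$CSR_STATE,C=$CSR_COUNTRY"
  [ "$(csr_subject "$1")" = "$expected" ] || return 1
  [ "$(csr_key_bits "$1")" = "2048" ]
}

# Demo with the page's sample host name; use your real FQDN in practice.
work=$(mktemp -d)
make_csr "mydomain.ilstu.edu" "$work/NAME_YOUR_KEY.key" "$work/NAME_YOUR_REQUEST.csr"
if check_csr "$work/NAME_YOUR_REQUEST.csr" "mydomain.ilstu.edu"; then
  echo "CSR matches the request form; submit $work/NAME_YOUR_REQUEST.csr"
else
  echo "CSR does not match the request form; regenerate it" >&2
fi
```

The private key written by make_csr stays on the requesting system; only the .csr file is attached to the Certificate Request Form.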

Existing Certificate Renewal Procedure

  • Renewal Procedure

  1. An SSL/TLS certificate was previously requested and issued as part of a New Common Name Certificate Request or Existing Certificate Renewal Request.
  2. The issued certificate is within 45 days from expiration.
  3. A Cherwell ticket is automatically generated.
    1. In the absence of an email-to-ticket address, a ticket will instead be sent to the Technology Support Center (TSC) for Tech Solutions (TS) or a department mailbox/alias for other departments.
  4. The requesting team evaluates the need for a renewal or revocation.
    1. If revoke is chosen, jump to the Revocation Procedure below.
  5. The requesting team (or vendor on behalf of department) generates a new Certificate Signing Request (CSR) from the system requiring the certificate. 

    • CSR Procedure

    Follow the CSR Procedure given under the New Common Name Certificate Request Procedure above; the steps are identical for a renewal.

  6. The requesting team notifies the Information Security Office of the decision to renew no later than 15 days before certificate expiration by completing the Certificate Request Form on the Information Security Office website. The form will generate a ticket for the ISO.
  7. The Information Security Office reviews the request and fulfills the request by requesting an InCommon certificate.
  8. Upon certificate generation, the certificate manager emails a link to pick up the certificate to the Cherwell queue of the requesting team.
    1. In the absence of an email-to-ticket address, a ticket will instead be sent to the Technology Support Center (TSC) for Tech Solutions (TS) or a department mailbox/alias for other departments.
  9. The Information Security Office closes the renewal ticket.
  10. A member of the requesting team must download the certificate or certificate chain from the auto-generated ticket or email.
  11. The requesting team (or vendor) installs the certificate on the appropriate system(s). Consult the documentation for your system.
  12. The requesting team closes the Cherwell ticket, if generated.

Note that the Information Security Office will contact the department if no notification has been received 30 days before certificate expiration; the ISO receives an automatically generated ticket at that point. After the department is contacted, this procedure resumes at Step 4.

Certificate Revocation Procedure

  • Revocation Procedure

  1. The department requires that an SSL/TLS certificate be revoked.
  2. The requesting team notifies the Information Security Office of the decision to revoke no later than 15 days before certificate expiration by completing the Certificate Request Form on the Information Security Office website. The form will generate a ticket for the ISO.
  3. The Information Security Office reviews the request and fulfills the revocation request.
  4. The Information Security Office revocation ticket is closed.
  5. The requesting team closes the automatically-generated Cherwell revocation receipt ticket.

New Code-Signing Certificate Procedure

  • Code-Signing Procedure


YubiKey Requirement

Code-signing certificates must be provisioned onto a YubiKey 5 FIPS. Sectigo publishes instructions for using code-signing certificates with YubiKeys: https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey/kA03l000000roEV.

  1. The requesting team requires a new code-signing certificate.
  2. The requesting team completes the Certificate Request Form on the Information Security Office website. The form will generate a ticket for the ISO.
  3. The Information Security Office reviews the request and fulfills the request by generating a certificate.
  4. Upon certificate generation, the certificate manager emails a link to pick up the certificate to the Cherwell queue of the requesting team.
    1. In the absence of an email-to-ticket address, a ticket will instead be sent to the Technology Support Center (TSC) for Tech Solutions (TS) or a department mailbox/alias for other departments.
  5. A member of the requesting team must download the certificate from the auto-generated ticket or email.
  6. The requesting team closes the Cherwell ticket, if generated.

Further Reading

InCommon Certificate Request Processes

Certificate Request Forms