Skip to main content

System Status: 

  1. Home
  2. Technology
  3. Security
  4. Services
  5. Digital Certificates
  6. InCommon Certificate Enrollment

InCommon Certificate Enrollment

Last Updated: February 16, 2024 9:48:26 AM PST
Give feedback

Learn how to request an InCommon Digital Certificate.

This page contains instructions for submitting a Certificate Signing Request (CSR) via the InCommon Certificate Service self-service web site. InCommon also provides a generic End User SSL Guide (PDF).

Before you begin

Ensure the request meets all of the requirements (login required) listed on the Digital Certificates page (login required).

Information you will need

  1. A ucsd.edu group e-mail address (login required) to associate with the certificate request.
    Note: A group mail alias or role e-mail account should be used to ensure delivery in the event of personnel changes. The requesting group email must match the contact information in hostmaint/Infoblox.
  2. Certificate Type (login required).
  3. Certificate Signing Request (CSR) (login required).
  4. Name of the server software that will use the certificate (e.g. Apache/ModSSL, Citrix, Microsoft IIS 5.x and later, Tomcat, etc.).
  5. Certificate term length (also known as Validity Period): 1 year or 2 years.
  6. A(n optional) pass-phrase: A secret word or words known only to you.
  7. The Access Code: triton
    Note: This access code is only for the ucsd.edu domain.
  8. Enrollment Account: Leave this entry blank.

Refer to the Digital Certificates page (login required) for requirements.

Enrollment and collection of your certificate

This step-by-step guide will explain how to enroll for and download your client certificate:

Enrollment by access code

  1. Open the InCommon Certificate Manager SSL Enrollment web portal
    Note: Your web browser must have JavaScript enabled for the InCommon Certificate Manager to work correctly.
  2. Access Code: Enter the access code, triton
  3. Email: Enter the group e-mail address to be associated with the certificate request
    • Notices for request status, issued certificates and certificate expiration warnings will be sent to this address.
    • A group mail alias or role e-mail account should be used to ensure delivery in the event of personnel changes.
  4. Click on the CHECK ACCESS CODE button to open the SSL Enrollment submission form.

Enrollment submission form

Note: Form field names followed by a * red asterisk are required.

  1. Select the desired certificate type from the Certificate Type: drop-down menu.
    • The default is InCommon SSL (SHA-2) (for a single domain).
    • You must select the correct certificate type first before entering the CSR so that all of the correct form fields are displayed. For example, selecting certificate type InCommon Multi Domain SSL (SHA-2) will add a Subject Alternative Names: field to the form.
  2. Select the desired term from the Certificate Term: drop-down menu.
  3. Select the server software from the Server Software: drop-down menu.
    • If the desired server software is unknown or unlisted, select OTHER.
    • This selection only affects the "Enrollment Successful" e-mail message, not the certificate contents.
  4. Enter the Certificate Signing Request (CSR) via one of the following methods:
    • Paste the entire contents of the CSR into the CSR: box, or
    • Click on the UPLOAD CSR button and upload the CSR file.
  5. The Common Name: box should automatically populate after the CSR has been entered into the CSR: box. If this box is blank, click the GET CN FROM CSR button. Check that the correct Common Name for your host is displayed.
  6. If the selected certificate type also provides a Subject Alternative Names: box:
    • Review the requirements for Subject Alternative Names (login required).
    • The Subject Alternative Names: box should automatically populate IF the CSR contains Subject Alternative Names.
    • Additional or missing Subject Alternative Names may be manually typed into the Subject Alternative Names: box (comma separated with no spaces between names).
    • Always include the Common Name in the list of Subject Alternative Names. When a certificate contains Subject Alternative Names data, client software will only use the Subject Alternative Names field and ignore the Common Name field.
    • IP address Subject Alternative Names must be entered manually. The CSR keyword IP Address= is not processed by the InCommon Certificate Manager at the time of this writing.
  7. Enter a pass-phrase into the Pass-phrase: box.
  8. Enter the same pass-phrase into the Re-type Pass-phrase: box.
  9. Optional: If you are requesting this certificate on behalf of someone else and you want that person to also receive all of the certificate request notification emails, enter that person's UC San Diego e-mail address in the External Requester: box.
  10. Enter your primary UCSD e-mail address into the Comments: box. UC San Diego best practices require a group email for the requester address because of the frequency of change of individual accounts. Please submit with a group address as the requester. External Requester can be an individual.
    • You may enter other relevant information.
    • For VMware vSphere certificates, enter the OU value desired.
  11. Review each of the above for correctness.
  12. Click the ENROLL button to submit the SSL enrollment request.
  13. A message acknowledging your submission will be sent to the e-mail address associated with the certificate request. The subject in this email will be "AWAITING APPROVAL: InCommon SSL certificate for (CommonName)", where CommonName is replaced by the value of the Common Name (CN) in the certificate.

Approval process

The approval process has two stages:

First, a UC San Diego representative approves the request.

  • All sdsc.edu Common Name certificates are processed only by SDSC staff. Contact hostmaster@sdsc.edu.
  • All other Common Name certificates are processed by ITS Network Security. A team member processes pending requests twice daily on normal business days – once in the morning and once in the afternoon.
  • When the request is approved, a message will be sent to the e-mail address associated with the certificate request. The subject in this email will be "SSL Certificate Request for CommonName approved", where CommonName is replaced by the value of the Common Name (CN) in the certificate.

Second, the Certification Authority completes the certificate enrollment.

  • Comodo, the Certification Authority behind the InCommon Certificate Service, can take up to 24 hours to issue a certificate.
  • After Comodo has completed the enrollment process, a message will be sent to the e-mail address associated with the certificate request. The subject in this email will be "Enrollment Successful - Your SSL certificate for CommonName is ready", where CommonName is replaced by the value of the Common Name (CN) in the certificate.
  • If the "Enrollment Successful" message is not received 24 hours or more after the "SSL Certificate Request for" message was sent, notify ITS Network Security. Notify us by forwarding the "SSL Certificate Request for" message  to pki-certs@ucsd.edu; be sure to include a note about the delay in the email,

Collecting the certificate

The "Enrollment Successful" message will contain download links to the issued certificate and the Certification Authority Root and Intermediate Certificates (login required).

The files generated will be named like the following:

  • Certificate: CommonName_cert.cer (e.g. mywebserver_ucsd_edu_cert.cer)
  • CA Root and Intermediate Certificates (bundled into a single file): CommonName_interm.cer (e.g. mywebserver_ucsd_edu_interm.cer)
For more information, contact pki-certs@ucsd.edu.