Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is a list of frequently asked questions (FAQ) about the InCommon Certificate Service. See the excellent CA/Browser Forum FAQ for answers to more general questions.

Table of Contents

General Questions

What is the InCommon Certificate Service?

...

Can I have my own private label CA?

Yes, private label CAs for user certificates are available under our agreement with Comodo. Intermediate CAs hosted are hosted by Comodo, but with campus-specific names, profiles, and practice statements , are (if desired).  They are available to members subscribers who desire this functionality for an additional cost.  The fees for this service are $3500 for the first year and $2400 in subsequent years.

InCommon does not offer intermediate CAs hosted by members or third parties other than Comodo.

...

Be wary of using a browser to test your server configuration. Some browsers (such as Firefox) will store intermediate CA certificates received from a server in the browser's certificate store, so unless you're careful, you may be tricked into believing your server is configured correctly when in fact it's not. To avoid this pitfall, use openssl to definitively test your server configuration:

{pre}openssl
Wiki Markup
Pre

openssl s_client

-connect

server:port

-CApath

/etc/ssl/certs/

{pre}

If the client machine does not have an /etc/ssl/certs/ directory, download the AddTrust External CA Root certificate, and try the following command instead:

{pre}openssl
Wiki Markup
Pre

openssl s_client

-connect

server:port

-CAfile

AddTrustExternalCARoot.crt

{pre}

In either case, if certificate validation succeeds, you know your server is configured correctly. Let's try a specific example:

Code Block

$ openssl s_client -connect www.incommon.org:443 -CAfile AddTrustExternalCARoot.crt
--- 
Certificate chain
 0 s:/C=US/postalCode=48104/ST=MI/L=Ann Arbor/street=1000 Oakbrook Drive, suite 300/O=InCommon CA/OU=PlatinumSSL/CN=www.incommon.org
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

...