Tip: InCommon Certificate Service SSO and MFA Available

The use of single sign-on and multifactor authentication for accessing the Comodo Certificate Manager is available to any subscriber that also operates an Identity Provider in the InCommon Federation. See this wiki page for details.

This is a list of frequently asked questions (FAQ) about the InCommon Certificate Service. See the excellent CA/Browser Forum FAQ for answers to more general questions.

Table of Contents

General Questions

What is the InCommon Certificate Service?

...

Is Shibboleth a requirement for using the Certificate Service?

Not at the moment, but you will find it much more secure and convenient to take advantage of the SSO/MFA feature for accessing the Certificate Manager (CM).

Why is InCommon membership required for participation?

...

  1. SSL/TLS Certificates
    1. Organizational Validation (OV) SSL/TLS Certificates
      • includes wild-card certificates
    2. Extended Validation (EV) SSL/TLS Certificates
      • issued directly by Comodo and subject to Comodo's domain vetting processes, terms and conditions, and CPS, but at no extra charge beyond the base InCommon certificate service fee
  2. Client Certificates
    1. Standard Assurance Client Certificates
      • three key usage types: signing-only, encryption-only, and dual-use
      • a centralized key escrow service is available at no extra charge
    2. Code-signing Certificates
      • not yet available

Are there 1024-bit certificates? What about my current 1024-bit certs?

For security reasons, we no longer issue certificates with 1024-bit keys. Comodo will no longer accept Certificate Signing Requests generated with keys shorter than 2048 bits. Existing certificates with 1024-bit keys may be used until they expire (but at your own risk, of course).

Can I have my own private label CA?

Yes, private label CAs for user certificates are available under our agreement with Comodo. Intermediate CAs are hosted by Comodo, but with campus-specific names, profiles, and practice statements (if desired). They are available to subscribers who desire this functionality for an additional cost. The fees for this service are $3500 for the first year and $2400 in subsequent years.

InCommon does not offer intermediate CAs hosted by members or third parties other than Comodo.

...

This functionality is anticipated for a later release of the program based upon demand from the InCommon community. Our agreement with Comodo allows for cross-signing of other CAs at an additional cost.

Can I use single sign-on to access the Comodo Certificate Manager?

Yes, if your organization has an identity provider in the InCommon Federation (you can check here), then your RAOs and DRAOs can use SSO.  In addition, Multifactor Authentication is required for RAOs to use SSO.

Questions about SSL/TLS Certificates

...

Be wary of using a browser to test your server configuration. Some browsers (such as Firefox) store intermediate CA certificates received from other servers in the browser's certificate store, so unless you're careful, you may be tricked into believing your server is configured correctly (that is, sending the full intermediate chain) when in fact it's not. OpenSSL's s_client neither caches intermediates nor fetches missing ones: it validates using only what your server sends plus the trust store you give it. Use it to definitively test your server configuration:

Code Block

openssl s_client -connect server:port -CApath /etc/ssl/certs/

If the client machine does not have an /etc/ssl/certs/ directory, download the AddTrust External CA Root certificate, and try the following command instead:

Code Block

openssl s_client -connect server:port -CAfile AddTrustExternalCARoot.crt

In either case, look for "Verify return code: 0 (ok)" at the end of the output. If certificate validation succeeds, you know your server is sending a complete chain. A non-zero code such as 21 (unable to verify the first certificate) usually means the intermediate CA certificate is missing from the server configuration. Let's try a specific example:

Code Block

$ openssl s_client -connect www.incommon.org:443 -CAfile AddTrustExternalCARoot.crt
--- 
Certificate chain
 0 s:/C=US/postalCode=48104/ST=MI/L=Ann Arbor/street=1000 Oakbrook Drive, suite 300/O=InCommon CA/OU=PlatinumSSL/CN=www.incommon.org
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
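The check above can be scripted so that it is run the same way every time a server is (re)configured. The following is an added example and is not part of the InCommon FAQ or of Comodo's tooling: it drives openssl s_client (assumed to be on the PATH) and parses the "Certificate chain" and "Verify return code" lines it prints, checking that each certificate's issuer is the subject of the next certificate the server actually sent and that the chain ends at a trust anchor you hold locally, so a browser-cached intermediate cannot hide a gap. The two sample outputs embedded in the block are constructed in the format s_client prints (with abbreviated subject names), not captured from a live server; the function names, the hypothetical host www.example.edu, and the trust-anchor set are assumptions of the example.

```python
"""Check the certificate chain a TLS server really sends, independently of any
intermediates a browser may have cached.

Added example, not code from the InCommon FAQ. Assumes `openssl` is on PATH.
"""
import re
import subprocess

# Subject DN of the root we trust locally, as openssl prints it (assumption:
# matches the AddTrust External CA Root file given to -CAfile).
TRUST_ANCHORS = {
    "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root",
}

# Constructed sample 1: a server sending leaf + intermediate; verification ok.
GOOD_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=InCommon CA/CN=www.incommon.org
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
    Verify return code: 0 (ok)
---
"""

# Constructed sample 2: a misconfigured server (hypothetical host) that sends
# only its own certificate. A browser with the intermediate cached would still
# show a padlock; openssl cannot build the chain and reports code 21.
BAD_OUTPUT = """\
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/O=InCommon CA/CN=www.example.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""


def run_s_client(host, port, cafile=None, capath=None):
    """Run openssl s_client once and return its combined stdout and stderr.
    -servername sends SNI so a name-based virtual host returns the right cert;
    stdin is closed at once so s_client exits right after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cafile:
        cmd += ["-CAfile", cafile]
    if capath:
        cmd += ["-CApath", capath]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def parse_chain(output):
    """Return (subject, issuer) pairs from the 'Certificate chain' section,
    in the order the server sent them (depth 0 first)."""
    chain = []
    m = re.search(r"Certificate chain\n(.*?)\n---", output, re.S)
    if not m:
        return chain
    subject = None
    for line in m.group(1).splitlines():
        line = line.strip()
        if re.match(r"\d+ s:", line):
            subject = line.split("s:", 1)[1]
        elif line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:]))
            subject = None
    return chain


def verify_return_code(output):
    """Return (code, reason) from the final 'Verify return code' line."""
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def analyze(output, trust_anchors):
    """A chain is complete when every issuer is the subject of the next
    certificate sent, the last issuer is a local trust anchor, and openssl
    itself reported code 0. Cached browser intermediates play no part here."""
    chain = parse_chain(output)
    problems = []
    if not chain:
        problems.append("no certificate chain in output")
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"gap: {subj!r} is issued by {issuer!r}, which was not sent next")
    if chain and chain[-1][1] not in trust_anchors:
        problems.append(f"chain ends at {chain[-1][1]!r}, which is not a local trust anchor")
    code, reason = verify_return_code(output)
    if code != 0:
        problems.append(f"openssl verify return code {code} ({reason})")
    return {"depth": len(chain), "complete": not problems, "problems": problems}


if __name__ == "__main__":
    import sys
    # Usage: python check_chain.py host port AddTrustExternalCARoot.crt
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(analyze(run_s_client(host, port, cafile=cafile), TRUST_ANCHORS))
```

Run it against a host and the same root file you pass to -CAfile; the report lists each gap separately, so a server that sends the leaf but omits the InCommon Server CA intermediate is flagged even if your own browser happens to show a padlock for it.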

...