This is a list of frequently asked questions (FAQ) for the InCommon Certificate Service.
The InCommon Certificate Service, created by and for the higher education community, provides unlimited server and personal certificates for one low membership fee. This includes unlimited SSL certificates, Extended Validation (EV) SSL certificates, client (or personal) certificates, and code signing certificates.
Please see the official fee schedule. Internet2 members receive a 25 percent discount.
Yes, both are included in the base price.
Any higher education institution with its primary location in the United States, who qualifies for a domain in the .edu name space, may subscribe, as well as not-for-profit regional research and education networking organizations in the United States. Subscribers must be InCommon participants or must join InCommon to be eligible for the Certificate Service.
Yes. You must join InCommon but you don't need to use the federated identity services.
No, but we are investigating using federated identity management to simplify access to the Certificate Services Manager.
The higher education community developed this service to reduce the cost of certificates. Because InCommon is a non-profit, community-driven organization, the primary drivers are to provide value and benefits to the subscribers (rather than providing profit for the certificate provider). The program offers unlimited certificates at one annual fee, which is expected to reduce the cost of certificates for many institutions.
Comodo is the certificate authority and InCommon has contracted with Comodo for the deep discounts made available to colleges and universities. As a commercial certification authority, Comodo has extensive knowledge of the marketplace and attractive features. Comodo has been operating a similar service with TERENA, the Trans-European Research and Education Networking Association. TERENA's positive association with Comodo, and its significant software development for the Comodo APIs, made this partnership attractive to InCommon and Internet2.
This program includes all certificates listed above. The program allows institutions to issue so-called wild-card certificates. A primary advantage of wild-card certificates has been to allow a reduction of the number of certificates purchased. Given that in this program there is no longer a price penalty for issuance of additional SSL certs, institutions may want to reconsider the use of wild-card certificates, as some security experts believe that such certificates reduce security due to the extra burden of managing private keys in multiple locations.
There is a Certificate Service Subscriber Agreement stored in our document repository. The Subscriber Agreement is an addendum to the InCommon Participation Agreement. InCommon participation is required to take advantage of the certificate service.
Any domains administered by the institution (e.g., a professional society with a .org domain or even a .com domain) can qualify, as long as the institution can prove that it is the administrative manager for that domain. The key requirement is that the institution be the administrator of record for these domains and organizations.
Initially, institutions are required to commit to participation for an initial term of three (3) years, with the cert service fee billed annually.
InCommon is wholly owned by Internet2, and Internet2 is providing the initial capital required to launch the program.
This program is an extension of the trust services already being provided and managed by InCommon, and will require InCommon resources, including staff time and effort. In particular, implementation of this program will take advantage of the Registration Authority (RA) already managed by InCommon for establishing the trust services structure with participants.
InCommon operates the Registration Authority, leveraging its current processes for verifying organizations and identity proofing officials authorized to act on behalf of an institution for certificate issuance. These individuals may be the same or different than the current InCommon administrators. It is expected that at each institution a small number of people (typically two or three) will be authorized to manage the overall institutional certificate program.
Once an institution authorizes individuals, they will deal directly with the Comodo CA (via either a GUI or the API) for requesting individual certificates. InCommon is, by design, not in the path of certificate issuance or revocation (or even in the path of authorizing second-level personnel), only the vetting of the top-level certificate program administrators and the domains they are authorized to administer.
Comodo offers both a GUI (called the Comodo Certificate Services Manager, CSM) and an API to their service for certificate issuance, management of second-level personnel and institutional policies for certificate structure, as well as support in matters such as certificate revocation.
The CSM is the web-based interface used to request and manage your certificates.
There are seven (7) profiles available to participants:
The initial release of this program does not provide this functionality, but this option is available under the agreement with Comodo. When the GUI for certificate life cycle management has the capability of supporting this option, it is anticipated that institution-based subordinate CAs (and campus-specific profiles and practice statements) will be made available to members who desire this functionality for an additional cost.
This functionality is anticipated for a later release of the program based on the demand from the InCommon community. The agreement with Comodo allows for cross-signing of other CAs at an additional cost.
<p><strong><a name="17" id="17"></a>17. What are the supported browsers, devices and application suite?</strong></p> <p>Extended Validation Browsers:<br> Microsoft Internet Explorer 7 +<br> Opera 9.5+<br> Firefox 3+<br> Apple Safari 3.2+<br> Google Chrome 1+<br> <br> Web Browsers: <br> Microsoft Internet Explorer 5.01 + <br> Mozilla Firefox 1.0+ <br> Opera 8.0+ <br> Apple Safari 1.2 + <br> Google Chrome AOL 5 + <br> Netscape Communicator 4.77 + <br> Camino 1.0+ <br> Konqueror (KDE) Mozilla 0.6 +<br> <br> Email Clients (S/MIME): <br> Microsoft Outlook 99+ <br> Microsoft Entourage (OS/X) <br> Mozilla Thunderbird 1.0+ <br> Microsoft Outlook Express 5+ <br> Qualcomm Eudora 6.2+ <br> Lotus Notes (6+) <br> Mail.app (Mac OS X) <br> Microsoft / Windows Mail 1.0+ (Vista) <br> The Bat 1+<br> <br> Micro Browsers /PDAs <br> Apple iPhone<br> iPod Safari 1.0+ <br> Microsoft Windows Mobile 5* / 6 +<br> ACCESS NetFront Browser v3.4 + <br> RIM Blackberry v4.2.1 + <br> KDDI Openwave v220.127.116.11 + <br> Opera Mini v3+ <br> Opera Mobile 6+ <br> Sony Playstation Portable Sony Playstation 3 <br> Netscape Communicator 4.77+ <br> Nintendo Wii NTT / DoCoMo<br> <br> Application Suites: <br> Microsoft Authenticode Visual Basic for Applications (VBA) <br> Adobe AIR Sun <br> Java SE 1.4.2+ <br> Mozilla Suite 1.0+ <br> Sea Monkey </p> <p>Document Security Platforms: <br> Microsoft Office (Word, Excel,Powerpoint, Access, InfoPath) </p> <p>Server Platforms <br> All SSL-Capable Server Platforms</p> <p>* Windows Mobile 5 certificates will be issued from a Non InCommon / Internet2 branded subordinate Root.</p> <p><strong><a name="18" id="18"></a>18. Are non-profit regional research and education networks and other organizations within the .edu domain eligible?</strong></p> <p>Not for profit regional research and education networking organizations with primary offices in the United States that are not housed within an otherwise eligible educational institution may join this program by paying an annual fee of $2,000. No further discounts are applicable to this fee. In all cases, participation in this program is solely to allow the organization to acquire certificates for staff within that organization and for servers and services operated directly by the organization. Participation explicitly excludes the ability for the organization to issue certificates to members of the organization or to resell the service to members of the organization. This fee also applies to any non-Carnegie classified organizations who qualify for participation (i.e., organizations in the United States who currently have a .edu domain). All participating organizations must still join InCommon as is required for all participants in this program. </p> <p><strong><a name="19"></a>19. What is the certificate chain for SSL certificates issued by the InCommon Certificate Service? </strong></p> <p>SSL certificates issued prior to February 1, 2011 chain up to the AddTrust root CA in the following way: AddTrust External Root CA:COMODO High Assurance Server CA:End-Entity Certificate <p>SSL certificates issued on February 1, 2011 or later also chain up to the AddTrust root CA, but with a different intermediate CA: AddTrust External Root CA:InCommon Server CA:End-Entity Certificate <p>This intermediate CA is known as the InCommon Intermediate CA, which was deployed on February 1, 2011. <p><strong><a name="20"></a>20. I'd like a seal. Are those available? </strong> <p>Yes — go to http://www.trustlogo.com/install <p><strong><a name="21"></a>21. Will certificates issued by the Certificate Service comply with the emerging InCommon Identity Assurance Profiles (Bronze/Silver)? </strong> <p> The InCommon PKI subcommittee will ensure that the certificates align with the Identity Assurance Profiles. <p><strong><a name="22"></a>22. What is the certificate chain for Extended Validation (EV) certificates issued by the InCommon Certificate Service? </strong> <p>EV certificates chain up to the AddTrust root CA in the following way: AddTrust External Root CA:COMODO Certification Authority:COMODO Extended Validation Secure Server CA:End-Entity Certificate <p><a name="23"></a><strong>23. Do I need to install any certificates in my browser to access web sites that use SSL or EV certificates issued by the InCommon Certificate Service?</strong> <p>No, you do not need to install any certificates in the browser. The AddTrust root CA certificate, which is required for browser access, ships with all known browsers. In general, intermediate CA certificates are passed from the server to the browser as needed, so yes, there is a certificate bundle that needs to be installed on the server, but <strong>not</strong> in the browser. <p> If you are a site administrator testing a new server configuration, there is one caveat, however. Some browsers (such as Firefox) will store intermediate CA certificates received from a server in the browser's certificate store, so unless you're careful, you may be tricked into believing your server is configured correctly when in fact it's not. <em>Be sure to remove intermediate CA certificates from your browser's certificate store before testing your server configuration.</em> <p><strong><a name="24"></a>24. What is the best way to test a server configured with an SSL or EV certificate issued by the InCommon Certificate Service? </strong> <p>Be wary of using a browser to test your server configuration. Some browsers (such as Firefox) will store intermediate CA certificates received from a server in the browser's certificate store, so unless you're careful, you may be tricked into believing your server is configured correctly when in fact it's not. To avoid this pitfall, use openssl to definitively test your server configuration: <pre> $ openssl s_client -connect server:port -CApath /etc/ssl/certs/ </pre> <p> If the client machine does not have the /etc/ssl/certs/ directory, try the following command instead: <pre> $ openssl s_client -connect server:port -CAfile comodoroot.crt </pre> <p>In either case, if certificate validation passes, you know your server is configured correctly. Note that /etc/ssl/certs/ and comodoroot.crt contain root certificates only; no intermediate CA certificates are included.</p> </div> </div>