InCommon Certificate Service

ITS facilitates the process for U-M units and individuals to get InCommon server certificates. Managing your InCommon certificates is an ongoing process. The overall process is to:

  1. Obtain a Certificate Signing Request (CSR) for your service. Units have their own procedures to do this. This step does not apply when using ACME for automating renewals.
  2. Request the certificate (as described below).
  3. Renew the certificate each year before it expires (as described below). An expired certificate will prevent users from accessing the services provided via your web server.

Server Certificates

The following options are not mutually exclusive. A unit may use ACME for some certificates, the ICM web app for others, and WASUP for still others.

ACME for automating renewals (recommended for all units)

To prevent a certificate from expiring inadvertently, ITS recommends that you implement the Automatic Certificate Management Environment (ACME) protocol to automate the renewal process between the certificate authority and your web servers.

For more information:

Web Application Sign Up (WASUP) for ITS-managed requests

Use the Web Application Sign Up (WASUP) service to request an InCommon certificate. Before submitting a request:

  • Generate a certificate signing request (CSR) by following your server's instructions.
  • Identify the six-digit university Shortcode and the name of the authorized signer in order to complete a request. Although a Shortcode is required, your account will not be billed.

InCommon Manager (ICM) for self-managed requests

Units that manage more than 20 certificates and that have two full-time IT staff (who are responsible for their unit’s certificate management) can use the InCommon Manager (ICM) to directly request and renew InCommon certificates.

Advantages of the ICM web app over WASUP are that it:

  • Is a more modern interface.
  • Provides better lists for reviewing certificates.
  • Immediately approves certificates for the domain(s) you have been approved for.

A drawback of the ICM web app is that, unlike the recommended option (ACME), the ICM web app does not automate obtaining, renewing, and installing certificates; the ICM web app is a manual method for managing certificates.

For more information:

Code Signing Certificates

Client Certificates

Client certificates are intended only for rare use cases and are seldom needed.

  • The main use case for a client certificate is to authenticate users to a web server as an additional authentication factor.
  • For email that requires encryption, ITS strongly recommends using the Virtru at U-M service to meet compliance and security requirements. Virtru allows users to send end-to-end encrypted email.
  • Contact to obtain a client certificate.
  • Large units can obtain client certificates through the InCommon Certificate Manager web app.

Certificate Chain Information for InCommon Certificates

A certificate chain is a certificate together with the additional intermediate and/or root certificates that clients may need in order to verify it. You can install a certificate chain as a single file (a “certificate bundle”), as individual files (one certificate per file, each with a symbolic link named for the hash of the certificate subject), or by importing it into a keychain, key store, or trust store.

Best Practice for Web Servers

Best practice for web servers is to have a certificate chain consisting of only the following two certificates:

The root certificate is not present in this chain because it is not needed for most web servers and because including it will result in a warning on your website’s SSL Labs report.
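As an added example (not ITS's or InCommon's code), the following standard-library Python script checks a PEM bundle against this two-certificate guidance and the yearly-renewal point above: it walks each certificate's tbsCertificate with a minimal DER reader, confirms leaf-then-intermediate order, flags a self-signed root at the end of the chain, and warns when any certificate expires within 30 days. The certificates it runs on are constructed, unsigned stand-ins with placeholder names, not real InCommon certificates; the 30-day threshold and all helper names are the example's own.

```python
import base64, re
from datetime import datetime, timezone
def _tlv(buf, pos):                      # one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_fields(der):  # -> (subject DER, issuer DER, notAfter) by walking tbsCertificate in field order
    _, pos, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)           # tbsCertificate SEQUENCE
    pos = _tlv(der, pos)[2] if der[pos] == 0xA0 else pos   # skip optional [0] EXPLICIT version
    _, _, pos = _tlv(der, pos)           # serialNumber
    _, _, pos = _tlv(der, pos)           # signature AlgorithmIdentifier
    i0, (_, _, i1) = pos, _tlv(der, pos)        # issuer Name, kept as raw DER for byte-for-byte comparison
    _, vpos, s0 = _tlv(der, i1)          # validity SEQUENCE; s0 = start of subject Name
    _, _, vpos = _tlv(der, vpos)         # notBefore (skipped)
    ttag, t0, t1 = _tlv(der, vpos)       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if ttag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(der[t0:t1].decode(), fmt).replace(tzinfo=timezone.utc)
    _, _, s1 = _tlv(der, s0)             # subject Name
    return der[s0:s1], der[i0:i1], not_after

def check_chain(pem_bundle, today=None):  # today = 'YYYY-MM-DD' (UTC) for reproducible runs; None = now
    now = datetime.fromisoformat(today + "T00:00:00+00:00") if today else datetime.now(timezone.utc)
    certs = [cert_fields(base64.b64decode(p)) for p in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)]
    problems = []
    for i, (subject, issuer, not_after) in enumerate(certs):
        if i + 1 < len(certs) and issuer != certs[i + 1][0]:
            problems.append(f"cert {i}: issuer does not match subject of cert {i + 1} (wrong order or missing intermediate)")
        if (not_after - now).days < 30:
            problems.append(f"cert {i}: expires within 30 days ({not_after:%Y-%m-%d})")
    if certs and certs[-1][0] == certs[-1][1]:
        problems.append("last cert is self-signed: omit the root from the web server chain")
    if len(certs) != 2:
        problems.append(f"chain has {len(certs)} certificates; serve exactly leaf + intermediate")
    return problems
# Constructed, unsigned stand-ins with the real tbsCertificate layout (demo data only, not real InCommon certificates).
def _der(tag, content): return bytes([tag, len(content)]) + content   # short-form lengths are enough for this demo data
def _name(cn): return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject, issuer, not_after):
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer)
    tbs += _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after)) + _name(subject)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(der): return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
LEAF = fake_cert("service.example.edu", "Example Intermediate CA", b"270601000000Z")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA", b"280101000000Z")
ROOT = fake_cert("Example Root CA", "Example Root CA", b"380101000000Z")
```

Run it on a real bundle by passing the file contents to `check_chain`; an empty list means the chain is leaf + intermediate, in order, with no root and nothing expiring soon.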

Full Certificate Chain Best Practice

If you need a full certificate chain (for example, to use with a network appliance, with a middleware service, or with a web server with special requirements) the best practice is:

Advanced Use Cases

For advanced use cases (for example, if you need a certificate chain to use with unmaintained and insecure software that does not support modern cryptography) you can use the following chain. ITS recommends avoiding the use of this chain because it makes use of weak hashing algorithms, but as of May 2020, it is the default chain supplied by the InCommon Federation.