InCommon Certificate Service

ITS facilitates the process for U-M units and individuals to get InCommon server certificates. Managing your InCommon certificates is an ongoing process. The overall process is to:

  1. Obtain a Certificate Signing Request (CSR) for your service. Units have their own procedures to do this. This step does not apply when using ACME for automating renewals.
  2. Request the certificate (as described below).
  3. Renew the certificate each year before it expires (as described below). An expired certificate will prevent users from accessing the services provided via your web server.

Server Certificates

The following options are not mutually exclusive. A unit may use ACME for some certificates, the ICM web app for others, and WASUP for still others.

ACME for automating renewals (recommended for all units)

To prevent a certificate from expiring inadvertently, ITS recommends that you implement the Automatic Certificate Management Environment (ACME) protocol to automate the renewal process between the certificate authority and your web servers.

For more information:

Web Application Sign Up (WASUP) for ITS-managed requests

Use the Web Application Sign Up (WASUP) service to request an InCommon certificate. Before submitting a request:

  • Generate a certificate signing request (CSR) by following your server's instructions.
  • Identify the six-digit university Shortcode and the name of the authorized signer in order to complete a request. Although a Shortcode is required for authorization, your account will not be billed.

Due to an anticipated change in maximum certificate lifetimes from the current 398 days to only 90 days, ITS recommends that you obtain all new certificates using ACME in order to automate renewals and avoid having to manually renew and install them using WASUP four to five times each year.

InCommon Certificate Manager (ICM) for self-managed requests

Units that manage more than 20 certificates and that have two full-time IT staff (who are responsible for their unit’s certificate management) can use the InCommon Certificate Manager (ICM) to directly request and renew InCommon certificates.

Advantages of the ICM webapp over WASUP are that it:

  • Is a more modern interface.
  • Provides better lists for reviewing certificates.
  • Immediately approves certificates for the domain(s) you have been approved for.

A drawback of the ICM web app is that, unlike the recommended option (ACME), the ICM web app does not automate obtaining, renewing, and installing certificates; the ICM web app is a manual method for managing certificates.

Due to an anticipated change in maximum certificate lifetimes from the current 398 days to only 90 days, ITS recommends that you obtain all new certificates using ACME but use ICM to view and manage ACME-issued certificates as well as to obtain non-standard (specialty) certificates.

For more information:

Code-Signing Certificates

  • Contact [email protected] to obtain a code signing certificate. Large units can obtain code-signing certificates through the InCommon Certificate Manager web app.
  • As of May 15, 2023, code-signing certificates are only available on special secure tokens (Hardware Security Modules) that support “key attestation”.
    • ITS is testing the hardware tokens and creating documentation, which will be available by the end of June 2023. At that point, ITS will provide a token to each university unit that has one or more code-signing certificates. After this initial rollout, units will be responsible for purchasing their own token directly from external vendors. A single hardware token can be used for multiple code-signing certificates. If you need to renew or obtain a code-signing certificate in the meantime, contact [email protected].
    • ITS plans to support only the Yubikey 5 FIPS tokens. These are NOT the same as the Yubikey tokens available through Tech Shop. Yubikey tokens sold through Tech Shop can NOT be used for InCommon code-signing certificates.
    • If you do not currently have a compatible token, it may take several weeks to obtain and set up the token and obtain the certificate — please renew existing code signing certificates early enough to allow for this.
    • Once you have a compatible token and have set it up, you can use the same token to obtain additional or renew existing code signing certificates within 2-3 business days.

Client Certificates

Client certificates are reserved for rare use cases and are not typically needed.

  • The main use case for a client certificate is to authenticate users to a web server as an additional authentication factor.
  • For email that requires encryption, ITS strongly recommends using the Virtru at U-M service to meet compliance and security requirements. Virtru allows users to send end-to-end encrypted email.
  • Contact [email protected] to obtain a client certificate.
  • Large units can obtain client certificates through the InCommon Certificate Manager web app.

Certificate Chain Information for InCommon Certificates

A certificate chain is a certificate together with the additional intermediate and/or root certificates that clients may need in order to verify it. You can install a certificate chain as a single file (a “certificate bundle”), as individual files (one certificate per file, each with a symbolic link named for the hash of the certificate subject), or import it into a keychain, key store, or trust store. For details, refer to What Is an SSL Certificate Chain & How Does It Work?

Best Practice for Web Servers

Best practice for web servers is to have a certificate chain consisting of only the following two certificates:

The root certificate is not present in this chain because it is not needed for most web servers and because including it will result in a warning on your website’s SSL Labs report.
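As an added illustration (not part of the ITS documentation), the following POSIX shell script checks a PEM bundle for the layout recommended above: each certificate's issuer must be the certificate that follows it, and no self-signed root may be present. It assumes the openssl CLI is installed, and it builds a throwaway root/intermediate/leaf PKI locally as constructed sample input.

```shell
#!/bin/sh
# Added example (not ITS code): check a PEM bundle against the "leaf + intermediate, no root"
# layout recommended above. Needs the openssl CLI; sample certificates are constructed locally.
set -eu

# Split PEM bundle $1 into $2/cert01.pem, $2/cert02.pem, ... (one certificate per file).
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERT/ { f = sprintf("%s/cert%02d.pem", d, ++n) }
                 f { print > f }  /-----END CERT/ { close(f); f = "" }' "$1"
}
# Print the subject ($2 = -subject) or issuer ($2 = -issuer) DN of certificate file $1.
dn() { openssl x509 -in "$1" -noout "$2" | sed 's/^[a-z]*=//'; }

# Print "ok" if no certificate in bundle $1 is a self-signed root and each certificate's
# issuer is the subject of the one that follows it; otherwise print the first problem found.
check_chain() {
  d=$(mktemp -d); split_bundle "$1" "$d"; prev=""; result="ok"
  for c in "$d"/cert*.pem; do
    if [ "$(dn "$c" -subject)" = "$(dn "$c" -issuer)" ]; then result="root included"; break; fi
    if [ -n "$prev" ] && [ "$(dn "$prev" -issuer)" != "$(dn "$c" -subject)" ]; then
      result="out of order"; break
    fi
    prev="$c"
  done
  rm -rf "$d"; echo "$result"
}

# Constructed sample PKI in directory $1: root -> intermediate -> leaf, plus three bundles.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > "$1/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
  cat "$1/leaf.pem" "$1/int.pem" > "$1/good.pem"                       # recommended chain
  cat "$1/leaf.pem" "$1/int.pem" "$1/root.pem" > "$1/with_root.pem"   # SSL Labs warning
  cat "$1/int.pem" "$1/leaf.pem" > "$1/reversed.pem"                   # wrong order
}
```

Run `check_chain /path/to/bundle.pem` against the bundle your web server actually serves; "root included" means the last certificate should be dropped from the chain file.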

Full Certificate Chain Best Practice

If you need a full certificate chain (for example, to use with a network appliance, with a middleware service, or with a web server with special requirements) the best practice is:

Advanced Use Cases

For advanced use cases (for example, if you need a certificate chain to use with unmaintained and insecure software that does not support modern cryptography) you can use the following chain. ITS recommends avoiding the use of this chain because it makes use of weak hashing algorithms, but as of May 2020, it is the default chain supplied by the InCommon Federation.