ITS makes InCommon server certificates and Active Directory (UMROOT) certificates available for U-M use, as well as roll-up certificate bundles.
InCommon Certificates
Rather than paying a discounted per-certificate price, the InCommon Federation has negotiated a flat annual rate for an unlimited number of SSL/TLS certificates. The University of Michigan participates in this arrangement, so InCommon CA certificates (2048-bit RSA) are available to members of the U-M community for U-M use at no cost.
How to Request Certificates
Use the Web Application Sign Up (WASUP) service to request an InCommon certificate. You will need to generate a certificate signing request (CSR) on the server that will use the certificate, following that server software's instructions; the private key created alongside the CSR stays on that server and is never submitted. You will also need a six-digit university Shortcode and the name of the authorized signer to complete a request. Although a Shortcode is required, your account will not be billed.
Certificate Chains
A certificate chain is a certificate together with the intermediate and/or root certificates that clients may need to verify it. You can install a certificate chain as a single file (a “certificate bundle”), as individual files (one certificate per file, each with a symbolic link named for the hash of the certificate subject, the layout OpenSSL's c_rehash produces for a CA directory), or import it into a keychain, key store, or trust store.
Best Practice for Web Servers
Best practice for web servers is to have a certificate chain consisting of only the following two certificates:
- InCommon certificate you obtained for your system or service
- 2024 InCommon RSA Server CA intermediate certificate
The root certificate is left out of this chain because clients must already have it in their trust store (a root sent by the server is never trusted on that basis, so including it only adds bytes to every handshake), and because including it is reported as a chain issue on your website’s SSL Labs report.
Full Certificate Chain Best Practice
If you need a full certificate chain (for example, to use with a network appliance, with a middleware service, or with a web server with special requirements) the best practice is:
- InCommon certificate you obtained for your system or service
- 2024 InCommon RSA Server CA intermediate certificate
- 2038 USERTrust RSA Certification Authority root certificate
Advanced Use Cases
For advanced use cases (for example, a certificate chain for unmaintained, insecure software that does not support modern cryptography) you can use the following chain. ITS recommends avoiding this chain because it relies on weak hashing algorithms; as of May 2020, however, it is the default chain supplied by the InCommon Federation.
- InCommon certificate you obtained for your system or service
- 2024 InCommon RSA Server CA intermediate certificate
- 2028 USERTrust RSA Certification Authority intermediate certificate (the same CA as the 2038 root above, cross-signed by the AAA Certificate Services root)
- 2028 AAA Certificate Services root certificate
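The three chains above differ only in which certificates follow the leaf and in what order. A quick way to confirm that a bundle you have assembled is ordered leaf, then intermediate(s), then (only for a full chain) the root, is to read each certificate's issuer and subject and check that they link up. The following is an added example, not ITS code or an InCommon tool: a standard-library Python checker that parses just enough DER to do that comparison, run over constructed stand-in certificates whose names follow the chains listed on this page (the hostname www.example.org is a placeholder, and the stand-ins carry no real keys or signatures). It does not verify signatures; use `openssl verify -CAfile root.pem -untrusted chain.pem server.crt` for that.

```python
"""Sanity-check the order and contents of a PEM certificate chain.

Added example for this page, not ITS code. Standard library only: it parses
just enough DER to read each certificate's issuer and subject, so it can tell
whether a bundle is ordered leaf -> intermediate(s) -> root and whether a
self-signed trust anchor was included. It does not check signatures.
"""
from __future__ import annotations

import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(bundle: bytes) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in the bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def names(cert: bytes) -> tuple[bytes, bytes]:
    """(issuer, subject) of a DER certificate as raw Name encodings (RFC 5280 compares these)."""
    _, p, _ = _tlv(cert, 0)                 # Certificate ::= SEQUENCE
    _, p, _ = _tlv(cert, p)                 # tbsCertificate ::= SEQUENCE
    tag, _, after = _tlv(cert, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = after
    _, _, p = _tlv(cert, p)                 # serialNumber
    _, _, p = _tlv(cert, p)                 # signature AlgorithmIdentifier
    _, _, end = _tlv(cert, p)
    issuer, p = cert[p:end], end            # issuer Name
    _, _, p = _tlv(cert, p)                 # validity
    _, _, end = _tlv(cert, p)
    return issuer, cert[p:end]              # subject Name


def common_name(name: bytes) -> str:
    """commonName (OID 2.5.4.3) from a DER Name, for readable diagnostics."""
    i = name.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "<no CN>"
    _, s, e = _tlv(name, i + 5)
    return name[s:e].decode("utf-8", "replace")


def check_chain(bundle: bytes) -> dict:
    """Report order problems and whether the bundle ends in a self-signed root."""
    certs = [names(c) for c in split_pem(bundle)]
    issues = []
    for i in range(len(certs) - 1):
        issuer, _ = certs[i]
        _, next_subject = certs[i + 1]
        if issuer != next_subject:          # each cert must be issued by the one that follows it
            issues.append(f"cert {i} ({common_name(certs[i][1])}) is not issued by cert {i + 1} "
                          f"({common_name(next_subject)}): wrong order or missing intermediate")
    return {
        "subjects": [common_name(s) for _, s in certs],
        "ordered": bool(certs) and not issues,
        # True is fine for a full chain; on a web server it is what SSL Labs flags as a chain issue.
        "contains_anchor": bool(certs) and certs[-1][0] == certs[-1][1],
        "issues": issues,
    }


# --- constructed stand-in certificates (no real keys or signatures) so the demo runs offline ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue


def toy_cert(subject: str, issuer: str) -> bytes:
    """Structurally valid, unsigned certificate: only the fields the checker reads are meaningful."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
                     + _name(issuer)
                     + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
                     + _name(subject) + _der(0x30, b""))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


def pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Names follow the chains listed on the page; the hostname is a placeholder.
LEAF = pem(toy_cert("www.example.org", "InCommon RSA Server CA"))
INTERMEDIATE = pem(toy_cert("InCommon RSA Server CA", "USERTrust RSA Certification Authority"))
ROOT = pem(toy_cert("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority"))
CROSS = pem(toy_cert("USERTrust RSA Certification Authority", "AAA Certificate Services"))
AAA_ROOT = pem(toy_cert("AAA Certificate Services", "AAA Certificate Services"))

WEB_SERVER_CHAIN = LEAF + INTERMEDIATE                 # best practice for web servers
FULL_CHAIN = LEAF + INTERMEDIATE + ROOT                # appliances / middleware
LEGACY_CHAIN = LEAF + INTERMEDIATE + CROSS + AAA_ROOT  # advanced (cross-signed) chain
REVERSED_CHAIN = INTERMEDIATE + LEAF                   # a common mistake

if __name__ == "__main__":
    for label, chain in [("web server", WEB_SERVER_CHAIN), ("full", FULL_CHAIN),
                         ("legacy", LEGACY_CHAIN), ("reversed", REVERSED_CHAIN)]:
        print(label, check_chain(chain))
```

Point `check_chain` at the bytes of your own bundle (`open("chain.pem", "rb").read()`): an `ordered` result with `contains_anchor` false is the web-server best practice, `contains_anchor` true is the full-chain shape, and any entry in `issues` means the file is in the wrong order or is missing an intermediate, which is exactly the condition that makes browsers with a cold cache fail to validate the site even though the leaf itself is fine.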
Active Directory (UMROOT)
Domain-joined university Windows computers trust Active Directory automatically, so this certificate matters mainly for Linux and macOS systems and for appliances that authenticate against Active Directory over LDAPS.
Needed for:
- Linux and Mac systems that use ldaps://adsroot.itcs.umich.edu to verify logins and passwords
- Routers, VPN, and other appliances that use ldaps://adsroot.itcs.umich.edu to verify logins and passwords
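For the first case, an OpenLDAP client on Linux is told where the UMROOT CA certificate lives in ldap.conf. The fragment below is an added example, not an ITS-supplied file; the CA file path is an assumption (the PEM roll-up bundle also works there, since it includes UMROOT), and the file location varies by distribution.

```conf
# /etc/ldap/ldap.conf on Debian/Ubuntu, /etc/openldap/ldap.conf on RHEL-family systems.
# Added example; the path of the CA file is an assumption.
URI         ldaps://adsroot.itcs.umich.edu
TLS_CACERT  /etc/ssl/certs/umroot-ca.pem
# "demand" makes the client verify the server certificate and refuse to bind if it fails.
# "never" or "allow" silences certificate errors by disabling verification; do not use them.
TLS_REQCERT demand
```

Clients that use sssd instead of the plain OpenLDAP libraries set the same CA file with `ldap_tls_cacert` in the `[domain/...]` section of sssd.conf. A quick check that the CA file is right is `ldapsearch -H ldaps://adsroot.itcs.umich.edu -x -b "" -s base`: a TLS failure rather than an LDAP result means the server's chain does not validate against the configured CA.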
Certificate Chain for SHA2:
Roll-Up Certificate Bundles
For simplicity, you can download all the certificates described above (InCommon and UMROOT) as a single file. These are a good starting point for hosting an SSL website or for using Cosign (U-M's web single sign-on) for authentication.
Roll-Up Bundles:
- PEM format (Linux): UM Certificates 2020
- Java Keystore (Tomcat): UM Certificates 2020 (password is "changeit", the Java default keystore password)
- PKCS7 format (Windows): UM Certificates 2020