SSL Server Certificates

ITS makes InCommon server certificates and Active Directory (UMROOT) certificates available for U-M use, as well as roll-up certificate bundles.

InCommon Certificates

Rather than negotiating a per-certificate discount, the InCommon Federation has arranged a flat annual rate for unlimited SSL certificates. The University of Michigan participates in this arrangement, so InCommon CA certificates (2048-bit RSA) are available to members of the U-M community for U-M use at no cost.

How to Request Certificates

Use the Web Application Sign Up (WASUP) service to request an InCommon Certificate. You will need to generate a certificate signing request (CSR) by following your server's instructions. You will also need a six-digit university Shortcode and the name of the authorized signer in order to complete a request. Although a Shortcode is required, your account will not be billed.

Certificate Chains

A certificate chain is a certificate together with the intermediate and/or root certificates a client needs to verify it. You can install a chain as a single file (a "certificate bundle"), as individual files (one certificate per file, each accompanied by a symbolic link named for the hash of the certificate's subject, which is how OpenSSL-based clients locate certificates in a CA directory), or import it into a keychain, key store, or trust store.

Best Practice for Web Servers

Best practice for web servers is to have a certificate chain consisting of only the following two certificates:

The root certificate is not present in this chain because the client must already hold it in its own trust store for verification to succeed at all; sending it only adds bytes to every handshake, and SSL Labs flags it as a chain issue ("Contains anchor") on your website's report.
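As an added example (not from the ITS page, and using a throwaway CA hierarchy generated on the spot rather than any InCommon certificate), the script below builds both layouts described under Certificate Chains, a bundle file and a hashed directory, assembles the two-certificate web-server chain as well as the full chain used in the next section, checks which one carries the root, and verifies the leaf the way a client would. Every name, hostname and path in it is invented; it needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the ITS page. Builds a throwaway root -> intermediate
# -> leaf hierarchy so the chain layouts can be exercised offline. Every name
# and path here is invented for the demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA (stands in for a public root you would never generate).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" >/dev/null 2>&1

# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
  'authorityKeyIdentifier=keyid,issuer' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# 3. Leaf (server) certificate signed by the intermediate: this is the CSR
#    step the page tells you to perform on your own server.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.example.test' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server.pem >/dev/null 2>&1

# Bundle layouts. The web-server chain is leaf + intermediate only; the full
# chain (for appliances and middleware) appends the root.
cat server.pem inter.pem > server-chain.pem
cat server.pem inter.pem root.pem > full-chain.pem

# Hashed-directory layout (OpenSSL CApath): one certificate per file plus a
# symlink named <subject-hash>.0, which is how OpenSSL looks a CA up by subject.
mkdir trust.d
cp root.pem trust.d/
ln -s root.pem "trust.d/$(openssl x509 -noout -hash -in root.pem).0"

# Number of certificates in a PEM bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Exit status 0 if the bundle contains the root (the "Contains anchor" case
# SSL Labs warns about), 1 otherwise. Compares SHA-256 fingerprints rather
# than subject names so a look-alike name cannot fool the check.
chain_contains_root() {
  root_fp=$(openssl x509 -noout -fingerprint -sha256 -in root.pem)
  rm -rf parts && mkdir parts
  awk '/BEGIN CERTIFICATE/{n++} {print > ("parts/" n ".pem")}' "$1"
  for p in parts/*.pem; do
    if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$p")" = "$root_fp" ]; then
      return 0
    fi
  done
  return 1
}

# Verify the leaf the way a client does: the root comes only from the trust
# directory, the intermediate only from what the server would send.
verify_chain() {
  openssl verify -CApath trust.d -untrusted server-chain.pem server.pem >/dev/null
}

echo "server-chain.pem holds $(count_certs server-chain.pem) certificates"
chain_contains_root server-chain.pem && echo "server chain contains the root (fix this)" \
  || echo "server chain does not contain the root (good)"
chain_contains_root full-chain.pem && echo "full chain contains the root (expected)"
verify_chain && echo "leaf verifies against the trust directory"
```

The same chain_contains_root check works on a chain file you are about to deploy: run it against the bundle with the real root certificate in place of root.pem, and a hit means the file is a full chain that belongs on an appliance, not on a public web server.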

Full Certificate Chain Best Practice

If you need a full certificate chain (for example, to use with a network appliance, with a middleware service, or with a web server with special requirements) the best practice is:

Advanced Use Cases

For advanced use cases (for example, a certificate chain for unmaintained, insecure software that does not support modern cryptography) you can use the following chain. ITS recommends against using it because it relies on weak hashing algorithms, but, as of May 2020, it is the default chain supplied by the InCommon Federation.

Active Directory (UMROOT)

Windows computers joined to the university Active Directory domain trust the UMROOT certificate authority automatically, so this chain is primarily of concern to non-Windows systems (Linux, macOS, and network appliances) that authenticate against Active Directory over LDAPS.

Needed for:

  • Linux and Mac systems that use ldaps:// to verify logins and passwords
  • Routers, VPN, and other appliances that use ldaps:// to verify logins and passwords

Certificate Chain for SHA2:

  • UMROOT Root CA
    • UMROOT Issuing CA
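As an added example (not from the ITS page), the OpenLDAP client configuration below shows the setting that makes the UMROOT chain matter. Clients that cannot validate the server's certificate are often "fixed" by turning verification off, which leaves the password check exposed to a spoofed LDAPS endpoint; the correct fix is to point the client at the UMROOT chain. The file path, the location of the chain file, and the directory hostname are assumptions; the file is /etc/openldap/ldap.conf on RHEL-family systems.

```conf
# Added example, not from the ITS page: /etc/ldap/ldap.conf (Debian/Ubuntu).
# The chain path and hostname below are assumptions for the demonstration.

# Weak: accept whatever certificate the server presents. A spoofed ldaps://
# endpoint can then harvest every password this host checks. Do not ship this.
#TLS_REQCERT never

# Correct: require a certificate that chains to the UMROOT Root CA, using the
# UMROOT Root CA + UMROOT Issuing CA chain installed as a single PEM file.
URI         ldaps://ad.example.test
TLS_CACERT  /etc/ssl/certs/umroot-chain.pem
TLS_REQCERT demand
```

On systems that use sssd rather than the OpenLDAP client directly, the equivalent settings are ldap_tls_cacert and ldap_tls_reqcert in the domain section of sssd.conf.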

Roll-Up Certificate Bundles

For simplicity, you can download all the certificates described above (InCommon and UMROOT) as a single file. These bundles are a good starting point for the trust store of a server hosting an SSL website or using Cosign for authentication.

Roll-Up Bundles:

  • PEM format (Linux): UM Certificates 2020
  • Java Keystore (Tomcat): UM Certificates 2020 (password is "changeit")
  • PKCS7 format (Windows): UM Certificates 2020