InCommon Certificate Service

Purdue is a member of the InCommon Federation. The InCommon Federation provides unlimited certificates via their InCommon Certificate Service to its member institutions for a single price.

Server and code-signing certificates are currently available, with personal certificates to be offered in the future.

This cost will be funded centrally by IT Security and Policy (ITSP) for use on Purdue services and applications.

If you would like to read more about the InCommon Certificate Service, please visit https://incommon.org/certificates/.

Note: If you are looking for information about the InCommon Federation Service, please visit the IAMO InCommon Service page.

Note on InCommon Certificate Hashing Algorithms

Note: In response to the phase-out of SHA-1, the InCommon certificate authority will no longer issue SHA-1 certificates that expire after December 31, 2015, so the maximum term available for them is 1 year. SHA-2 certificates may be issued with 1-, 2-, or 3-year terms just as we have done in the past (we request a 3-year term unless the request specifies a shorter duration).

Unless specifically requested otherwise, we will request a certificate signed with the newer SHA-2 hashing algorithm rather than with SHA-1, as was done for certificates issued in the past. This is due to the sunsetting of SHA-1 certificates by Firefox, Microsoft, and Google, as described in the articles linked below.

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

https://technet.microsoft.com/library/security/2880823

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

For system administrators, there is no change in how the CSR should be generated (the hashing algorithm used to sign the CSR does not influence the hashing algorithm the CA uses for the certificate signature). However, SHA-2 certificates are issued from a different intermediate certificate chain than the SHA-1 certificates, so the system administrator must install the certificate chain referenced in the email notification sent when the certificate is issued. Pay particular attention to this when replacing a SHA-1 certificate with a SHA-2 version, since the previously installed chain does not correspond to the new certificate.
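The chain point above is easiest to see with a throwaway PKI. The script below is an added example, not part of the IAMO page or InCommon's tooling: it builds one root and two intermediates with OpenSSL, issues a server certificate from the second intermediate, and runs the same `openssl verify` check an administrator would run after installing a new certificate and its chain file. All names (Demo PKI, intermediate-old, intermediate-new, www.example.test) are constructed for the demo; the two intermediates merely stand in for the SHA-1 era and SHA-2 era chains.

```shell
#!/bin/sh
# Added example (not from the IAMO page): a disposable PKI that shows chain
# validation succeeding only when the intermediate that actually issued the
# leaf is presented. Requires the openssl CLI; every name is constructed.
set -eu

# Issue a CA certificate (root or intermediate) into $dir/$name.{key,pem}.
# $signer is empty for a self-signed root, otherwise the issuing CA's name.
issue_ca() {
    dir="$1"; name="$2"; signer="$3"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/O=Demo PKI/CN=$name" 2>/dev/null
    if [ -z "$signer" ]; then
        openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$dir/ca.ext" -out "$dir/$name.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -CA "$dir/$signer.pem" \
            -CAkey "$dir/$signer.key" -CAcreateserial -extfile "$dir/ca.ext" \
            -out "$dir/$name.pem" 2>/dev/null
    fi
}

# Issue an end-entity (server) certificate from the named intermediate.
issue_leaf() {
    dir="$1"; name="$2"; signer="$3"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/O=Demo PKI/CN=$name" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -CA "$dir/$signer.pem" \
        -CAkey "$dir/$signer.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Does $leaf chain to $root through the intermediate(s) in $chain?
# This is the check to run after installing a new certificate together with
# the chain file that came with it. Returns 0 when OpenSSL reports "OK".
chain_ok() {
    root="$1"; chain="$2"; leaf="$3"
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" 2>/dev/null | grep -q ': OK$'
}

# Build the demo PKI and report the verify result for each candidate chain.
# Prints "old=<rc> new=<rc>": the leaf was issued by intermediate-new, so the
# old intermediate cannot complete the chain and that check fails.
demo_chain_check() {
    dir=$(mktemp -d)
    issue_ca "$dir" root ""
    issue_ca "$dir" intermediate-old root     # stands in for the previous chain
    issue_ca "$dir" intermediate-new root     # stands in for the chain named in the issuance email
    issue_leaf "$dir" www.example.test intermediate-new
    old=0; chain_ok "$dir/root.pem" "$dir/intermediate-old.pem" "$dir/www.example.test.pem" || old=$?
    new=0; chain_ok "$dir/root.pem" "$dir/intermediate-new.pem" "$dir/www.example.test.pem" || new=$?
    rm -rf "$dir"
    echo "old=$old new=$new"
}

# Usage: sh chain_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_chain_check
fi
```

The failing case is exactly what a server still presenting the old intermediate looks like to a client: the leaf itself is fine, but no path to the trusted root can be built. On a live server the same check can be made against the installed chain file with `openssl verify -CAfile <root> -untrusted <chain-from-email> <new-cert>` before the service is restarted.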

Most current software and operating systems can handle SHA-2 certificates. GlobalSign maintains a fairly comprehensive table of the minimum OS or software version required to support SHA-2 (also known as SHA-256) at the URL below.

https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Requesting an InCommon Server Certificate

To request a host certificate for a host within the Purdue domain, please generate a Certificate Signing Request (CSR) file using whatever method is appropriate for your system or software. The CSR should be constructed with the information below and then sent to accounts@purdue.edu.

  • Key length=2048
  • OU=Department Name
  • CN=Hostname
  • C=US
  • ST=Indiana
  • L=West Lafayette
  • O=Purdue University

In addition, please include the following:

  • An email contact for the certificate. This can be an individual or a group mailing list. A notification will be sent to this address once the certificate is ready.
  • If a SHA-1 certificate is needed (which will only be valid until December 31, 2015), please note that in your request.
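A CSR carrying exactly the subject fields listed above can be produced with OpenSSL. The script below is an added example, not part of the IAMO page or InCommon's tooling: it assembles the subject string from the fixed Purdue values plus the department (OU) and hostname (CN), generates a fresh 2048-bit RSA key and a SHA-256-signed CSR, and checks the CSR before it is mailed in. The department name and hostname used in the usage line are constructed placeholders; only the .csr file is sent to accounts@purdue.edu, and the .key file stays on the server.

```shell
#!/bin/sh
# Added example (not from the IAMO page): generate and sanity-check a CSR
# matching the fields IAMO asks for. Requires the openssl CLI.
set -eu

# Compose the OpenSSL -subj string: fixed Purdue fields plus the two
# per-request values (department -> OU, hostname -> CN).
csr_subject() {
    ou="$1"; cn="$2"
    printf '/C=US/ST=Indiana/L=West Lafayette/O=Purdue University/OU=%s/CN=%s' "$ou" "$cn"
}

# Generate a new 2048-bit RSA key and a CSR signed with SHA-256. The CSR's
# own hash does not decide what the CA signs with, but SHA-256 is the sane
# default. Writes $out/$cn.key (keep private) and $out/$cn.csr (send in).
make_csr() {
    ou="$1"; cn="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/$cn.key" -out "$out/$cn.csr" \
        -subj "$(csr_subject "$ou" "$cn")" 2>/dev/null
    chmod 600 "$out/$cn.key"   # the private key must never leave the host
}

# Sanity-check a CSR before mailing it: the self-signature verifies, the key
# is 2048-bit RSA, and the subject is exactly what we meant to request.
check_csr() {
    csr="$1"; expected="$2"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -text -in "$csr" | grep -q 'Public-Key: (2048 bit)' || return 1
    subj=$(openssl req -noout -subject -nameopt compat -in "$csr" | sed 's/^subject= *//')
    [ "$subj" = "$expected" ]
}

# Usage: sh make_csr.sh "<Department Name>" <hostname> [outdir]
# e.g.   sh make_csr.sh "ITSP" www.example.purdue.edu /etc/ssl/private
if [ $# -ge 2 ]; then
    outdir="${3:-.}"
    make_csr "$1" "$2" "$outdir"
    check_csr "$outdir/$2.csr" "$(csr_subject "$1" "$2")" && echo "CSR OK: $outdir/$2.csr"
fi
```

`check_csr` is worth running even when the CSR was produced by another tool (a Java keystore, IIS, an appliance's web UI), since a wrong OU or a 1024-bit key is far cheaper to catch before the request is verified and submitted to InCommon than after the certificate has been issued.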

After your request has been submitted, IAMO will verify the requester and host information for the certificate. Once verified, it will be submitted to InCommon. When the certificate request has been processed by InCommon, an email will be sent to the email contact that includes the information needed to download the requested certificate.

Normal turnaround time on requests for production servers is approximately 2-3 business days.

Note: Certificates for domains outside of the Purdue domain will take significantly longer.

Requesting an InCommon Code-Signing Certificate

To request a code-signing certificate for use at Purdue, please send the following information to accounts@purdue.edu:

  • The name of the Purdue department that will use the certificate.
  • An email address to assign to the certificate. Preferably this would not be a specific user's email address, but rather a group or mailing list.

After your request has been submitted, IAMO will create a Code Signing Certificate Enrollment invitation. When the invitation has been processed by InCommon, an email will be sent to the email contact that includes a link to generate a private key and create a certificate request. Once the certificate is signed, another email message will be sent to the email contact with a link to download the certificate.

Normal turnaround time on requests for code-signing certificates is approximately 2-3 business days.

Note: A pre-generated Certificate Signing Request (CSR) is not required for a code-signing certificate.

If you have any questions, please send email to accounts@purdue.edu.