Topics Map > General UWM Knowledge
UWM Digital Certificate Service
The University of Wisconsin – Milwaukee has partnered with the InCommon Certificate Service to provide unlimited SSL certificates. This certificate service has been paid for with research funds and SSL certificates are available free of cost to UWM departments and units.
Requesting a Digital Certificate
1. Generate a Certificate Signing Request (CSR). The certificate may be generated by a vendor, or you may generate them in Certificate Manager.
Note: The CSR must be 2048 bit and contain the following fields:
- Country (2 character ISO code): US
- State/Province: Wisconsin
- Locality: Milwaukee
- Organization: UW-Milwaukee
- Organization Unit: SampleOrg
- Common Name (Fully Qualified Domain Name): sample.fqdn.uwm.edu
2. Submit the CSR
Submit the CSR at https://cert-manager.com/customer/InCommon/ssl/UWM
Some things to note:
- When logging in, use the search term milw to locate our IdP for authentication.
- A shared mailbox, pantherLIST or other team email address must be added to the external requester field on the form for renewal notifications.
- The comments field should have a very brief description of the service.
- The password field is generally not needed unless you want to revoke a certificate without going through IAM.
- The cert needs to be approved by IAM before it is issued. This will occur within 3 business days.
Note: Local Registration Authority Operators (RAO’s) reserve the right to reject certificate requests that conflict with the terms of the agreement with InCommon.
3. After submission
After using your access code to submit your CSR to the Certificate Manager website, you will receive several email messages:
- The first message, with the subject line APPROVED: SSL Certificate Request for servername.uwm.edu approved will confirm that the UWM Administrator has reviewed and approved your request.
- A second email with the Subject heading Enrollment Successful – Your SSL certificate for servername.uwm.edu is ready will provide download links to your certificate. There typically will be five download links included in the email. Selecting the correct link is essential to properly installing your certificate.
- The following describes certificate links in detail:
-
- X509 Certificate only, Base64 encoded: This is a text file for your certificate, signed by the InCommon intermediate certificate.
- X509 Intermediates/root only, Base64 encoded: This is a text file containing a bundle of two certificates. The first certificate in the bundle is the self-signed root certificate. The second certificate in the bundle is the InCommon intermediate certificate.
- PKCS#7 Base64 encoded: This is a text file containing a bundle of three certificates. The first certificate in the bundle is your certificate signed by the InCommon intermediate certificate. The second certificate in the bundle is the InCommon intermediate certificate. The third certificate in the bundle is the self-signed root certificate.
- PKCS#7 Bin encoded: This is a binary file containing a bundle of three certificates. The first certificate in the bundle is your certificate signed by the InCommon intermediate certificate. The second certificate in the bundle is the InCommon intermediate certificate. The third certificate in the bundle is the self-signed root certificate.
- X509, Base64 encoded: This is a text file containing a bundle of three certificates. The first certificate in the bundle is the self-signed root certificate. The second certificate in the bundle is the InCommon intermediate certificate. The third certificate in the bundle is your certificate signed by the InCommon intermediate certificate.
Frequently Asked Questions
How do I obtain technical support?
For technical support, contact the UWM Help Desk.
Where can I submit my CSR?
https://cert-manager.com/customer/incommon/ssl/UWM
For directions, see step 2 above.
Where can I re-download my certificate?
https://cert-manager.com/customer/InCommon/ssl?action=download
You will be prompted for:
- Your Certificate ID: which was in the email when the certificate was issued
- SSL certificate format: select one of the following 5 choices in a drop-down menu:
- PKCS#7 Binary
- PKCS#7 Base64
- X509 Base64
- X509 Base64 Certificate Only
- X509 Base64 Intermediates Only
Where can I request a revocation of my certificate?
https://cert-manager.com/customer/InCommon/ssl?action=revoke
If you set a password, you will be prompted for the following information:
- Your Certificate ID: included in the email you received when your certificate was ready
- Passphrase: passphrase you entered when you requested your certificate
- Comments: why you want to revoke your certificate
If you did not set a password, contact the UWM Help Desk for assistance.
What kind of turnaround time can I expect?
Turnaround time will be 3 campus business days. Therefore, it is imperative that you plan accordingly. Certificates will not be approved outside of normal campus business hours.
Why is my cert only valid for one year?
The longest permitted valid period is 398 days. You can also use one year and some shorter periods. Two- and three-year certs are no longer available.
Are wildcard certificates available?
By default, we do not provide wildcard certificates. If a wildcard certificate is compromised by attackers, they could be used to spoof any host in the domain of the wildcard, not just the FQDN’s it is meant for. For exceptions to this, please contact IAM through the UWM Help Desk.
Which domains are eligible for certificates?
All hostnames within UWM’s .edu domain and other domains owned by UWM are eligible for certificates through the InCommon agreement.
Do I have to use a certificate from the UWM Digital Certificate Service?
Yes. The InCommon certificate service was acquired through UWM purchasing for the purposes of providing certificates for UWM owned domains. There is a contract in place for its use. Other certificate services would be a duplication of the UWM Certificate service and would not necessarily be acceptable under state purchasing rules. Note that in most instances you are not allowed to accept terms and conditions when using a state P-card.
Can I get a certificate for a host in a non-UWM domain?
Yes, if UWM owns the domain. To ensure the university’s compliance with the InCommon agreement, requests for certificates outside of uwm.edu domains are subject to extra vetting and approval, by both the university and InCommon. To begin your request, contact IAM through the UWM Help Desk.