
IT Help and Support

University Information Services
 

Create and manage a range of digital certificates for websites, code signing and other applications.

This service provides free digital certificates that you may wish to use in cases where a certificate from Let’s Encrypt wouldn’t be appropriate for your application. Other digital certificate providers are available. If you would like advice on which certificate would be best for your situation, please don’t hesitate to contact us.
 

Benefits

  • Certificates are free
  • Create your own certificates in minutes in your account at Sectigo Certificate Manager
  • Choose from a wide range of certificates including TLS/SSL, client and code signing
  • Automatic renewal and installation via ACME where applicable

 

How to get an account with Sectigo Certificate Manager

To register your institution, complete the form on our self-service portal. You can also navigate to the form by visiting the portal at https://uniofcam.saasiteu.com and browsing for 'Certificates: Add New Institution'.

You'll need to provide: 

  • the name of your institution
  • the top-level domains you wish to create certificates for
  • the CRSids of all IT staff who will need to create and manage certificates.

If you add a domain outside the main university domain (cam.ac.uk), you will need to prove that you control it. We'll provide you with a CNAME entry that you'll need to add to the DNS for the domain. The Certificate Manager will scan your DNS hourly looking for this entry and will approve the domain when it finds it. This process is called Domain Control Validation (DCV).

We will contact you when we have created your account.
 

How to manage your account

You can add new domains, and add and delete users, on your account by completing the appropriate form on the self-service portal:

You can also navigate to these forms by visiting the portal at https://uniofcam.saasiteu.com and browsing for them. Each one is prefixed with 'Certificates:'.

How to create and manage your certificates

Once we have created your account, go to Sectigo Certificate Manager, select 'Sign in with your institution' and use your Raven credentials to access your account.
 

Which SSL/TLS certificate to use

For a website, we recommend a Jisc OV multi-domain SSL certificate. We don't recommend Jisc IGTF multi-domain SSL or Jisc EV anchor (validation only) certificates.

How to choose between EV or OV

EV stands for extended validation, while OV means organisation validation. Modern browsers make no practical distinction between these certificate types. We strongly recommend that you use OV rather than EV certificates. EV certificates will take longer to issue because someone from UIS will need to approve them.

If you still wish to use an EV certificate, we recommend a Jisc EV multi-domain SSL certificate for a subdomain of cam.ac.uk. If it's for another domain, that domain will need to go through the extended validation process if it hasn't already. The process will take several days. Contact servicedesk@uis.cam.ac.uk to arrange this, stating the domains you wish to add and why you cannot use an OV certificate for this application. To complete the process, you will need to provide additional information about the organisation for Sectigo to verify.

EV Anchor certificates

You won't need to create an EV Anchor certificate to create EV certificates if your certificate is for a subdomain of cam.ac.uk. Contact servicedesk@uis.cam.ac.uk if you want to create EV certificates for domains outside the University's main domain.

Ensuring your certificate has all the SANs you need

If you have multiple SANs, make sure you select a Jisc OV multi-domain SSL certificate (or the corresponding EV version, if needed) when you make your request. If you select another type of certificate, you'll find it won't have all the SANs you requested. If this happens, simply revoke the old certificate and request a new one.
 

How to request a certificate for domains external to cam.ac.uk

We strongly recommend using Let's Encrypt for external domains because you'll avoid unnecessary work and annual revalidation of your domain.

All-in-one hosting services such as Squarespace or Wix may not support certificates other than the ones those services provide. You must have control of your DNS and the ability to create a CNAME record pointing to an external domain. Not all hosting services allow this.

To request a certificate for an external domain, complete the Add a new domain form on UIS' self-service portal.

Domain Control Validation (DCV)

You'll need to insert a CNAME record that we'll supply into the DNS for your domain to prove that you control it. When the certificate manager finds this record, it will allow you to create certificates. Here's a sample of what we will give you, using an example domain:

_11cf2a82c33b85f17a07cf09a564ac6c.example.com. CNAME
1d4ddc9fdd82efe3a40ea3d09ac53f3b.7c6e9c73c7c00fe732332b713310f4a5.sectigo.com.

The name before CNAME on the first line is the alias, and the second line is the canonical name.

To add this to your zone file for example.com, add this entry (all on one line):

_11cf2a82c33b85f17a07cf09a564ac6c IN CNAME 1d4ddc9fdd82efe3a40ea3d09ac53f3b.7c6e9c73c7c00fe732332b713310f4a5.sectigo.com.

If you manage your DNS with a GUI of some sort, you'll need to follow its documentation. In either case, it's essential that:

  • the record type is CNAME
  • the alias begins with the leading underscore
  • the canonical name ends with the final dot.

After the new record has had time to propagate, check it with a web-based DNS lookup service or with nslookup on the command line. For example:

nslookup -type=cname _11cf2a82c33b85f17a07cf09a564ac6c.example.com.

Once your CNAME is set up and visible, your domain should be validated within an hour, and you will then be able to create certificates.
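The three requirements above can be checked on a zone-file line before it is published. The following is an added example, not code from UIS or Sectigo; it uses this page's sample record, and the function names and the test lines are constructed for illustration. It also expands relative names the way a name server does, which shows what a missing final dot turns the record into.

```python
# Added example (not UIS or Sectigo code). Names are the page's sample values.
ORIGIN = "example.com."
ALIAS = "_11cf2a82c33b85f17a07cf09a564ac6c.example.com."
TARGET = ("1d4ddc9fdd82efe3a40ea3d09ac53f3b."
          "7c6e9c73c7c00fe732332b713310f4a5.sectigo.com.")


def absolute(name, origin):
    """Expand a zone-file name as a name server does (RFC 1035):
    a name without a final dot has the zone origin appended."""
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin}").lower()


def check_dcv_line(line, origin=ORIGIN, alias=ALIAS, target=TARGET):
    """Return the problems found in one zone-file line ([] means it is fine)."""
    fields = line.split(";", 1)[0].split()      # drop comment, tokenise
    upper = [f.upper() for f in fields]
    if "CNAME" not in upper[1:]:
        return ["record type is not CNAME"]
    i = upper.index("CNAME", 1)
    if i + 1 >= len(fields):
        return ["CNAME record has no canonical name"]
    owner, canon = fields[0], fields[i + 1]
    problems = []
    if not owner.startswith("_"):
        problems.append("alias does not begin with an underscore")
    if not canon.endswith("."):
        problems.append("canonical name does not end with a final dot")
    if absolute(owner, origin) != alias.lower():
        problems.append("alias resolves to " + absolute(owner, origin))
    if absolute(canon, origin) != target.lower():
        problems.append("canonical name resolves to " + absolute(canon, origin))
    return problems


if __name__ == "__main__":
    # Constructed zone-file lines: one correct, two with common slips.
    for line in (
        f"_11cf2a82c33b85f17a07cf09a564ac6c IN CNAME {TARGET}",
        f"_11cf2a82c33b85f17a07cf09a564ac6c IN CNAME {TARGET[:-1]}",
        f"{ALIAS[:-1]} 3600 IN CNAME {TARGET}",
    ):
        print(check_dcv_line(line) or "OK", "<-", line)
```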
 

How long it takes for a certificate to be issued

OV certificates should take just a few minutes. If you experience a delay, contact us and we'll investigate. EV certificates will take longer because they need to be manually approved (see How to choose between EV or OV).
 

The SSL root certificate

Sectigo will provide you with the root and intermediate (chain) certificates when your new certificate is issued. Note that this will be different from the SSL root certificate used in a previous iteration of this service.
 

Creating a Certificate Signing Request

To get your SSL/TLS certificate, you'll need to create a Certificate Signing Request (CSR). The easiest way to do this is using our camcsr.py script (hosted on GitLab).

Here's an example:

python camcsr.py --ou="Institute for Example Studies" --nodes --force example.cam.ac.uk www.example.cam.ac.uk private.example.cam.ac.uk

The script will generate a key file and the CSR. Install the key file on your server and use the CSR to get your certificate.

You can check your CSR like this:

openssl req -text -noout -verify -in example_cam_ac_uk.csr
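The text that openssl prints can also be checked automatically against the hostnames you meant to request. The following is an added example, not part of camcsr.py or this service; the function names are illustrative and the sample output is a constructed excerpt that deliberately omits one of the three hostnames from the command above. The same parsing works on the output of openssl x509 -text -noout for an issued certificate, which covers the missing-SAN case described under 'Ensuring your certificate has all the SANs you need'.

```python
import subprocess

# Constructed excerpt of `openssl req -text -noout` output (not real output
# from camcsr.py); private.example.cam.ac.uk is deliberately left out.
SAMPLE_REQ_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = example.cam.ac.uk
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.cam.ac.uk, DNS:www.example.cam.ac.uk
"""

# Hostnames from the camcsr.py example on this page.
WANTED = ["example.cam.ac.uk", "www.example.cam.ac.uk",
          "private.example.cam.ac.uk"]


def openssl_text(path, kind="req"):
    """Text dump of a CSR (kind='req') or a certificate (kind='x509')."""
    cmd = ["openssl", kind, "-text", "-noout", "-in", path]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True).stdout


def dns_sans(text):
    """Return the DNS names listed in the Subject Alternative Name extension."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            return {e[4:].lower() for e in entries if e.startswith("DNS:")}
    return set()  # no SAN extension present


def missing_sans(text, wanted):
    """Hostnames in `wanted` that the CSR or certificate does not list."""
    have = dns_sans(text)
    return sorted(h.lower() for h in wanted if h.lower() not in have)


if __name__ == "__main__":
    # For a real file: missing_sans(openssl_text("example_cam_ac_uk.csr"), WANTED)
    print("missing:", missing_sans(SAMPLE_REQ_TEXT, WANTED))
```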
 

Using certificates from the old certificate service

You'll still be able to download your existing certificates from the same place until they expire, and they'll continue to be valid until their expiry date. We'll contact you a month before each certificate is due to expire, so you'll have plenty of time to replace it.
 

How to get a code signing certificate

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. You can obtain a code signing certificate for free from the Certificate Service.

If you are already signed up to the certificate service and can receive email at your_crsid@your_domain.cam.ac.uk, you can create your code signing certificate directly using the certificate manager.

In any other case, use the service request form.

 

 
