skip to primary navigationskip to content

Application process and charges

JISC certificate charges

All certificates are valid for 2 years.

Certificate typeNumber of domainsCost

Organization Validation (OV)


Extended Validation (EV)

4 or fewer £20
5–9 £40
10–19 £60
20–29 £120
30–49 £160
Wildcard £150*

* If you're applying for a wildcard certificate, obtain a purchase order and email it to .

How to apply

Step 1

Generate a public/private key pair and associated 'PKCS#10 Certificate Signing Request' (CSR). There are some general instructions on how to do this on QuoVadis web site. Keys for use in QuoVadis certificates must be at either 2048 (recommended) or 4096 bits long. Generate an RSA key pair.

To be acceptable under this scheme, the various items of information that can be included in a CSR for a particular type of certificate are either required (sometimes with a fixed value), optional, or prohibited. Requests that do not meet these conditions will be rejected. Items not mentioned here are prohibited.

Certificate fieldDV CertificateEV CertificateWildcard Certificate
Country/Region (C): GB
State/Province (ST): optional, if present must be Cambridgeshire
City/Locality (L): optional, if present must be Cambridge
Organization (O): optional, if present must be University of Cambridge
Organizational Unit (OU): optional, see below
Common Name (CN): exactly one host name required, see below
exactly one host name required, see below
exactly one host name starting '*' required, see below
Subject Alternative Name extension (SAN): optional, up to 49 additional host names, see below
optional, up to 9 additional host names, see below
optional, up to 9 additional host names, see below
Email address (emailAddress): optional, won't appear in the certificate

The host name or names by which the servers that will use the certificate will be accessed must be included in the request. A single name must be included in the 'Common Name' *(CN) field and additional names may be included in the 'Subject Alternative Name' (SAN) extension field. The names must match the fully qualified host names under which the servers will operate – for a web server these must be the host names that will appear in URLs.

Wildcard certificates must contain a name starting '*.' in the CN, and may contain up to 9 additional names in the SAN extension field. In wildcard certificates, it can often be useful to include the base domain in the SAN, so for example '*' in CN and '' in the SAN.

If present, the Organizational Unit should describe the University institution (department, college, etc.) running the server(s) described in the certificate.

Users of OpenSSL may want to use this configuration file with the 'openssl req' command, or this Python script (run with --help for instructions) to simplify the process. Otherwise, when using 'openssl req' note that you can omit a field without accepting a default by supplying a single dot as the value.

An appropriate CSR looks something like this:


Step 2

Securely back up your private key and any associated pass-phrase. Loss or disclosure of your private key will render any related certificate useless.

Step 3

Visit the TLS certificate administration site and request a new certificate - Raven authentication is required to access this site. Applications will not be accepted unless made by a recognised representative of the University organisation to which the server's host name is assigned.

Step 4

For an OV or EV certification, you will need to provide a cost code for recharging purposes. If the certificate is for a college, add a contact name and college name in the cost code field.

If you're applying for a wildcard certificate, obtain a purchase order and email it to .

You can check the status of your request on the TLS certificate administration site, from where you will also be able to download your certificate when it is ready. Requests for certificates are normally completed in one or two working days - if you don't receive your certificate within this time then please contact .

See 'Installation and deployment' for what to do with your certificate once you've received it and 'Renewal process' for what to do when it eventually expires.


Last updated: April 2019

UIS Service Status

Phone padded  Service status line: (01223) 463085
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >  |  Back issues

RSS Feed Latest news

Bug in iOS 14 and iPadOS 14 that affects new VPN configurations

Sep 16, 2020

The latest release of Apple's iPad and iPhone operating systems, due out today, has a bug that requires users to follow a different process when setting up a new VPN configuration. It doesn’t affect existing configurations.

AirGroup functionality expanded on University Wireless Service

Sep 15, 2020

We’ve expanded AirGroup functionality on the University Wireless Service. AirGroup enables personal devices to discover and communicate with each other via Wi-Fi – for example, it allows you to use Airplay from your mobile devices to your Apple TV.

View all news