
Application process and charges

JISC certificate charges

All certificates are valid for 2 years.

Certificate type: Organization Validation (OV) or Extended Validation (EV)

Number of domains | Cost
4 or fewer | £20
5–9 | £40
10–19 | £60
20–29 | £120
30–49 | £160
Wildcard | £150*

* If you're applying for a wildcard certificate, obtain a purchase order and email it to .

How to apply

Step 1

Generate a public/private key pair and associated 'PKCS#10 Certificate Signing Request' (CSR). There are some general instructions on how to do this on the QuoVadis website. Generate an RSA key pair: keys for use in QuoVadis certificates must be either 2048 (recommended) or 4096 bits long.

To be acceptable under this scheme, the various items of information that can be included in a CSR for a particular type of certificate are either required (sometimes with a fixed value), optional, or prohibited. Requests that do not meet these conditions will be rejected. Items not mentioned here are prohibited.

Certificate field, by certificate type (DV Certificate, EV Certificate, Wildcard Certificate); a single value applies to all three types:

Country/Region (C): GB
State/Province (ST): optional, if present must be Cambridgeshire
City/Locality (L): optional, if present must be Cambridge
Organization (O): optional, if present must be University of Cambridge
Organizational Unit (OU): optional, see below
Common Name (CN):
    DV Certificate: exactly one host name required, see below
    EV Certificate: exactly one host name required, see below
    Wildcard Certificate: exactly one host name starting '*' required, see below
Subject Alternative Name extension (SAN):
    DV Certificate: optional, up to 49 additional host names, see below
    EV Certificate: optional, up to 9 additional host names, see below
    Wildcard Certificate: optional, up to 9 additional host names, see below
Email address (emailAddress): optional, won't appear in the certificate

The host name or names by which the servers that will use the certificate will be accessed must be included in the request. A single name must be included in the 'Common Name' (CN) field and additional names may be included in the 'Subject Alternative Name' (SAN) extension field. The names must match the fully qualified host names under which the servers will operate – for a web server these must be the host names that will appear in URLs.

Wildcard certificates must contain a name starting '*.' in the CN, and may contain up to 9 additional names in the SAN extension field. In wildcard certificates, it can often be useful to include the base domain in the SAN, so for example '*.example.com' in CN and 'example.com' in the SAN.

If present, the Organizational Unit should describe the University institution (department, college, etc.) running the server(s) described in the certificate.

Users of OpenSSL may want to use this configuration file with the 'openssl req' command, or this Python script (run with --help for instructions) to simplify the process. Otherwise, when using 'openssl req' note that you can omit a field without accepting a default by supplying a single dot as the value.
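
One way to pre-check a request against the field rules above and emit a matching config for 'openssl req', as an added example (it is not the configuration file or Python script this page links to). The function names, the csr.cnf, host.key and host.csr file names and the example.com host names are assumptions of this example.

```python
# Added example. Policy values are transcribed from the field table on this page;
# treating C as required is this example's reading of that table.
FIXED = {"C": "GB", "ST": "Cambridgeshire", "L": "Cambridge",
         "O": "University of Cambridge"}
ORDER = ["C", "ST", "L", "O", "OU", "CN", "emailAddress"]  # all other fields prohibited
MAX_SANS = {"DV": 49, "EV": 9, "Wildcard": 9}


def check_request(cert_type, subject, sans=(), key_bits=2048):
    """Return the list of policy violations; an empty list means acceptable."""
    if cert_type not in MAX_SANS:
        return [f"unknown certificate type {cert_type!r}"]
    problems = []
    if key_bits not in (2048, 4096):
        problems.append("RSA key must be 2048 or 4096 bits")
    for field, value in subject.items():
        if field not in ORDER:
            problems.append(f"{field} is prohibited")
        elif field in FIXED and value != FIXED[field]:
            problems.append(f"{field} must be {FIXED[field]}")
    if "C" not in subject:
        problems.append("C is required")
    cn = subject.get("CN", "")
    if not cn:
        problems.append("CN is required")
    elif cert_type == "Wildcard" and not cn.startswith("*."):
        problems.append("wildcard CN must start with '*.'")
    if len(sans) > MAX_SANS[cert_type]:
        problems.append(f"at most {MAX_SANS[cert_type]} SAN names allowed")
    return problems


def openssl_config(subject, sans=(), key_bits=2048):
    """Render a config for: openssl req -new -config csr.cnf -keyout host.key -out host.csr"""
    lines = ["[req]", f"default_bits = {key_bits}", "prompt = no",
             "distinguished_name = dn"]
    if sans:
        lines.append("req_extensions = ext")
    lines += ["", "[dn]"] + [f"{f} = {subject[f]}" for f in ORDER if f in subject]
    if sans:
        names = ", ".join(f"DNS:{name}" for name in sans)
        lines += ["", "[ext]", f"subjectAltName = {names}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample request, following the page's wildcard example.
    subject = {"C": "GB", "O": "University of Cambridge", "CN": "*.example.com"}
    sans = ["example.com"]
    assert check_request("Wildcard", subject, sans) == []
    print(openssl_config(subject, sans))
```

Run without '-nodes', 'openssl req' prompts for a pass-phrase to encrypt the new private key, which is the pass-phrase Step 2 asks you to back up.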

An appropriate CSR looks something like this:


Step 2

Securely back up your private key and any associated pass-phrase. Loss or disclosure of your private key will render any related certificate useless.

Step 3

Visit the TLS certificate administration site and request a new certificate - Raven authentication is required to access this site. Applications will not be accepted unless made by a recognised representative of the University organisation to which the server's host name is assigned.

Step 4

For an OV or EV certificate, you will need to provide a cost code for recharging purposes. If the certificate is for a college, add a contact name and college name in the cost code field.

If you're applying for a wildcard certificate, obtain a purchase order and email it to .

You can check the status of your request on the TLS certificate administration site, from where you will also be able to download your certificate when it is ready. Requests for certificates are normally completed in one or two working days - if you don't receive your certificate within this time then please contact .

See 'Installation and deployment' for what to do with your certificate once you've received it and 'Renewal process' for what to do when it eventually expires.

 

Last updated: April 2019
