skip to content
 

JISC certificate charges

All certificates are valid for 1 year.

Certificate type Number of domains Cost

Organization Validation (OV)

or

Extended Validation (EV)

4 or fewer £20
5–9 £40
10–19 £60
20–29 £120
30–49 £160
Wildcard £150*

* If you're applying for a wildcard certificate, obtain a purchase order and email it to .
 

How to apply

Step 1

Generate a public/private key pair and associated 'PKCS#10 Certificate Signing Request' (CSR). There are some general instructions on how to do this on QuoVadis web site. Keys for use in QuoVadis certificates must be at either 2048 (recommended) or 4096 bits long. Generate an RSA key pair.

To be acceptable under this scheme, the various items of information that can be included in a CSR for a particular type of certificate are either required (sometimes with a fixed value), optional, or prohibited. Requests that do not meet these conditions will be rejected. Items not mentioned here are prohibited.

Certificate field DV Certificate EV Certificate Wildcard Certificate
Country/Region (C): GB
State/Province (ST): optional, if present must be Cambridgeshire
City/Locality (L): optional, if present must be Cambridge
Organization (O): optional, if present must be University of Cambridge
Organizational Unit (OU): optional, see below
Common Name (CN): exactly one host name required, see below exactly one host name required, see below exactly one host name starting '*' required, see below
Subject Alternative Name extension (SAN): optional, up to 49 additional host names, see below optional, up to 9 additional host names, see below optional, up to 9 additional host names, see below
Email address (emailAddress): optional, won't appear in the certificate

The host name or names by which the servers that will use the certificate will be accessed must be included in the request. A single name must be included in the 'Common Name' *(CN) field and additional names may be included in the 'Subject Alternative Name' (SAN) extension field. The names must match the fully qualified host names under which the servers will operate – for a web server these must be the host names that will appear in URLs.

Wildcard certificates must contain a name starting '*.' in the CN, and may contain up to 9 additional names in the SAN extension field. In wildcard certificates, it can often be useful to include the base domain in the SAN, so for example '*.example.com' in CN and 'example.com' in the SAN.

If present, the Organizational Unit should describe the University institution (department, college, etc.) running the server(s) described in the certificate.

Users of OpenSSL may want to use this configuration file with the 'openssl req' command, or this Python script (run with --help for instructions) to simplify the process. Otherwise, when using 'openssl req' note that you can omit a field without accepting a default by supplying a single dot as the value.

An appropriate CSR looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICuTCCAaECAQAwdDELMAkGA1UEBhMCR0IxIDAeBgNVBAoTF1VuaXZlcnNpdHkg
b2YgQ2FtYnJpZGdlMSgwJgYDVQQLEx9EZXBhcnRtZW50IG9mIEltcG9ydGFudCBT
dHVkaWVzMRkwFwYDVQQDExB3d3cuaXMuY2FtLmFjLnVrMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAtw2cw4W53IF67x0q8WiTUCEuUUzW6Vgfyc0REtDp
jTIEewa9x+VYUPuAHwWk/feQb6QkqhY7uewpjNCpzku8WH3tpMEAQZLXiwlJyxwP
Bocw8zZT/dRGfCHLSXe1eEqLDaQrmEesWwj3/mD8LLer+1M8B9UfVqIcUta8/MGU
HDyeyuWYcX5BiSvcRZGBYZ6BL1OAjznN2KV6zF6XAK9ONPjGwtaDvtTCLkb7CV/P
Ydj5ZoM+2H9Ks2fHBJjI6uMbYXbNyKBLVnQd1dr0SzdbofPjLY1PAMeZH+6VZJOA
RAdQmtKTSMFkOapJiQVyI5f5LOUkuwmTl6sM8OZPBx1GMwIDAQABoAAwDQYJKoZI
hvcNAQEFBQADggEBAKALISF2WpYjJqGEP89t57Pa4xm4FvGqYosph0ANOlYdcvtP
cYfFpuzAThwm+U14FJJ0/VrK31uR9O4Y8NFve0vjCDivQ1ZcI+sYXYGSfQ+LueTc
89TRo7GSIbXWV7AG76Sms9RI6JmHaJJPIxyvLEUJJd5wiA/+6FrTzTXrd8kVYfAk
0YLkLVe2juFeV7OdPztiaHHy63UD1ADupg734zj5zUZYvyu/wWim5EmBpnsxSjpS
nYuOtdHuQZRzDjzJlpc7wH0+cL43D0HS0K7d7aGrR49NMC6xGojtA+ABQ2gWyoT6
g5xhyQv1d3+NBCmDUpY0Ic061uTMnb//6uNWmPg=
-----END CERTIFICATE REQUEST-----

Step 2

Securely back up your private key and any associated pass-phrase. Loss or disclosure of your private key will render any related certificate useless.

Step 3

Visit the TLS certificate administration site and request a new certificate - Raven authentication is required to access this site. Applications will not be accepted unless made by a recognised representative of the University organisation to which the server's host name is assigned.

Step 4

For an OV or EV certification, you will need to provide a cost code for recharging purposes. If the certificate is for a college, add a contact name and college name in the cost code field.

If you're applying for a wildcard certificate, obtain a purchase order and email it to .

You can check the status of your request on the TLS certificate administration site, from where you will also be able to download your certificate when it is ready. Requests for certificates are normally completed in one or two working days - if you don't receive your certificate within this time then please contact .

See 'Installation and deployment' for what to do with your certificate once you've received it and 'Renewal process' for what to do when it eventually expires.

 

Last updated: April 2019

UIS Service Desk

UIS Service Status

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

University Wireless Service maintenance: Tuesday 21 September, 08:00–09:00

16 September 2021

The University Wireless Service will be undergoing essential maintenance between 08:00 and 09.00 on Tuesday 21 September while we apply a security software patch. This is a security update to ClearPass, which provides Wireless Service network access control. We're not expecting any disruption to service, but it should be...

Mailing list migrations from Mailman to Sympa

31 August 2021

We intend to migrate all remaining lists associated with colleges from Mailman to Sympa during the week commencing 13 September 2020. The current total is 1,567. How this will affect users of the mailing list management service Most mailing list subscribers shouldn't notice any difference. During the switchover, there will...

Managed Zone Service closedown and migration to Mythic Beasts

24 August 2021

The Managed Zone Service (MZS) is being shut down, and its data content migrated to a commercial provider, Mythic Beasts. There will be no interruption to the service, but MZS users in institutions will need to make arrangements to retain management access to their zones. What is changing? UIS set up the MZS many years ago...