Create and manage a range of digital certificates for websites
This service provides free digital certificates.
- OV TLS/SSL certificates
- Code signing certificates
You may wish to use it in cases where a certificate from Let’s Encrypt wouldn’t be appropriate for your application. Other digital certificate providers are available. If you would like advice on which certificate would be best for your situation, please don’t hesitate to contact us.
Benefits
- Certificates are free
- Create your own OV TLS/SSL certificates in minutes
- Automatic renewal and installation via ACME where applicable
If you add a domain outside the main university domain (cam.ac.uk), you will need to prove that you control it. We'll provide you with a CNAME entry that you'll need to add to the DNS for the domain. The Certificate Manager will scan your DNS hourly looking for this entry and will approve the domain when it finds it. This process is called Domain Control Validation (DCV). We recommend using Let’s Encrypt certificates for domains outside of cam.ac.uk.
Please contact us via the UIS service desk if you require a wildcard certificate or a certificate with more than 20 SANs.
Who can use the Certificate Service
Available to University institutions, departments, and affiliated institutions requiring SSL/TLS certificates for University-managed domains.
How to create and manage your certificates
You can use the UIS self-service portal to set up access to the service for your institution and manage the users who can create certificates.
You can specify the domains belonging to your institution, and add more later, including inst.cam.ac.uk and inst.private.cam.ac.uk.
Domains outside cam.ac.uk will require extra steps to prove ownership.
Existing users can access the service using University SSO at https://www.digicert.com/secure/
How to request a certificate for domains external to cam.ac.uk
We strongly recommend using Let's Encrypt for external domains because you'll avoid unnecessary work and annual revalidation of your domain.
If you use an all-in-one hosting platform, such as Squarespace or Wix, they will typically provide the necessary certificates as an integral part of their service.
To request a certificate for an external domain, complete the Add a new domain form on UIS' self-service portal.
Domain Control Validation (DCV)
You'll need to insert a CNAME record that we'll supply into the DNS for your domain to prove that you control it. When the certificate manager finds this record, it will allow you to create certificates. Here's a sample of what we will give you, using an example domain:
_11cf2a82c33b85f17a07cf09a564ac6c.example.com. CNAME 1d4ddc9fdd82efe3a40ea3d09ac53f3b.7c6e9c73c7c00fe732332b713310f4a5.digicert.com.
The name before CNAME is the alias and the name after it is the canonical name.
To add this to your zone file for example.com, add this entry (all on one line):
_11cf2a82c33b85f17a07cf09a564ac6c IN CNAME 1d4ddc9fdd82efe3a40ea3d09ac53f3b.7c6e9c73c7c00fe732332b713310f4a5.digicert.com.
If you manage your DNS with a GUI of some sort, you'll need to follow its documentation. In either case, it's essential that:
- the record type is CNAME
- the alias begins with the leading underscore
- the canonical name ends with the final dot.
After the new record has had time to propagate, you should check it, either by looking it up with a web-based DNS service or by running nslookup on the command line. For example:
nslookup -type=cname _11cf2a82c33b85f17a07cf09a564ac6c.example.com.
Once your CNAME is set up and visible, your domain should be validated within an hour, and you will then be able to create certificates.
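The three essentials listed above can be checked on a zone-file line before it is published. The following is an added example, not part of the Certificate Manager or of the original page; the function names are hypothetical and the record values are the sample ones shown above. It also shows why the final dot matters: a name without it is treated as relative and has the zone origin appended.

```python
# Added example: lint a DCV CNAME zone-file line before publishing it.
# Function names are hypothetical; record values are this page's sample.

def absolute(name, origin):
    """Expand a name as a name server does: without a final dot it is
    relative, so the zone origin is appended."""
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def check_dcv_line(line, origin, want_alias, want_target):
    """Return a list of problems with one zone-file line ([] if none).
    want_alias and want_target are the supplied names, fully qualified
    and ending in a dot."""
    fields = line.split(";", 1)[0].split()          # drop any comment
    # Skip the optional TTL and class fields between alias and type.
    rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
    if len(fields) < 3 or len(rest) != 2:
        return ["cannot parse line as: alias [ttl] [IN] CNAME target"]
    owner, (rtype, target) = fields[0], rest
    problems = []
    if rtype.upper() != "CNAME":
        problems.append(f"record type is {rtype}, not CNAME")
    if not owner.startswith("_"):
        problems.append("alias does not begin with an underscore")
    if not target.endswith("."):
        problems.append("canonical name lacks the final dot; it will be "
                        f"served as {absolute(target, origin)}")
    elif target.lower() != want_target.lower():
        problems.append("canonical name differs from the one supplied")
    if absolute(owner, origin) != want_alias.lower():
        problems.append(f"alias resolves to {absolute(owner, origin)}")
    return problems

ORIGIN = "example.com."
LABEL = "_11cf2a82c33b85f17a07cf09a564ac6c"
ALIAS = f"{LABEL}.{ORIGIN}"
TARGET = ("1d4ddc9fdd82efe3a40ea3d09ac53f3b."
          "7c6e9c73c7c00fe732332b713310f4a5.digicert.com.")

if __name__ == "__main__":
    lines = [
        f"{LABEL} IN CNAME {TARGET}",                # as on this page
        f"{LABEL} IN CNAME {TARGET.rstrip('.')}",    # constructed mistake
        f"{ALIAS.rstrip('.')} IN CNAME {TARGET}",    # constructed mistake
    ]
    for line in lines:
        print(check_dcv_line(line, ORIGIN, ALIAS, TARGET) or "OK")
```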
How long it takes for a certificate to be issued
Certificates should take just a few minutes. If you experience a delay, contact us and we'll investigate.