Types of SSL Certificates
Questions and answers about different types of SSL Server certificates
This article applies to: SSL Server Certificate
How Can I Request a Code-Signing Certificate?
- Send your request to the IT Service Desk. Specify the contact email address you would like to appear in your certificate.
- The IT Service Desk will initiate a code signing certificate invitation. You will get an automated email with the subject, Invitation - InCommon Code Signing Certificate Enrollment from firstname.lastname@example.org.
- Follow the instructions in the Code Signing Certificate Enrollment email to start the enrollment process. The vendor recommends using IE 8+ on Windows and Firefox on Mac for certificate enrollment. Select the default values in the enrollment form, then select GENERATE.
- When the certificate is ready, you will receive an email with the subject ISSUED: InCommon Code Signing certificate from email@example.com.
- Windows: If you used IE or Chrome to install your certificate, the certificate is also placed in the Personal Certificate Store of your Computer Account in the MMC. Firefox installs the certificate at the browser level.
- MacOS: If you used Safari or Chrome to install your certificate, the certificate is in the login keychain. Firefox installs the certificate at the browser level.
- To verify your code signing certificate is installed, follow these instructions:
- After installing your code signing certificate, you may need to export the certificate for use on a different computer, for signing code, etc.
- Windows: Use these instructions to export the certificate.
- MacOS: Different versions of Firefox behave differently. Use Google to search for the instructions for exporting the certificate in Firefox for your browser version. When exporting a certificate in Firefox, you may see a list of formats to choose from. Select pkcs#7 format to export the certificate with a private key.
Can I Get a Certificate for a Host in a Non-Cornell Domain?
Yes - as long as Cornell owns the domain. Send your request to the IT Service Desk.
To ensure the university's compliance with the InCommon agreement, requests for certificates outside of cornell.edu domains are subject to extra vetting and approval by both the university and InCommon.
To begin your request, send email to the IT Service Desk requesting that the domain be added; the IDM SSL admin will then initiate the process of validating your domain with InCommon. After the domain is validated, you can request a certificate for a host in that domain through the normal channel.
What are Extended Validation Certificates?
Extended Validation (EV) SSL certificates are the next-generation SSL certificate: they work with high-security web browsers to clearly identify a website's organizational identity.
For example, if you use Internet Explorer 7.0, Firefox 3.0, or Opera 9.5, the address bar will turn green to identify the site as having an EV SSL certificate. A display next to the URL will toggle between the organization name and the Certificate Authority that issued the SSL certificate. The green bar means that a third party has validated the legitimacy of the business, the business' right to use the domain name, and that the High-Assurance SSL certificate was legitimately obtained.
Generating a CSR for an EV certificate is the same as generating the CSR for a single domain SSL certificate.
What is a Unified Communications Certificate?
A Unified Communications Certificate is a multi-domain certificate specifically designed for use with Microsoft Exchange and Microsoft Office Communications servers.
What is a Multi-Domain SSL Certificate?
A multi-domain certificate allows you to secure a primary domain, and up to 99 additional fully qualified domains, in a single certificate. It is best for organizations that have multiple unique domains hosted on a single server.
- The domains included in a multi-domain certificate do not have to have unique IPs.
- It must be reissued each time you want to add a new host/domain name to the certificate.
When generating a CSR for a multi-domain certificate, enter the primary domain name in the Common Name field. In the SSL request form's Subject Alternative Names field, enter the rest of the domain names that you want included in the certificate.
What is a Wildcard Certificate?
Wildcard Certificates are a security risk.
Use of wildcard certificates is strongly discouraged for most use cases. If possible, use other certificate types such as multi-domain certificates. When you deploy a wildcard certificate and its private key across multiple websites and servers, a single site compromise results in the compromise of the entire subdomain. Also note that not all applications are compatible with wildcard certificates; in particular, many mobile applications will not work with wildcards.
Wildcard certificates secure multiple subdomains with a single SSL certificate. For example, if you want to secure www.entrust.com, secure.entrust.com and support.entrust.com, you can use a single wildcard certificate for *.entrust.com to cover all three subdomains.
There is a limitation on the way wildcard certificates work, and it applies across all Certificate Authorities: the asterisk matches only one level (one label) of the fully qualified domain name.
For example, if we create a certificate for the common name of *.test.entrust.com,
- https://www.test.entrust.com/ will work
- https://www.shop.test.entrust.com/ will not work
- https://test.entrust.com will not work either.
When generating a Certificate Signing Request (CSR) for a Wildcard certificate, add an asterisk (*) to the left of the Common Name where you want to specify the wildcard.
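As an added illustration (not part of the original article), the following Python function applies the one-level wildcard rule above, together with exact matching for the additional names a multi-domain certificate carries in its Subject Alternative Names, to decide which hostnames a given certificate covers. The certificate names are constructed from the examples on this page, not taken from a real certificate.

```python
import re
from typing import Optional

# Constructed sample: the CN/SAN names a certificate might carry, built from
# the example names used on this page (not a real certificate).
SAMPLE_CERT_NAMES = [
    "*.test.entrust.com",   # wildcard common name from the example above
    "www.entrust.com",      # extra SAN entries, as on a multi-domain certificate
    "secure.entrust.com",
    "support.entrust.com",
]

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_hostname(name: str) -> bool:
    """Check that every DNS label of name is well-formed."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a single CN/SAN entry covers hostname.

    Rules applied (the 'one level' limitation described on this page, which is
    also the CA/Browser Forum and RFC 6125 practice):
      * a wildcard is honoured only as the entire left-most label ('*.x.y')
      * '*' matches exactly one label, never zero and never 'a.b', so
        *.test.entrust.com covers www.test.entrust.com but neither
        test.entrust.com nor www.shop.test.entrust.com
      * a wildcard directly under a top-level name ('*.com') is rejected
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not _valid_hostname(hostname):
        return False
    if "*" not in cert_name:
        return cert_name == hostname          # plain CN or SAN: exact match
    if not cert_name.startswith("*."):
        return False                          # 'www*.example.com' style rejected
    base = cert_name[2:]
    if "*" in base or "." not in base:
        return False                          # second wildcard, or '*.com'
    prefix, sep, rest = hostname.partition(".")
    return sep == "." and rest == base and _LABEL.match(prefix) is not None


def covered(hostname: str, cert_names=SAMPLE_CERT_NAMES) -> Optional[str]:
    """Return the CN/SAN entry that covers hostname, or None if none does."""
    for cert_name in cert_names:
        if name_matches(cert_name, hostname):
            return cert_name
    return None
```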