Use InCommon Certificate Manager (ICM) to Request or Renew Certificates

This document describes how to request access to and use the InCommon Certificate Manager (ICM) to request or renew InCommon certificates.

Overview

Units that manage more than 20 certificates and that have two full-time IT staff (who are responsible for their unit’s certificate management) can use the InCommon Certificate Manager (ICM) to directly request and renew InCommon certificates.

Advantages of the ICM web app are that it:

  • Is a more modern interface than U-M’s Web Application Sign Up (WASUP) service.
  • Provides better lists for reviewing certificates.
  • Immediately approves certificates for the domain(s) to which you have been approved.

Requirements

ICM web app access is tied to the credentials of individual people rather than to server credentials, so it is important for units to have a set of standards in place to manage times when staff change roles, are terminated, or leave U-M.

  • Units that use ICM are required to manage ICM access for two or more full-time IT staff who are responsible for their unit’s certificate management.
  • Units are required to remove ICM web app access from departing employees within 48 hours of their exit. For example, if an employee’s last day of work is on Friday, the unit must remove access by Monday morning.
  • If both assigned IT staff leave the unit, it is the responsibility of the unit to immediately notify the ITS Web Hosting Team to remove their access within 48 hours of their last day of work. The unit also needs to identify two other full-time IT staff to whom it wants to grant access to the ICM web app.

The following types of domains are approved for use with ICM:

  • Main domain under umich.edu (for example, med.umich.edu)
  • Subdomain under umich.edu that you fully control and that is not shared (for example, mhealthy.umich.edu)
  • Domains that a unit purchased that are not under umich.edu (for example, mmheadlines.org)

If a domain was not previously registered with Sectigo, submit a request to the ITS Web Hosting Team to create the new domain.

Getting Started

  1. Submit a request to set up an InCommon account.

If your request is approved, the ITS SSL Certificates Team will authorize your UMICH account to use the ICM web app and notify you.

Request a Certificate

  1. Use a web browser to go to https://cert-manager.com/customer/InCommon.
  2. Click InCommon Federated Login.

Sectigo website login

  1. Click Add (+).

InCommon Certificate Manager (ICM) home page

  1. Select Using a Certificate Signing Request (CSR).
  2. Click Next.

Request SSL Certificate popup window

  1. Verify University of Michigan displays in the Organization field or select it from the drop-down list.
  2. Verify your department displays in the Department field or select it from the drop-down list.
  3. Select the appropriate type of certificate from the drop-down list in the Certificate Profile field.

Notes:

  • In general, only use the InCommon Multi-Domain SSL (SHA-2) or InCommon SSL (SHA-2) certificate type unless you have a special need for another type of certificate.
    • InCommon Multi-Domain SSL (SHA-2) is preferred because it supports Subject Alternative Names.
    • ITS also recommends the multi-domain type for certificates that currently do not have any SANs (for consistency and simplicity).
    • The Extended Validation (EV) certificate profiles cannot currently be used to issue certificates because the university is still completing the necessary paperwork (as of February 2022).

Request SSL Certificate popup window

  1. Scroll down.
  2. Enter appropriate comments in the Comments field.
  3. Enter the email addresses to receive notifications for this certificate in the External Requesters field.

Request SSL Certificate popup window

  1. Drag or paste your Certificate Signing Request (CSR) into the CSR field.
  2. Click Key Type to add the key type.
  3. Click Next.

Request SSL Certificate popup window

  1. Select the name of the appropriate domain in the Common Name field.
  2. Click Next.

Request SSL Certificate popup window

  1. Click OK.

Note: ITS does not recommend the Enable Auto-Renewal setting because you still need to obtain and install the certificate manually after it is renewed. With auto-renewal turned on, InCommon will issue new certificates to replace ones that are expiring, but you have to manually get the new certificate from the email message that InCommon sends or download it from the web app. After manually getting the new automatically renewed certificate, you need to install the new certificate before the old certificate expires.

Request SSL Certificate popup window

  1. Select the checkbox of your new certificate that displays a status of REQUESTED.
  2. Click Approve.

ICM Home page

  1. Type an appropriate message in the Message field.
  2. Click Approve to update the status of your certificate request to APPLIED.

Note: You will receive an email from InCommon with a link to your certificate within 24 hours. However, you can get your certificate much more quickly by waiting a few minutes and downloading it directly from ICM, as shown in the following steps.

Approval Message popup window

  1. To download the certificate, select the checkbox of the certificate and click View.

ICM Home page

  1. Click the Download button and select the appropriate certificate type. For most users, the Certificate (w/ issuer after), PEM encoded option is recommended. Depending on your service, you may choose between a certificate-only, intermediate, or full chain option. See Certificate Chain Information for InCommon Certificates for more information.
  2. Click Close to return to the ICM home page.

SSL Certificate popup window
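
A pre-install check for the downloaded PEM file, added here as an example (it is not ITS or InCommon tooling): it uses the openssl command line to confirm that the certificate carries the public key from the CSR you submitted, covers the expected host name, and is not close to expiry. The script name, file arguments, and the 30-day threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: checks to run on a certificate downloaded from ICM before
# installing it. All file names and host names are supplied by the caller.

# Number of certificates in a PEM file: 1 for "certificate only", more when
# the issuer certificates follow the server certificate.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only if the certificate carries the same public key as the CSR
# that was submitted, i.e. it pairs with the private key behind that CSR.
# openssl x509 reads the first certificate in the file (the server cert).
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]
}

# Succeeds if the certificate is valid for the given host name (SAN match,
# or Common Name when the certificate has no DNS SANs).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: sh check_cert.sh <downloaded.pem> <submitted.csr> <hostname>
if [ "$#" -eq 3 ]; then
    echo "certificates in file: $(chain_length "$1")"
    cert_matches_csr "$1" "$2" || { echo "public key does not match CSR"; exit 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3"; exit 1; }
    cert_valid_for_days "$1" 30 || { echo "expires within 30 days"; exit 1; }
    echo "ok to install"
fi
```

Running `cert_valid_for_days` against the certificate currently installed on the server, with a larger day count, shows whether a renewal needs to be installed soon.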

Renew a Certificate

  1. Use a web browser to go to https://cert-manager.com/customer/InCommon.
  2. Click InCommon Federated Login.

Sectigo website login

  1. Select the checkbox of the certificate you need to renew.
  2. Click Renew.

ICM home page

  1. Click OK.

Certificate manager popup window

  1. To download the renewed certificate, click View.

ICM home page

  1. Click the Download button and select the appropriate certificate type (e.g., Certificate only, PEM encoded).
  2. Click Close to return to the ICM home page.

SSL Certificate popup window

Last Updated: Thursday, May 5, 2022