The use of single sign-on and multifactor authentication for accessing the Comodo Certificate Manager is available to any subscriber that also operates an Identity Provider in the InCommon Federation. See this wiki page for details.
The InCommon Certificate Service issues unlimited Extended Validation (EV) SSL/TLS certificates at no additional cost to subscribers. Because EV certificates require additional levels of validation for the requesting organization, our partner Comodo must handle all of the paperwork as well as the validation process for EV certificates. Comodo has provided a background PDF about extended validation SSL.
InCommon and Comodo also offer Anchor Certificates, which pre-validates domains for future EV certificate requests. When you create an Anchor Certificate, you go through the same validation process as an EV certificate, with the anchor valid for approximately 13 months. The anchor is not an actual certificate, but when applied to all of your domains, you can request EV certificates with no further validation during the life of the anchor.
What are EV Certs?
An extended validation certificate is a X.509 public key infrastructure (PKI) digital certificate in which identifying information about the business entity holding the certificate for a web site or other server has been validated by the certificate authority (CA). The CA uses a standardized set of requirements set out in the CA/Browser Forum Extended Validation Certificate Guidelines. These guidelines that also set requirements for auditing, revocation and certificate content. Extended validation certificates are generally considered to be high assurance certificates as that term is used within the PKI community.
Why the additional paperwork?
EV certificates have higher validation requirements and are issued by Comodo under a separate Certification Authority (CA). Because of the formal requirements that all EV certificates must comply with, Comodo must manage the validation process with separate governing legal terms. For EV certificates, InCommon subscription covers the fees and the same Certificate management interface, while Comodo directly engages with the university on legal and validation terms.
First-time EV Cert Requests
- Confirm Domain Approval - Confirm that the domain for which you are requesting the EV certificate has already been approved by InCommon.
- Request an EV Cert via the Certificate Manager (CM)
- First, request an EV certificate using the Certificate Manager (CM). This generates an order number in Comodo's system, which you will need for the next step.
- Submit the Required Documentation - Comodo requires three documents before issuing an EV SSL certificate. These documents should be sent directly to Comodo (not to InCommon). Include your order number on each document for reference.
- EV SSL Certificate Subscriber Agreement (submitted only once)
- A Legal Opinion Letter(see this Sample Legal Opinion Letter) An EV SSL Certificate Request Form (see below)Comodo CA requires the completion of two documents for EV Validation. The Subscriber agreement is accepted when the initial EV certificate is requested. The Certificate Request form is emailed to the requestor with instruction on how to click thru to complete the process.
- EV SSL Certificate Subscriber Agreement - The EV SSL Certificate Subscriber Agreement is separate from the InCommon Certificate Service Addendum. There is no additional charge for EV certificates, but this agreement with Comodo is required. This is required once per organization.
- EV SSL Certificate Request Form
Be sure to list all domains for which you intend to request EV certificates in both the Legal Opinion and the EV Certificate Request Form. Listing the parent domain will cover all sub-domains. For example, listing foo.edu is sufficient to cover web1.foo.edu, web2.foo.edu, etc.
Send via fax or email to Comodo:
Please note your order number on all three forms to speed the process with Comodo.
- The EV SSL Certificate Subscriber Agreement is separate from the agreement signed with InCommon when you subscribed to the InCommon Certificate Service. There is no additional charge for EV certificates, but this agreement with Comodo is required. This is required once per organization. When submitting, please place your order number on the document, on a cover sheet, or in the accompanying email message.
- The Legal Opinion Letter will verify:
- Applicant’s Legal Status
- Flagged Entity Check – Manually done by Comodo
- DBA/Trade Name
- Physical Existence
- Operational Existence
- Phone Number
- Domain Ownership – (Please list ALL domains you own for which you wish to request EV certificates now or in the future). Listing the parent domain will cover all sub-domains. For example, listing foo.edu is sufficient to cover web1.foo.edu, web2.foo.edu, etc.
- Name, Title, and Authority of Contract Signer
Comodo will verify the organization in one of two ways.
Please include the order number on the document, on a cover sheet, or in the accompanying email message. If, later, you need to add a domain not included in your original Legal Opinion Letter, you can re-use the letter (provided it is for the same organization), but please include the new order number.
EV Certificate Request Form
If you have multiple domain names, list them all on this form. There are two different forms; choose the form that fits your situation:
- If one person is able to assume all three roles of Requester, Approver, and Contract Signer, use the simplified version of the Request Form.
- Otherwise use the full version of the Request Form.
You can use one Certificate Request Form for multiple orders submitted at the same time. Otherwise, each order requires its own Certificate Request Form.
Subsequent EV Cert Requests
If you need an EV certificate for a domain not included in your original application, you will need to submit a new Legal Opinion Letter and EV Certificate Request Form. See the information above for details on the Legal Opinion Letter and request form.
Requesting an EV Anchor
An anchor certificate will pre-validate domains for future EV certificate requests. All domains that require an EV certificate should be included in this request. If a domain is not listed in this request, you can still request an EV certificate; however, there the order will need to be processed manually by a validatior.
There is no prerequisite to create an EV anchor certificate yet we suggest every organization follow the following steps. Please note there is only one EV anchor certificate that can be applied to each organization (school). This procedure does not change current certificate ordering process - it is simply to help make EV processing more efficient. The EV Anchor is NOT an actual certificate that can be used.
- Login to CCM Dashboard
- Navigate to the Certificates Tab
- Click the Add button to Add a new Certificate request
- Select the Option “Manual Creation of CSR” and proceed to upload or Copy / Paste CSR.
- Proceed to the next step
- Choose the Organization
- Choose the certificate Type – EV Anchor Certificate
- Choose Term Length 1 Year
- Enter the Common Name (this can be any domain you need an EV cert for)
- In the SAN list enter all domains that you will need The EV Anchor to secure.
- Server Software does not matter in this case
Note regarding domains: Please DO NOT include sub-domains in this certificate unless you are only authorized to order EV certificates for a particular sub-domain. The requirements for EV Enterprise RA laid out by the CA/B Forum allow unfettered issuance only of certificates at 3rd and higher domain levels from a fully validated, active EV SSL certificate. For example: Including example.com will allow you to obtain EV certs for sub1.example.com, sub2.example.com or sub1.sub2.sub3.example.com, BUT including www.example.com will only allow sub1.www.example.com, etc. Do not include any wildcards, only root domains.
6. Continue to Enter your Incorporation, Registration Details and Contract signer Details
7. The option for auto-renewal is optional and can be edited in the certificate details later on.
8. Proceed to Subscriber and Certification agreement and select “I agree” checkbox
Once the request is submitted, you must have another MRAO Admin approve the request to finalize it. Once the request is approved, you will receive the order number.
To find the order number in CCM Dashboard, go to Certificates > SSL Certificates > Filter option to locate the certificate applied for by the common name > select Details.
Under certificate details you will see the order number.
Submit a ticket to Comodo email@example.com and request an EV anchor certificate be set for your account and provide the order number. Please note the validation team may contact you with a request for additional information to verify ownership and company identity. Turnaround time for this request is dependent upon completion of this paperwork.
The EV anchor will be valid for approximately 13 months. DCV expiration notifications will be sent out for this certificate just like any other certificate from CCM. The certificate can be renewed in CCM or another certificate ordered. However, the validation team is to be contacted with the new order number (a renewal will generate a new order number) and request to make it an anchor certificate.
The primary organizational details will be set to match the details validated in the anchor cert order. IF those details are changed it will require a new anchor certificate to be created and then validated.
*The departments under the primary organization will NOT be allowed to have different details except for the Department Name. The street address, city, state, postal code, and country will become uneditable.
For additional questions/concerns, please contact validation which can be reached Monday thru Friday 7 AM to 5 PM at 888-256-2608 Option #2. (Option #3 will bring you to technical support for CCM process/procedure questions).