Categories
Trust, Identity and Access Blogs

10 FAQs about the Jisc Certificate Service

Pink background with blue question mark
Photo by Towfiqu Barbhuiya on Unsplash

When the world doesn’t feel stable, make sure your website is with a Jisc SSL certificate!

In this blog post, Emily Brown, Trust and Identity Co-ordinator, gives us her round up of the 10 most frequently asked questions from the certificates help desk.

  1. How to sign up?
  2. How does pricing work?
  3. How do I initiate Domain Validation?
  4. What certificate type do I need?
  5. How do I set up EV certificates?
  6. How do we use ‘Departments’?
  7. How can we utilise the automation feature?
  8. How many admins can we have?
  9. How do renewals work?
  10. How do we turn on notifications?

If you’re not sure what a certificate is, you can check out Emily’s blog, What are SSL certificates, and why do we need them? first.

1: How to sign up?

Signing up to the new Jisc Certificate Service, powered by Sectigo, is really simple and will only take you around six minutes. Simply use this link, and don’t worry, it is secure. It will take you to an online web form to complete your application.

You will need:

  • Your organisation’s details
  • 2 registration authority officers (these are your main admins)
  • A valid PO number

Once this form has been completed, we will onboard you from our side. The only thing left to do is wait for your organisation to be validated by Sectigo, which takes up to 24 hours.

2. How does pricing work?

Pricing is a significant factor for most people and here at Jisc we’re all about value for money.

Customers can achieve average savings of 30-60% through the Jisc certificate service, thanks to our savvy sector savings deal. In fact, we’ve saved our customers over £7million since November 2020!

As a customer you can upgrade to the next tier, as well as migrate to a smaller tier at any point throughout your subscription, if your current tier is not serving the correct purpose. What’s more, we pro-rata the upgrade amount, so you know you’re getting maximum bang for your buck.

You can see the pricing model below:

[1] The Jisc members’ price is available to any organisation that pays a Jisc subscription or has a Janet Network connection

You may also be pleased to know that regardless of its size or type – one certificate is the equivalent to one certificate off your usage. This means you don’t pay extra for things like wildcards, giving you even greater flexibility and value for money.

3. How do I initiate Domain Validation?

Domain validation goes hand in hand with SSL certificates. Domain control validation (DCV) is used by Certificate Authorities to verify the admin making the request. Within the Sectigo portal, all fully qualified domains (FQD) must be added and validated before you can issue a certificate.

Jisc recommend validating your domains via CNAME or via email.

You can follow the steps below to add your domains:

1. Domains > add (on the far right)

2. Enter the domain you wish to add and an optional description

i. You will need to choose which organisation the domain should be added to. Select which certificate types you would like to issue under that domain

3. You can allow or deny specific departments within your organisation the use of that domain by ticking and unticking the boxes as appropriate > Click save > the domain has now been added but will show in your domains list with a delegation status of ‘action required’

And then to validate your domains:

1. Select the domain you wish to validate > select the validate button on the bottom right

2. Choose the DCV method, you wish to use and hit next > please follow the wizard on screen

3. When validation has been completed, the validation status will change to validated

4. The default configuration e.g., jisc.ac.uk, allows you to only issue a certificate for that domain

i. If you would like to issue certificates for subdomains e.g. demo.Jisc.ac.uk, you can either add them individually and validate them if needed or you can add *.jisc.ac.uk to allow certificates to be issued for 3 levels of subdomains

ii. The FQD e.g. jisc.ac.uk must be added and validated before you add *.jisc.ac.uk, which will then validate automatically

Congratulations! You are now ready to request your first certificate!

4. What certificate type do I need?

Here at Jisc, we offer 4 main types of certificates:

      • Extended validation (EV): high assurance
      • Organisation Validated (OV): medium assurance
      • Wildcard (OV type): medium assurance
      • S/MIME email certificate: high assurance

We also provide code-signing certificates through the Sectigo certificate manager, and several other types of certificates can be purchased through us too.

If you are asking, what distinguishes an EV certificate from an OV certificate, that would be its extended validation through a multiple departmental audit to a higher level of assurance. EV and OV certificates hold the same technical properties, however an EV certificate establishes a higher level of trust due to its intensive verification process.

All certificate types are valid for 1 year, but we will come onto our automation feature a bit later on!

For more information about certificate types, check out the Sectigo resource library.

5. How do I set up EV certificates?

As mentioned in the above, EV certificates are tantamount to the highest level of security and dispense both maximum trust and high reliability, providing a higher level of assurance when compared a domain validated cert.

To enable EV certificates, you will need to provide us with some additional information. This information can only be added once Sectigo have validated your organisation and can only be edited by us, here at Jisc.

Contact us to let us know you would like to issue EV certs, providing as much of the information on screen as possible – anything left blank, we will be able to add on your behalf.

Once these details have been added, you will need to create your EV trust anchor.

Steps for this can found in the quick start guide.

Please note: All domains needed within your EV anchor certificate, will need to be validated prior to creating your EV trust anchor.  Similarly, the only domains that need to be included in your EV anchor are the fully qualified domain names needed within your certificate. For example, jisc.ac.uk and ja.net

Once completed, your EV anchor request will be passed to Sectigo for a multiple departmental audit which can take up to 72 hours to be approved. After validating your organisation to this higher level of assurance, your EV anchor should be issued.

Once issued, you can now request EV certificates for the domains listed within your anchor.

If you need a certificate urgently, you can request a OV certificate straight away without waiting for the extra validation from Sectigo. There are no technical differences between both EV and OV and the OV certificate will be provided instantly.

6. How do we use ‘Departments’?

Departments within Sectigo are a really easy way to provide organisational structure within your Sectigo account. Creating individual departments provides you with refined individual access improving efficiencies in regards to certificate administration.

Setting them up is really simple:

Navigate to the organisation tab > select your organisation > click departments > click the green plus on the top right > add the name of the department you wish to set up > press next > press save

You have now set up a department within your organisation. You are now able to create Domain Registration Authority Officer (DROA) admins and create certificates under this specific department.

7. How can we utilise the automation feature?

A great benefit of the new Sectigo service is their automation feature. Sectigo supports the installation and renewals of server certificates via Automatic Certificate Management Environment (ACME), using solutions like certbot, making it easier than ever to automate your management of certificates for a variety of systems.

For more information on ACME please see section 8 of the Sectigo certificate manager administrator’s guide.

Sectigo state that automation is critical to any certificate management system. It enforces cryptographic compliance and prevents service disruptions caused by human error, so while you are here, get it set up!

8. How many admins can we have?

On the Sectigo platform, you have the privilege of having as many admins as necessary.

You also have the option to create admins who operate under specific departments. (See ‘how do we use departments’ for more info).

The breakdown of admin types is shown below:

      • RAO – Registered authority officer
      • DRAO – Admins set up under specific departments.

In order to create additional admins, please check out the quick start guide for more detailed instructions.

9. How do renewals work?

If you have decided the certificate service is for you and you’ll stay another year, here is all you need to know about the renewal process.

The renewal of your subscription is pretty simple:

      • All RAO’s will receive an email reminder with a link to renew your subscription 45, 30, 15 and 7 days before it is due to expire
      • For this, you will need to provide us with a valid PO
      • Once confirmed, all RAO’s will receive a confirmation email and you will be good to go for a further year!

In regards to certificate renewals, these can be actioned In a few different ways:

      • Firstly, you can set up your certificate to auto renew x number of days before it is due to expire. This range is chosen by you. Sectigo will then email you a link to your new renewed certificate
      • Auto renewals will issue the certificate with the same Certificate Signing Request (CSR) as used originally and therefore you will need the originally exported private key
      • Similarly, when you select a certificate, you have the option to renew it then and there. This method also uses the original CSR
      • If you wish to recreate your certificate with a new CSR, you can just request a new certificate as normal

10. How do we turn on notifications?

Notifications are an important part of most services and create a fast and efficient way to communicate with a desired audience. Sectigo notifications need to be set up manually by your organisation, this might be something you missed when originally onboarding so let me address how to get started:

Settings > notifications > add > select from a range of notification types that will enhance your user experience and will help prevent loss of service. You can select who the notifications go to, whether that be RAOs, departments or just the owner!

Notifications are an easy feature to set up, so get started today and ensure you never miss a thing.

And that’s a wrap!

Our certificate service provides a self-service approach which lets you, the user, view and manage your account whenever possible. This means you can make certificate management easy with a central location, gain control and flexibility, save time through our automation feature and manage your budgets better through our subscription model.

We hope this has been a useful blog post. If you have any queries about the contents of this blog, please feel free to get in touch with our dedicated service desk via certificates@jisc.ac.uk and we will be more than happy to help.

Leave a Reply

Your email address will not be published. Required fields are marked *