Technology Service Certificates Moving to SHA-2

This page contains information for IT Pros about certificates issued through the InCommon certificate service on 9/24/14 or later. 

Microsoft, Google, and Mozilla have all announced that they will stop accepting SHA-1 signed certificates in the near future.  Existing certificates which expire after January 1, 2016 will potentially encounter this issue and should be reissued before January 1, 2016.  This will affect all certificate types, including code signing certificates.

As of September 24, 2014, InCommon certificates will be issued with SHA-2 hashes by default. Anyone requiring a SHA-1 certificate beyond this date for compatibility with older systems will need to contact the Technology Service Certificate Manager to arrange the issuance of their certificate.  SHA-1 certificates will not be available with an expiry date later than January 1, 2016.
 
If you are concerned about whether the change to SHA-2 will affect your legacy systems, please reference the Comodo SHA-2 transition page.

Intermediate and Root Certificates

All certificates issued by Technology Service after 9/24/14 will require the installation of TWO new intermediate certificates:

InCommon RSA Server CA [Download]

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

USERTrust RSA Certification Authority Intermediate [Download]

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

AddTrust External CA Root [Download]

IMPORTANT: This root is typically already installed on most operating systems and did not change with the switch to SHA-2. However, if your system requires that it be installed separately, it is listed below.

-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
 
For users chaining their own certificates, you will need to make sure that the certificates are chained in the correct order: the server (subject) certificate at the top of the file, followed by each intermediate in signing order, with the root at the bottom of the file. You may encounter trouble with devices that assume a maximum of one intermediate certificate (there have been reports of problems with Aruba wireless controllers, for example), but servers should be fine.
 
Comodo also has a test site that uses a SHA-2 certificate. You can test software and devices against this URL to attempt to determine SHA-2 compatibility: https://sha256rsa.comodoca.com.

If you do not install the new certificate chain properly when using a new certificate issued after September 2014, users attempting to visit your website may see browser errors such as "This certificate cannot be verified up to a trusted certification authority", "The certificate is not trusted because the issuer certificate is unknown" or "This Connection is Untrusted". You may even be unable to install your new certificate due to server-side errors such as "Windows does not have enough information to verify this certificate" and/or "The issuer of this certificate could not be found". 
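The chain-order rule above (server certificate first, then each intermediate, root last) can be checked mechanically before a bundle is deployed, which catches the misordered or incomplete bundles behind the browser errors just listed. The script below is an added example, not part of this page or of the Comodo/InCommon tooling: it parses just enough DER to read each certificate's issuer, subject and signature algorithm, reports where consecutive certificates in the file do not link, and flags any SHA-1-signed certificate below the root. The sample input is the AddTrust External CA Root printed on this page; the function names and the SHA1_SIG_OIDS table are the example's own.

```python
import base64
import re

# Sample input: the AddTrust External CA Root exactly as printed on this page.
# Its self-signature uses SHA-1, which is harmless for a root: clients never
# verify a root's own signature, only whether it is present in their trust store.
ADDTRUST_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
"""

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_pem_bundle(text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_BLOCK.findall(text)]


def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = length of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Dotted form of a DER OBJECT IDENTIFIER value (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))


def common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {type OID, value}."""
    _, rdns, _ = _tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)
        _, atv, _ = _tlv(rdn, 0)                 # first attribute of the RDN
        _, oid, after = _tlv(atv, 0)
        if oid == b"\x55\x04\x03":               # id-at-commonName (2.5.4.3)
            return _tlv(atv, after)[1].decode("utf-8", "replace")
    return "<no CN>"


def parse_cert(der):
    """Issuer, subject and signature algorithm of one DER certificate."""
    _, cert, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs, after_tbs = _tlv(cert, 0)            # tbsCertificate
    _, sig_alg, _ = _tlv(cert, after_tbs)        # outer signatureAlgorithm
    oid = _oid(_tlv(sig_alg, 0)[1])
    tag, _, pos = _tlv(tbs, 0)                   # [0] EXPLICIT version is optional
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)                   # serialNumber
    _, _, pos = _tlv(tbs, pos)                   # inner signature AlgorithmIdentifier
    start, (_, _, pos) = pos, _tlv(tbs, pos)     # issuer Name (keep the whole TLV)
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)                   # validity
    start, (_, _, pos) = pos, _tlv(tbs, pos)     # subject Name
    subject = tbs[start:pos]
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "issuer": issuer, "subject": subject, "sig_alg": oid,
            "sha1": oid in SHA1_SIG_OIDS, "self_signed": issuer == subject}


def check_bundle(pem_text):
    """Check a bundle that should run leaf -> intermediate(s) -> root.
    Returns (summaries in file order, problems). A SHA-1 root is not flagged."""
    certs = [parse_cert(der) for der in load_pem_bundle(pem_text)]
    problems = []
    for i, c in enumerate(certs):
        if c["sha1"] and not c["self_signed"]:
            problems.append(f"cert {i} ({c['subject_cn']}) is signed with SHA-1")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i} ({c['subject_cn']}) needs issuer "
                            f"'{c['issuer_cn']}' but cert {i + 1} is "
                            f"'{certs[i + 1]['subject_cn']}': wrong order or missing intermediate")
    return certs, problems
```

To check a real bundle, read the file (for example the ca-bundle referenced in the Apache configuration below, with the server certificate prepended) and pass its text to check_bundle; an empty problem list means every certificate in the file is followed by its issuer and nothing below the root is SHA-1 signed. The parser compares issuer and subject as raw DER, which is exact for certificates issued by the same CA software but does not perform the name canonicalisation or signature verification that a full path validator does.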

Installation Instructions

For IIS Users

First, perform the Root and Intermediate Certificate installation via MMC using the instructions located here. Then, install your server certificate using the instructions provided on the Comodo website for IIS 5.x/6.x, IIS 7.x, or IIS 8.x.

Tips for IIS users: 

  • Some users who have Windows Server 2012 or 2008 and IIS7 installed report issues when simply choosing "renew" in IIS to auto-generate their CSRs. The symptom of this issue is the generation of an extra-long CSR that is unreadable by the vendor. The workaround for this is to choose "Create new" and then import and register the new certificate.
  • IIS requires a restart to ensure it is able to serve the full certificate chain correctly. Users have reported success with importing a single combined .cer file into IIS that includes the machine certificate, intermediates, and root (in that order). This order is necessary to ensure proper installation.
  • IIS does not support creating SAN CSRs through its wizard, but this can be accomplished using the built-in certificate tool in Windows and/or the OCS interface where applicable.
  • Some campus ITPros have noticed that new SHA-2 certificates issued by the Technology Service Certificate Manager may experience problems with Firefox clients when used on certain Windows servers.  This results from Firefox not having the new "USERTrust RSA Certification Authority" in its Root CA store.  In order to make this work correctly with Firefox, until the new CA certificate is added to Firefox's store, the "USERTrust RSA Certification Authority" (using the version available above) must be imported into the server's intermediate certificate store and REMOVED from the server's root certificate store.  (This is in addition to the "InCommon RSA Server CA" intermediate certificate, which must also be placed into the intermediate store.)  This will cause the server to serve the USERTrust certificate as an intermediate that is signed by the "AddTrust External CA Root", which is a trusted certificate in the Firefox store.  If the certificate is present in the server's root store and not removed, the server will not transmit it, even if it is also listed in the intermediate store.

For Apache Users

Follow the instructions provided on the Comodo website to install the new certificates.

Recommended Apache Config Example:

        SSLEngine On
        SSLCertificateKeyFile /etc/apache2/ssl/hostname.illinois.edu.2015.key
        SSLCertificateFile /etc/apache2/ssl/hostname.illinois.edu.2015.crt
        # chain file: the two intermediate certificates listed above, InCommon RSA Server CA first
        SSLCertificateChainFile /etc/apache2/ssl/hostname.illinois.edu.2015.ca-bundle

        # per Technology Service Security:
        SSLOptions StrictRequire
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite 'AES128+EECDH:AES128+EDH:ECDH+AES+HIGH:EDH+AES+HIGH:3DES+RSA+SHA+HIGH:AES+RSA+HIGH'

For RHEL/CentOS/Fedora systems

Don Meyer (ACES) is providing RPM packages to easily install the chained-ca bundle on RHEL/CentOS/Fedora systems, including configs for Apache.  For details/download, please visit: http://esoterica.itcs.illinois.edu/linux/packages/uiuc-intermediates.html

For Tomcat Users

Follow the instructions provided on the Comodo website to install the new certificates.

For OS X Server

Follow the instructions provided here.

For other systems

The complete listing of documentation provided by Comodo for installation on various server operating systems can be found here: Comodo Knowledgebase: Certificate Installation

Additional Information

Previously, the OU field for a certificate was determined by the data which the user specified on creation, e.g. "Computational Science and Engineering". Because of the way the InCommon enterprise hierarchy is set up, we will always see O=University of Illinois, OU=Urbana-Champaign Campus for UIUC certs, regardless of what is in the CSR. Here is a partial list of attributes that server admins may want to be aware of.

Subject Certificate attributes: 

Issuer: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA
         Subject: C=US/postalCode=61801, ST=IL, L=Urbana/streetAddress=LEAVE_THIS_FIELD_BLANK/streetAddress=LEAVE_THIS_FIELD_BLANK/streetAddress=LEAVE_THIS_FIELD_BLANK, O=University of Illinois, OU=Urbana-Champaign Campus, OU=PlatinumSSL, CN=your_server_fqdn.illinois.edu

             X509v3 CRL Distribution Points:
                 URI:http://crl.incommon-rsa.org/InCommonRSAServerCA.crl

             Authority Information Access:
                 CA Issuers - URI:http://crt.incommon-rsa.org/InCommonRSAServerCA.crt
                 OCSP - URI:http://ocsp.incommon-rsa.org

InCommon Intermediate Certificate attributes:

Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
         Subject: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA

             X509v3 CRL Distribution Points:
                 URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

             Authority Information Access:
                 CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
                 OCSP - URI:http://ocsp.usertrust.com

USERTRUST Intermediate Certificate attributes:

Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
         Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

             X509v3 CRL Distribution Points:
                 URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl

             Authority Information Access:
                 OCSP - URI:http://ocsp.usertrust.com

AddTrust External CA Root Certificate Attributes:

Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
         Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

More information about the InCommon certificate service can be found on InCommon's website, or you can contact the Technology Service Certificate Manager.