it.ucsf.edu

FAQ - InCommon SSL Certificate Service

1. What is a CSR?

Certificate Signing Request (CSR) - A digital file which contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.

2. Why does the CSR have to be 2048-bit strength?

To avoid putting Internet and e-commerce users at risk, the Certificate Authority Browser Forum has published new requirements for secure certificates that require a minimum of 2048-bit RSA keys for root and subordinate CAs.

3. Is it secure to send a CSR through email or submit it to a ticketing database?

It is safe to send the CSR through email or submit it to a ticketing database, as it provides no value without the associated key file.
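The points in questions 1 to 3 can be checked locally before a request is submitted. The following is an added example, not part of UCSF's or InCommon's own procedure: it generates a key and CSR with OpenSSL, then refuses to pass a file that contains private key material or a key below 2048 bits. The function names `make_csr` and `check_csr`, the hostname and the subject fields are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hostnames, subject fields and paths are constructed.

# Generate an RSA key of <bits> bits and a matching CSR in <outdir>.
make_csr() {  # usage: make_csr <hostname> <bits> <outdir>
  host="$1"; keybits="$2"; dir="$3"
  ( umask 077   # files are created readable by the owner only
    openssl req -new -newkey "rsa:${keybits}" -nodes \
      -keyout "${dir}/${host}.key" -out "${dir}/${host}.csr" \
      -subj "/C=US/ST=California/O=Example Org/CN=${host}" 2>/dev/null )
}

# Return 0 only if <file> is a well-formed CSR that is safe to send.
# Return codes: 1 = private key present, 2 = bad signature, 3 = key too small.
check_csr() {  # usage: check_csr <file>
  csr="$1"
  # The CSR may travel by email or ticket; the key file must never do so.
  if grep -q 'PRIVATE KEY' "$csr"; then
    echo "refuse: $csr contains private key material" >&2; return 1
  fi
  # The CSR is signed with the requester's key; check that signature.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
    echo "refuse: CSR self-signature does not verify" >&2; return 2; }
  # Read the public key size from the decoded request.
  bits=$(openssl req -in "$csr" -noout -text |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || {
    echo "refuse: ${bits:-unknown}-bit key is below the 2048-bit minimum" >&2
    return 3; }
  echo "ok: ${bits}-bit CSR, $(openssl req -in "$csr" -noout -subject)"
}

# Demo in a throwaway directory (constructed hostname).
demo_dir=$(mktemp -d)
make_csr host.example.edu 2048 "$demo_dir" &&
  check_csr "$demo_dir/host.example.edu.csr"
rm -rf "$demo_dir"
```

Only the `.csr` file is attached to the request; the `.key` file stays on the server it was generated for.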

4. What are the available lifetimes for certificates?

We can issue 1, 2, or 3 year certificates. We will provision a 3-year certificate unless requested otherwise.

5. How does Comodo handle certificate revocation lists (CRLs)?

See this Comodo KB article and also note that each certificate provisioned will have an X509v3 CRL Distribution Points entry for live access to the current CRL.

6. What about other DNS domains such as anyplace.org? Can you issue certificates for such domains?

The UCSF InCommon-Comodo CA is currently registered to issue certificates for the ucsf.edu domain and its DNS subdomains, plus a few other domains that InCommon has approved following our request for authorization to issue certificates on behalf of the domain. We can request to add any other DNS domains which we control or own, and for which we can provide to InCommon: (1) evidence of ownership and (2) proof of control of the DNS domain in question. For DNS domains that we do not own, this CalNet InCommon-Comodo CA will not apply, so standard certificate request procedures with an external CA will be necessary.

7. What is the cost to the campus unit, if any?

There is no direct cost to campus units as UCSF has paid the InCommon-Comodo CA institutional fee.