Overview
UCSF provides SSL/TLS certificates for UCSF services through the InCommon Certificate Service (Sectigo). SSL/TLS certificates encrypt connections (HTTPS) and help clients verify a server’s identity before establishing an encrypted session.
How to access
Manual request (ServiceNow / RITM)
Use this for one-time/occasional requests or where automation isn’t being managed locally.
Automation guidance (ACME)
Some teams use ACME-capable tooling to automate certificate issuance and renewal for approved UCSF domains.
Before you request
Installing a certificate does not harden or secure a server by itself—teams should ensure systems are appropriately configured and maintained before requesting certificates. Requests that remain open for extended periods with unresolved vulnerabilities may be closed and require re-submission after remediation (or an approved exception).
To comply with the UCOP Encryption Key and Certificate Management Standard, UCSF services must use SSL/TLS certificates issued through the UCSF IT Security certificate service (or approved by the UCSF CISO). Third-party CA certificates (e.g., Let’s Encrypt, GoDaddy SSL, SSL Dragon) are prohibited.
Certificate lifetime and domain validation requirements
The CA/Browser Forum approved Ballot SC-081v3 in April 2025, phasing down maximum certificate validity and Domain Control Validation (DCV) reuse periods through 2029. Sectigo enforcement dates:
| Effective | Max certificate validity | Max DCV reuse |
|---|---|---|
| March 12, 2026 | 199 days | ~198 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
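The following is an added example, not UCSF or Sectigo code: it checks the output of `openssl x509 -noout -dates` against the validity limits in the table above and reports which limit will apply when the certificate is renewed at expiry. The sample dates are constructed, the function names are hypothetical, and certificates issued before the table's first row are reported as outside the schedule.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# (effective date, max validity in days), copied from the enforcement table above
SCHEDULE = [
    (datetime(2026, 3, 12, tzinfo=UTC), 199),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]

def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = stamp.replace(tzinfo=UTC)
    return fields["notBefore"], fields["notAfter"]

def limit_on(when):
    """Max validity in force on a date, or None before the table's first row."""
    limit = None
    for effective, days in SCHEDULE:
        if when >= effective:
            limit = days
    return limit

def audit(text):
    not_before, not_after = parse_dates(text)
    # notBefore and notAfter are both inside the validity period, hence +1 s.
    seconds = int((not_after - not_before).total_seconds()) + 1
    days = -(-seconds // 86400)  # assumption: a partial day counts as a full day
    limit = limit_on(not_before)
    if limit is None:
        status = "issued before schedule"
    else:
        status = "ok" if days <= limit else "exceeds limit"
    # The replacement is issued under whatever limit applies at expiry.
    return {"days": days, "limit": limit, "status": status,
            "limit_at_renewal": limit_on(not_after)}

# Constructed sample inputs in the format openssl prints.
SAMPLE_OK = "notBefore=Oct  1 00:00:00 2026 GMT\nnotAfter=Apr 17 23:59:59 2027 GMT"
SAMPLE_LONG = "notBefore=Apr  1 00:00:00 2027 GMT\nnotAfter=Oct 16 23:59:59 2027 GMT"
SAMPLE_EARLY = "notBefore=Jan 15 00:00:00 2026 GMT\nnotAfter=Feb 14 23:59:59 2027 GMT"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LONG, SAMPLE_EARLY):
        print(audit(sample))
```

The `limit_at_renewal` field is the value to plan around: a certificate issued under the 199-day limit can expire after the 100-day limit has taken effect, so its renewal interval roughly halves.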
Support scope
IT Security can assist with certificate service questions and request workflow issues. For ACME, support typically includes account/access topics and credential delivery; client configuration and troubleshooting are generally handled by local administrators or platform teams.
How can we help you?
Need assistance?
Do you have an issue with this service? Submit an IT Service Desk ticket for more assistance with this service.