Getting Started with InCommon Certificates for Web Hosting

Environment

Web Hosting, InCommon Certificates, Web Application Sign Up (WASUP), Automatic Certificate Management Environment (ACME), InCommon Certificate Manager (ICM)

Issue

ITS facilitates the process for U-M units and individuals to get InCommon server certificates. Managing InCommon certificates is an ongoing process of requesting new certificates and renewing them each year before they expire.

Resolution

The following options are not mutually exclusive. A unit may use ACME for some certificates, the ICM web app for others, and WASUP for still others.

  • ACME for automating renewals (recommended for all units): To prevent a certificate from expiring inadvertently, ITS recommends that you implement the Automatic Certificate Management Environment (ACME) protocol to automate the renewal process between the certificate authority and your web servers.

  • Web Application Sign Up (WASUP) for ITS-managed requests: Use the Web Application Sign Up (WASUP) service to request an InCommon certificate.

  • InCommon Certificate Manager (ICM) for self-managed requests: Units that manage more than 20 certificates and have two full-time IT staff (who are responsible for their unit’s certificate management) can use the InCommon Certificate Manager (ICM) to directly request and renew InCommon certificates.

For more information on each of these, see https://its.umich.edu/computing/web-mobile/certificate-services. That page includes links to the TeamDynamix forms for requesting the above services.

ITS recommends ACME over WASUP or ICM. People who are currently using WASUP or ICM should consider starting to switch to ACME now in order to automate certificate renewals. Google has announced its intention to reduce the maximum certificate lifetime that Google Chrome will accept from the current 398 days to only 90 days at some point in the future. After that point, people who continue to use WASUP or ICM will need to use it to renew each certificate, and install the renewed certificates on their systems, four to five times per year. ITS does not know when the current 398-day certificates will no longer be available and all new certificates will be valid for only 90 days, but we believe that it has a good chance of happening near the end of 2024. By starting early, you can identify solutions for systems that may have difficulty with ACME and have time to plan and implement those solutions.

Additional Information

Need additional information or assistance? Contact the ITS Service Center.

Details

Article ID: 8041
Created: Thu 5/5/22 10:05 AM
Modified: Wed 6/14/23 11:51 AM

Related Articles (1)

Describes how to use certbot and ACME with the InCommon Certificate Service to automatically obtain and renew TLS/SSL certificates without needing to run a web server on the machine obtaining the certificate, and without needing to perform Domain Control Validation.