CSU has joined the InCommon Federation, a standards-based trust fabric designed to enable participants to conditionally allow end-user access to protected applications and information based on information provided to them by other participants. Colorado State University’s Participant Operation Practices are described Colorado State University’s Participant Operation Practices are described here.


Services:


Intermediate SSL Certificates:

What is an intermediate certificate?

Most Certificate Authorities today protect their root certificate by only signing a few certificates. These “intermediate” certificates are then used to sign individual server certificates, thus protecting the root certificate from compromise through excessive use..

What do I do with an intermediate certificate?

Both the Root CA cert and the Intermediate cert should be installed on the server, along with the server cert that was created with the Certificate Signing Request.

What does a client's web browser do with an intermediate certificate?

When the browser requests a page protected by SSL, the server presents the “trust path” which describes the chain of signing relationships from the server through the intermediate to the root. If all three certs are on the server, AND the root cert is trusted by the client (if they are “in the browser”), AND the public keys embedded in the certificates match the public keys contained in the browser’s list, THEN the browser happily authenticates the server.

The chain of trust for basic InCommon/Comodo SSL certs uses the InCommon RSA Server CA intermediate cert:

  • USERTrust Secure (the root) [May also be shown as USERTrust RSA Certification Authority and / or AddTrust External CA Root]
    • InCommon RSA Server CA (the intermediate)
      • End-Entity Certificate (your server)

How do I install an intermediate certificate?

The installation process will vary based on your operating system and web server software; in some cases you may receive a bundle that includes all three certs in one file. Follow the installation instructions for your server.