Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID


InCommon Certificate Service Developing 2018 Work Plan

Feb 13, 2018, by Paul Caskey
Tags: InCommon, InCommon Certificate Service, InCommon Federation, InCommon Multifactor Authentication, Recent Posts

The InCommon Certificate Service (ICCS) is just completing a community survey that will help inform the work plan for 2018. This will be the second year for the survey; in 2017, respondents identified Single Sign-on with Multifactor Authentication as a high priority, and we rolled out that service late in the year. Other highlights, detailed below, include the release of version 6.0 of the Comodo Certificate Manager, with a number of user enhancements.  

In 2017, Chris Bongaarts (University of Minnesota), chaired a working group that developed and compiled the first survey and the resulting work plan. Chris recently discussed the work plan on a webinar; if you are interested, this 10-minute portion of the webinar is available on the IAM Online YouTube channel.

Here is a summary of what we have accomplished against the 2017 work plan and some thoughts about what is coming in 2018.

Securing Your Security Infrastructure
The highest priority work item identified in the 2017 work plan was implementing Single Sign-on with Multifactor Authentication (SSO/MFA) for the Comodo Certificate Manager (CCM), the portal campuses use to manage all the their certificates. We’re happy to say that SSO/MFA is now in full production and a number of organizations are making use of it. The feature requires “RAO” admins - those ultimately responsible for managing certificates on their campuses -  to use MFA, whereas “DRAO” admins (those with some authority delegated by the RAO) can use basic SSO. This requirement is communicated to institutional SSO services (IdPs) using the new community-defined REFEDS MFA profile ( Using SSO/MFA not only allows institutions the convenience of using familiar credentials and systems when logging in to CCM, but also helps to enhance the security of a critical piece of enterprise infrastructure - the issuance of trusted certificates!

New Features in the Certificate Manager
Next, Comodo released a version 6.0 of Certificate Manager (CCM), which includes many enhancements. Here is a brief summary of what’s new in this release:

New Features

  • Microsoft Active Directory integration
  • Auto Installation support for MultiDomain and Wildcard certificate types
  • REST API for CCM
  • Support formats of Subject Name and SAN defined by user-based AD template


  • Add elements IDs (add certificate wizard first step)
  • Improvements to CSoD Agent Installer
    • Auto Install limited on certificate type
    • Support Auto-Installation for Apache 2.4
    • Show if a certificate subject to auto-renew / or auto-replace (with date)
    • SSL Auto-install Port selection improve
    • Move servers to new tab (auto-install configuration)

And, finally, we know that you all have options, so here’s just a quick reminder about some of the benefits of subscribing to the InCommon Certificate Service.

First and foremost, the InCommon Certificate Service is a community-defined service, created by and for the higher education enterprise. You can see from the above that one of the most unique features of the ICCS is your input into defining and improving the service.

A few other items that also provide value to ICCS subscribers include:

  • Unlimited quantities of most certificate types are included: SSL, EV-SSL, S/MIME (user), and code-signing, not to mention the addition of IGTF-approved certificates, another contribution from this community!
  • Complete lifecycle management for all of your certificates
  • A visual dashboard for keeping track of certificate activity within your organization
  • A reporting system that also serves to keep you informed of certificate activities within your organization

For more information on the Certificate Service, you can visit either the website or the wiki. If you have any questions or comments, please email