Information Services Division


PKI Certificates

How to order a Public Key Infrastructure TLS certificate and terms and conditions of use

How to get TLS certificates

To get a TLS certificate, please use the Remedyforce self service form: 'TLS (SSL) certificate request' (search for 'certificate' or look under the 'Websites, Apps and Databases' category). You will need to include a certificate signing request (CSR). Note the key strength must be at least 2048 bit, and you must include the following in the CSR:

  1. CountryName (C), organizationName (O), commonName (CN):
    The country name must be GB.
    The organisation name must be University College London.
    The common name should be the hostname of your server (as referenced by end users e.g. www.ucl.ac.uk).
  2. The 'OU' (Organisation Unit) field is no longer accepted.
  3. Leave all other attributes blank (they often cause rejection of the certificate application).

Please do not send us the private key. You must store the private key in a secure place where no one can access it. The certificate that we supply needs the private key.

Allow three working days for new certificate requests. Please start the renewal process at least seven working days before certificate expiry.

The certificate enrolment notification email will include links to different format downloads. See the Sectigo knowledge base for advice on which format to use, and for guidance on how to install the certificate.

Certificates will last for 1 year.

Terms and conditions for certificate requests

Only Departmental Computer Representatives registered with ISD should submit a certificate request. See the Computer Reps section of Resources & Services for IT Staff on the ISD website.

The certificate must be for a UCL domain associated with the department of the Computer Rep.

Only TLS (SSL) server certificates are available. If you have an enquiry about another certificate type please email ukerna-ra@ucl.ac.uk.

We can only get certificates for domains registered to 'University College London'. If not, our provider must be able to verify domain ownership using email, file or DNS domain. We may need extra documentary evidence of domain registration.

There is currently no charge for certificates at the point of use, but UCL does have to pay a fee for certificates.

You must agree to Sectigo's Certificate Subscriber Agreement to use a certificate. See the legal documents section of Sectigo's website.