Certificate Service

Last updated: 
3 months 2 weeks ago
Group Manager

Welcome to the Jisc Certificate Service group.

For an update on the NEW Jisc certificate service please follow the below link.

The New Jisc Certiface Service 

The service offers a number of different X509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority, QuoVadis who is the provider of the certificates.

The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education.

This is a Community group where users can obtain relevant information, receive service updates and provide feedback.


On Jan 14th, at 19:34:34 2021 GMT, Digicert revoked a version of the “QuoVadis Global SSL ICA G2” and “QuoVadis Global SSL ICA G3” intermediate certificates used to issue our OV certificates, without advance notification to Jisc. Many other users globally have been affected by this.                                                                                                                                                                                               




It has been brought to our attention that many certificates issued via the old version of the Jisc Certificate Service (provided by Digicert/QuoVadis) are, as of last night, showing browser errors due to revocation of the issuing intermediate certificate. This is due to Digicert revoking an old version of the intermediate (not the certificates themselves).


The next generation of our Certificate Service is now live and ready to be used.

The new service has a new subscription model based on a small number of usage classes - giving a small number of certificates for free on one end of the scale and culminating in an of an offering unlimited number of certificates for a fixed price. The pricing has been set to ensure the average organisation within each usage class pays less than they currently do overall.

The new service also has many added benefits as compared to the existing service, including:


An issue regarding the use of the OCSP Signing EKU in issuing CAs is affecting hundreds of CAs in the industry including QuoVadis (see more at https://www.digicert.com/blog/working-with-delegated-ocsp-responders-and-eku-chaining/).

We will communicate with each institution separately and provide a list of the affected certificates shortly with instruction on replacements that will be required. We will add the necessary credits to the account to issue replacements


Please see further update from QuoVadis on the OU field Issue:

Retiring the OU field for public TLS/SSL 

QuoVadis will turn off the Organizational Unit (OU) field for all new public TLS/SSL certificates starting on August 31, 2020 at 00:59. This will affect new, reissued, and renewed certificates. Existing certificates with OUs are not affected (and do not require revocation or replacement). 


With regards to our update in September regarding the underscores in domain names for SSL certificates, The CAB Forum has now clarified their position:

 “All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.”

We will be adding the underscore character to the list of invalid characters very soon to stop these any future requests going through.


Back in the day (early UK e-Science days), we had University of XXXX asking for O=University_of_XXXX: it led to the DN being encoded as BMPString which was not good; it should have been printableString, but underscore is not allowed for printableString (see RFC2252) - these days one would use the UTF8 encoding, but we still recommend that people not use underscores and other naughty characters, like '@' in DNs. See http://www.ogf.org/documents/GFD.225.pdf 


As a user of the certificate service, I wanted to let you know that our supplier is increasing the tariff prices on this service in addition to increasing administration costs. This means that as of 1 October 2019, the cost of credits will change as per the table below.

Any credits bought between now and 1st of October will be charged at the current price and remain valid for two years.

Mixed SSL Credits:

Prev | Next