Frequently Asked Questions

Download as PDFDownload as PDF

Q. What organisations are eligible to join this service?

A. Organisations can check their eligibility for this service here.

Q. How much does a certificate cost?

A. Currently Janet will absorb the cost of providing Janet Certificate Service, but from 3 June 2013 there will be a charge applied for obtaining SSL certificates from the service.

Q. Why is Janet implementing charging?

A. In order to secure the long term life of the service, it must become self-sustaining. Certificates will be offered at a significant discount to that of the equivalent certificates from the commercial market.

Q. What is the cost of obtaining a certificate from 3 June 2013?

A. Domain and  Organisation validated, as well as Extended Validation certificates can be purchased in bundles of 1 to 250.  Specialist wildcard certificates can also be obtained. Further details of the cost of certificate bundles can be found here.

Q. What is the objective of this service?

A. The objective is to provide the UK education and research community with SSL server certificates that protect users by encrypting information between the user's broswer and the web service, as well as provide users with some reasonable level of assurance regarding the authenticity of the web service. In the latter, assurances are enhanced where web services and websites are secured with EV certificates.

Q. What can the certificates be used for?

A. All SSL certificates obtained through the service can be used for servers hosting web services.

Financial Transactions

Janet has negotiated license terms of certificates issued by Comodo, enabling financial transactions to be possible on all certificates issued through the service.

Q. How do I join this service?

In order to participate in the Janet Certificate Service your organisation will need to sign and return, by fax or post, or email a scanned copy of the Authorised Representative form available from the Janet website here.

The full process is described here.

Q. I'd like to use generic email addresses for the contacts provided in schedule 1: is that possible?

A. The use of generic email addresses for authorised representatives is not permissible.

Q. Can I apply for this service if my domain name does not belong to a Janet-connected organisation?

A. Yes: please see eligibility criteria for further details.

Q. Can I request certificates for *

A. Yes, you can request wildcard domains, e.g. *, and can include up to 9 additional non-wildcard domain names in Subjective Alternative Fields (SANs), i.e. and

Q. What other initial requirements must I meet?

A. Applicants must ensure that their domain name registration is up-to-date with the appropriate domain registry. To check your domain name we suggest that you check in accredited domain registrars such as:

Note: All search engines used to verify domains must be listed with ICANN accredited domain registrars:

The database of ccTLD management organisations and pointers to their registries can be consulted at:

Q. On IIS 6/7 can I create a CSR (Certificate Signing Request) with more than one domain?

A. Yes, you can create a CSR with one CN (Common Name) as well as several SANs (Subject Alternative Names).

The clearerest instructions for how to do this can be found on this external website

Q. My browser doesn't appear to recognise the installed certificate: why might this be?

A. The Server Certificate Service uses the Root CA Certificate: AddTrustExternalCARoot.crt that is installed in the vast majority of browsers by default. In addition to this, the service relies on the UTNAddTrustSGCCA.crt, which is an intermediate certificate. Therefore, it is important to ensure that your server has the intermediate certificate installed accordingly. The intermediate certificate can be downloaded from:,1

Q. How can I test that the intermediate certificate has been installed correctly?

A. If the certificate is installed on a webserver, navigate to the appropriate https location and double click on the padlock that appears at the bottom of the browser. Using the browsers certificate viewer to view the details, you should see the certificate hierarchy, with the AddTrustExternalCARoot.crt Root CA Certificate at the top, followed by the Intermediate CA Certificate: UTNAddTrustSGCCA.crt and finally the individual certificate for your server all linked together.

Alternatively, you may wish to run a simple openssl query such as:

openssl s_client -connect -showcerts

This query should return the certificate chain held on the server. You should check that the resultant output from this returns two certificates - the certificate issued for your server and also the UTNAddTrustSGCCA.crt certificate.

Q. How do I revoke my certificate?

A. Login to the Community site and open the JCS app

Click on the white arrow next to the JCS Account tab, to 'View All Certificates'.

On the list of certificate, find the certificate you wish to revoke. On the far right side, click on the action 'spanner' to see the option to revoke the certificate.

Q. I purchased a bundle of 10 certificate credits but cannot generate a wildcard certificate. How many credits do I need?

A. A Wildcard certificate costs  £100, and a multiple of mixed bundle credits does not equate to cover the charge.

Q. Which DCV email address should I choose for my acceptable internal domain name i.e. (.test, .example, .invalid, localhost, .local, .lan, .priv, .localdomain)

A.  Please choose any email address that is offered as it does not matter.  To incorporate an acceptable internal domain name within a certificate it needs to be an Organisational Validated (OV) type.  An OV certificate does require a Call-back from the CA, and this will verify the ownership of any FQDNs and internal domains, contained within the certificate request.

Please see further explanation on call-back here -

Q. What are the Acceptable Internal domain names?

A. These are acceptable internal domain names: .test, .example, .invalid, localhost, .local, .lan, .priv, .localdomain  For further reference see this link

Please Note:
(a) As of July 1, 2012 (Effective Date), the use of Certificates containing Reserved IP Address or Internal Server Name has been deprecated by the CA / Browser Forum and the practice will be eliminated by October 2016. Also as of the Effective Date, Comodo WILL NOT issue a certificate with an Expiry Date later than 31 October 2015 with a subjectAlternativeName (SAN) extension or Subject commonName (CN) field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, Comodo WILL REVOKE all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name.

(b) If you are using an internal top level domain (TLD) which is not currently a valid TLD), such as those above, or others which we may allow at our discretion for your internal use in this certificate request, please be advised that should such TLD become recognized by IANA/ICANN as a valid TLD this certificate will be revoked without further notice. Prior to the certificate being reinstated you will need to demonstrate domain ownership/control.

Q. One of our certificates is due to expire, how do I renew it?  Do I have to request it as a new certificate?

A. You need to buy a replacement certificate, it is not possible to extend the life of an existing certificate.  

Q. How do I generate a CSR on my server?

A. CSR generation is wholly dependent on the software you use. Please find instructions for many flavours of servers here -

Q. I have revoked a certificate, and have not been given the credit back into my bundles.

A. Revoking a certificate does not automatically return the credit to your bundle. Credits are returned solely at the discretion of Jisc, where a recently issued certificate is not required or needs replacing.