My institution is already registered in the previous SCS project. Do I need to redo the registration ?
Yes, it is needed. As we have changed certificate provider, we need a few additional documents to prove that our customers are aware of the Comodo CPS, that we have verified the list of their registered domains, etc. However, if your institution has not changed its status since your SCS registration, you are not obliged to resend us the complete legal paperwork on the status of your institution, as we will take it from the SCS documents.

Why do I need to renew all my SCS certificates ? They are still valid !
The reason is that the contract between TERENA (and incidentally Belnet) and GlobalSign ends on 07/01/2010 and, in principle, on 07/04/2010, GlobalSign will revoke all SCS certificates issued across European NRENs.

How to create a CSR ?
Simply create a text file with your favorite ASCII text editor (vim, Emacs, Notepad...) and take inspiration from examples available here

How to revoke a certificate ?
Follow the detailed procedure here

May I request a personal (user) certificate ?
In a later phase it will be possible to request personal certificates.

What to do if my server gets compromised ?
Simply revoke your certificate (follow the procedure described here). You can also always contact us at, so we can help you with the revocation. Tip: Do not forget to open a security issue with our CERT team.

What is a wildcard certificate ?
It is a certificate that contains a * in its CN field, like *

What's wrong with wildcard certificates?
It is very easy to create only one certificate and to install it on all the servers of your domain. Unfortunately it is also unsafe because even if only one server gets compromised, the whole wildcard certificate needs to be revoked. So all other servers will also have an invalid certificate.

Can I request DCS wildcard certificates?
Yes, the new system allows wildcard certificates to be requested. Beware: a wildcard should only be used for a subdomain of your principal domain, like *

What about key length ?
We recommend a minimum key length of 2048 bits, since Comodo now refuses keys shorter than 2048 bits.

Should I encrypt my private key ?
We advise you to encrypt the private key, but it is not mandatory.
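
One way to produce a key and CSR that follow the two recommendations above and to check them before submission (an added example, not Belnet's or Comodo's tooling; the subject fields, file names and the KEY_PASS variable are constructed):

```shell
#!/bin/sh
# Added example; subject, file names and passphrase are constructed.
set -eu

# Create an AES-256-encrypted RSA key of $2 bits and a CSR for CN $3 in
# directory $1. The passphrase comes from the KEY_PASS environment variable,
# so it never appears on a command line.
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" \
        -aes-256-cbc -pass env:KEY_PASS -out "$1/server.key" 2>/dev/null
    chmod 600 "$1/server.key"
    openssl req -new -sha256 -key "$1/server.key" -passin env:KEY_PASS \
        -subj "/C=BE/O=Example Institution/CN=$3" -out "$1/server.csr"
}

# Print the public key size, in bits, of the CSR in $1.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the algorithm used to sign the CSR in $1.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the PEM key file in $1 is passphrase-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Pre-submission check: key of at least 2048 bits, not signed with SHA-1/MD5.
csr_ok() {
    [ "$(csr_key_bits "$1")" -ge 2048 ] || return 1
    case "$(csr_sig_alg "$1")" in
        sha1*|md5*) return 1 ;;
    esac
}

# Constructed run; in practice set KEY_PASS from a prompt, not a literal.
work=$(mktemp -d)
export KEY_PASS='constructed-passphrase'
make_key_and_csr "$work" 2048 www.example.org
if csr_ok "$work/server.csr" && key_is_encrypted "$work/server.key"; then
    echo "ready: $(csr_key_bits "$work/server.csr") bits, $(csr_sig_alg "$work/server.csr")"
fi
```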

What's a PKCS-12 file ?
It is a file format that handles a certificate as a whole (including the public and private keys) and makes it possible, for example, to transport a certificate from one machine to another. If you use the backup my certificate button in your browser, it will by default try to create a PKCS-12 file, usually with the extension .p12.

How many years should I apply for a certificate ?
We advise you to choose a validity of 3 years. This will diminish your workload. 

Where can I see an example of a DCS certificate live in action ?
Just go to the web interface to see it in action.

People tell me that my server certificate is not issued by a well known CA ... Did I forget something ?
You probably forgot to download and install the keychain file of trust along with your certificate in your webserver. You can download the chain file via the URL provided when you get your certificate.

How long will it take to get my certificate ?
It depends on the time it takes for the local RA within your institution to approve your request.

Who is the local RA for my institution ?
For privacy reasons, we cannot provide a list of RAs for each institution. Please, contact the computing center or the IT department within your institution.

Are Unicode or ASCII encoded strings valid in CSR ? 
Yes, both are valid. Simply select the type within the request page (Unicode is set by default, but you may use ASCII if you prefer).

I'm a RA but I've lost my login/password... what can I do ?
Send an email to We will regenerate a new password and email it to you ASAP.

What is DCV ?
DCV stands for Domain Control Validation. It is a procedure put in place by Comodo to ensure that certificates requested for particular domains are properly authorized for the requestors. It consists of confirming the domain after receiving an email sent by Comodo to a crafted email address such as hostmaster@thedomain. Once the domain has been confirmed, confirmation is not asked for again. The result is also a quicker delivery of the certificates.

What are SHA-1, SHA-2, SHA-256, SHA-384... ?
SHA stands for Secure Hash Algorithm. The algorithms are split into several families, currently SHA-1, SHA-2 and SHA-3.
All are algorithms that compute a hash of a message, with a fixed hash length expressed in bits. SHA-1 hashes are 160 bits long; for SHA-2, the lengths are 224, 256, 384 and 512 bits (hence the associated names SHA-256, SHA-384...); SHA-3 is the future NIST standard to replace SHA-2 but, while known and documented, it is not published as a standard yet and thus is not considered an algorithm to be used in production environments.

Why/how is SHA-1 being deprecated ?

Please see this page for the full story...

What to do to enable SHA-2 in place of SHA-1 ?

All you have to do is replace the digest algorithm setting with sha256; thus, in OpenSSL's configuration files, change the following statement:
digest_md = sha1 to digest_md = sha256
Comodo will then automatically compute a sha256 hash to sign your certificate. You may continue to use SHA-1 if you want (i.e. if you have an application that needs it) but, if you create a certificate whose validity extends beyond 01/01/2017, it will automatically switch to SHA-2 (sha256) regardless.
IMPORTANT: While the top Certificate Authority remains the same, the intermediary chained CAs have changed. Thus, don't forget to install the new keychain file on your server as well (it is available either in the ZIP file containing the certificate or on the webpage where you download your certificate).
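
A check to run once the certificate is delivered, covering both points above: that it is signed with SHA-256 and that it only validates when the chain file is present (an added example, not part of the original FAQ; the root, intermediate and server certificates are a constructed throwaway hierarchy standing in for the real CA files):

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> server hierarchy.
set -eu

# Build the constructed hierarchy in directory $1 (throwaway, unencrypted keys).
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -extfile "$d/ca.ext" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.org" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/server.csr" \
        -CA "$d/chain.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

# Print the algorithm the issuer used to sign certificate $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# What a client sees when the server presents only its own certificate.
verify_without_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# The same check once the chain file is supplied with the certificate.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work"
echo "signature algorithm: $(cert_sig_alg "$work/server.pem")"
verify_without_chain "$work" || echo "without chain file: issuer not found"
verify_with_chain "$work" && echo "with chain file: verification OK"
```

With real files, substitute the delivered certificate and chain file for server.pem and chain.pem, and the CA root for root.pem.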

I have another question not answered by this FAQ... who can I contact ?
Send an email to; we will do our best to give you an appropriate answer ASAP.