Last updated: 
4 months 1 week ago
Group Manager

Welcome to the Jisc Certificate Service group.

The service offers a number of different X509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority, QuoVadis who is the provider of the certificates.

The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education.

This is a Community group where users can obtain relevant information, receive service updates and provide feedback.


With regards to our update in September regarding the underscores in domain names for SSL certificates, The CAB Forum has now clarified their position:

 “All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.”

We will be adding the underscore character to the list of invalid characters very soon to stop these any future requests going through.


Back in the day (early UK e-Science days), we had University of XXXX asking for O=University_of_XXXX: it led to the DN being encoded as BMPString which was not good; it should have been printableString, but underscore is not allowed for printableString (see RFC2252) - these days one would use the UTF8 encoding, but we still recommend that people not use underscores and other naughty characters, like '@' in DNs. See 


As a user of the certificate service, I wanted to let you know that our supplier is increasing the tariff prices on this service in addition to increasing administration costs. This means that as of 1 October 2019, the cost of credits will change as per the table below.

Any credits bought between now and 1st of October will be charged at the current price and remain valid for two years.

Mixed SSL Credits:


Jisc’s Certificate Service is due for re-procurement in 2021 and as part of this process we want to get your views.

We are inviting those who use the service to take part in a workshop on Tuesday 24th September at Jisc’s offices in London. During the day we will be asking for your feedback on the existing service and provide you with the opportunity to discuss any additional functionality that would enhance the service.

The workshop will start at 10:30 and finish at 15:00 – lunch will be provided.


The use of underscore characters in dnsNames is not allowed in Internet standards but has historically been treated as a gray area when used in the SAN field of TLS/SSL certificates.  Most CAs are disallowing this issuance following discussion in the CA/Browser Forum.

We have  previously issued browser-trusted TLS/SSL certificates that include dnsNames with underscore characters in the SAN fields.



Q1) What is the change?

From 1 August, new industry regulation states that Certificate Authorities (CAs) must no longer rely on checking a public WHOIS record to validate domain ownership. Instead, customers requesting a certificate must demonstrate a ‘positive interaction’ to show they have control over/ownership of the domain to be used in a certificate.


Change to Certificate Service – from 1st March 2018

Q1) What is the change in the maximum duration of certificates?

    A) The maximum duration will be limited to 2 years, currently this is 3 years.

Q2) What certificates are affected?

    A) Only medium assurance Organisation Validated (OV) certificates. High assurance Extended Validation (EV) and Wildcard  certificates are already limited to 2 years.

Q3) Who is driving this change?


We're pleased to announce that from today the service can provide end user certificates, which are used for digitally signing and encrypting emails. These are called S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

S/MIME are installed on email clients which then enable the end user to send digitally signed emails, giving recipients assurances that the email originated from the sender's account. By signing emails, recipients can also have confidence that the contents of the email has been been altered in transit.

Prev | Next