Last updated: 
3 weeks 2 days ago
Group Manager

Welcome to the Jisc Certificate Service group.

The service offers a number of different X509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority, QuoVadis who is the provider of the certificates.

The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education.

This is a Community group where users can obtain relevant information, receive service updates and provide feedback.

Error message

  • Notice: Undefined index: ja.netprod-jisc-memcache_storage_bin_indexes in MemcacheStorageAPI::getMultiple() (line 241 of /var/www/html/sites/all/modules/contrib/memcache_storage/
  • Notice: Undefined index: ja.netprod-jisc-cache_bootstrap_1-variables in MemcacheStorageAPI::getMultiple() (line 241 of /var/www/html/sites/all/modules/contrib/memcache_storage/

With regards to our update in September regarding the underscores in domain names for SSL certificates, The CAB Forum has now clarified their position:

 “All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.”

We will be adding the underscore character to the list of invalid characters very soon to stop these any future requests going through.


The use of underscore characters in dnsNames is not allowed in Internet standards but has historically been treated as a gray area when used in the SAN field of TLS/SSL certificates.  Most CAs are disallowing this issuance following discussion in the CA/Browser Forum.

We have  previously issued browser-trusted TLS/SSL certificates that include dnsNames with underscore characters in the SAN fields.



Q1) What is the change?

From 1 August, new industry regulation states that Certificate Authorities (CAs) must no longer rely on checking a public WHOIS record to validate domain ownership. Instead, customers requesting a certificate must demonstrate a ‘positive interaction’ to show they have control over/ownership of the domain to be used in a certificate.


Change to Certificate Service – from 1st March 2018

Q1) What is the change in the maximum duration of certificates?

    A) The maximum duration will be limited to 2 years, currently this is 3 years.

Q2) What certificates are affected?

    A) Only medium assurance Organisation Validated (OV) certificates. High assurance Extended Validation (EV) and Wildcard  certificates are already limited to 2 years.

Q3) Who is driving this change?


We're pleased to announce that from today the service can provide end user certificates, which are used for digitally signing and encrypting emails. These are called S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates.

S/MIME are installed on email clients which then enable the end user to send digitally signed emails, giving recipients assurances that the email originated from the sender's account. By signing emails, recipients can also have confidence that the contents of the email has been been altered in transit.


The following certificates can be obtained through the Jisc Certificate Service's web app, found in the App Centre here:

The service provides Extended Validation (EV) server certificates S/MIME end user for digitally signing emails for high, both of which offer users the highest possible assurance. Business/Organisation Validated (OV) and Wildcard (of OV type) certificates are also available.


All certificates issued are SHA-256.



For all FAQs please click on the header link 'Charging FAQs'

Jisc Certificate Service – charging update 24.04.2013 - 10 new points:

1. Why is the date for charging being moved?


Availability of SHA-256 certificates: 14 October 2014
We’re pleased to announce an agreement has been reached between TERENA and Comodo which will enable customers to obtain SHA-256 certificates. This is available with immediate effect and all certificates obtained from the service will be by default SHA-256.

Prev | Next