Title: Use of Encryption Certificates for CWRU Online Services
Approved by: Office of the President
Date approved by President or Board of Trustees: July 18, 2019
Effective date: July 18, 2019
Responsible Official: Chief Information Security Officer
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies:
Review Period: 3 Years
Date of Last Review: August 21, 2024
Relates to: Faculty, Staff
Summary
CWRU [U]Tech defines a standard for encryption certificates used in CWRU server infrastructure.
Any service presented as being provided by the university that serves publicly accessible content should use industry-standard TLS (formerly SSL) certificates issued by a recognized certificate authority.
Purpose
The university provides systems administrators with a managed TLS/SSL certificate service free of charge.
- When establishing services that need certificates for HTTPS or any other TLS/SSL-protected protocol, all case.edu and cwru.edu services are to procure certificates from CWRU's [U]Tech certificate authority.
- CWRU participates in the InCommon certificate program. The cost of certificates and of their maintenance is borne by [U]Tech.
- Off-campus hosted services must also use CWRU's [U]Tech certificate authority. Requests for exceptions will be addressed on a case-by-case basis.
- Any server that performs user authentication must have TLS implemented so that user credentials and session data are encrypted in transit and protected from disclosure or compromise.
- Third-party hosted solutions must have CWRU system owner/sponsor approval for the creation and renewal of TLS/SSL certificates.
- CWRU Information Security will periodically check TLS/SSL services for proper configuration (supported protocol versions, cipher suites, certificate validity and hostname coverage) and for known vulnerabilities.
- Certificates purchased before this policy took effect may remain in service until they expire, but must then be renewed through the CWRU certificate service.
Responsibility
The InCommon CA issues certificates and tracks their expiration, and is configured to email multiple notifications to the server/service owner(s) as expiry approaches. It is the responsibility of each server/service owner to request and install a renewed certificate before the current one expires.
[U]Tech Certificate Administrators: Approve issuance for new certificate requests and renewals. The certificate administrators vet each request to make sure it has been properly submitted and contact the requestor with any questions before approving issuance. On request, the CWRU certificate administrators will enable auto-renewal for any certificate that is up for renewal; the certificate produced by auto-renewal must still be installed by the service owner.
Systems Administrators: Engage the [U]Tech Certificate Authority to obtain free certificates (see the Certificate KBA). Upon receipt of the requested certificate, the system administrator is responsible for installing it correctly, with the full intermediate chain, so that it properly protects the data presented by the service.
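The two things a service owner is expected to get right above are the renewal window (the CA emails before expiry, but the owner must notice and act) and the installed certificate actually covering the service's hostname. The following Go program is an added example of those checks; it is not code from CWRU, [U]Tech or InCommon. The hostnames svc.case.edu and svc.cwru.edu are hypothetical, the certificate is self-signed test data generated inside the block (standing in for an issued certificate), and the 30-day renewal window is an assumption. It also shows a minimal hardened server config with a TLS 1.2 floor, which is the kind of setting a periodic configuration check looks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertFinding summarises one leaf certificate against the policy's expectations.
type CertFinding struct {
	Subject     string
	NotAfter    time.Time
	DaysLeft    int  // whole days until NotAfter; negative once expired
	Expired     bool // now lies outside [NotBefore, NotAfter]
	RenewSoon   bool // still valid but within warnDays of NotAfter
	HostMatches bool // the service hostname is covered by the certificate's SANs
}

// CheckLeafCert parses the first PEM CERTIFICATE block in pemData and checks the
// validity window, the renewal window and hostname coverage at time now.
// It does not build a chain to a trusted root; that is a separate check.
func CheckLeafCert(pemData []byte, host string, now time.Time, warnDays int) (CertFinding, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertFinding{}, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertFinding{}, fmt.Errorf("parse certificate: %w", err)
	}
	remaining := cert.NotAfter.Sub(now)
	f := CertFinding{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: int(remaining.Hours() / 24),
		Expired:  now.Before(cert.NotBefore) || now.After(cert.NotAfter),
	}
	f.RenewSoon = !f.Expired && remaining <= time.Duration(warnDays)*24*time.Hour
	// VerifyHostname matches against the SAN list (wildcards included), as
	// browsers do; a matching CN alone is not sufficient.
	f.HostMatches = cert.VerifyHostname(host) == nil
	return f, nil
}

// CheckTLSMinVersion rejects a server config whose protocol floor is below TLS 1.2.
// A zero MinVersion leaves the floor to the Go toolchain default, which has
// changed between releases, so it is treated as "not set" and rejected.
func CheckTLSMinVersion(cfg *tls.Config) error {
	if cfg.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion)
	}
	return nil
}

// HardenedTLSConfig: TLS 1.2 floor, leaf certificate(s) supplied by the caller.
func HardenedTLSConfig(certs ...tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: certs}
}

// NewSelfSignedCert builds a constructed, self-signed test certificate for the
// given hostnames. It stands in for a CA-issued certificate in this example only.
func NewSelfSignedCert(hosts []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Hypothetical service names; the certificate is constructed test data.
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	pemData, err := NewSelfSignedCert([]string{"svc.case.edu", "svc.cwru.edu"}, now, now.Add(10*24*time.Hour))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	f, err := CheckLeafCert(pemData, "svc.cwru.edu", now, 30)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s expires %s (%d days); renew soon: %v; host ok: %v\n",
		f.Subject, f.NotAfter.Format(time.RFC3339), f.DaysLeft, f.RenewSoon, f.HostMatches)
	fmt.Println("TLS floor check:", CheckTLSMinVersion(HardenedTLSConfig()))
}
```

To run the same check against a live service rather than constructed data, dial it with crypto/tls and pass `ConnectionState().PeerCertificates[0]` (re-encoded as PEM, or the DER bytes directly to `x509.ParseCertificate`) into the same logic; the leaf is only half the story, so a production check should also verify the chain with `cert.Verify` against the system roots, which would catch a missing intermediate that a browser would reject.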
Definitions
Certificate Authority (CA): A trusted entity that issues, tracks and revokes digital certificates binding public keys to identities.
Encryption Certificate: An electronic document, signed by a CA, that binds a public key to an identity (for a server, its hostname or hostnames).
SSL/TLS (Secure Sockets Layer / Transport Layer Security): Protocols used to authenticate servers (and optionally clients) and to encrypt messages between the authenticated parties. TLS supersedes SSL; all SSL versions are deprecated and should be disabled.