UK - InCommon Certificates
The University of Kentucky has partnered with the InCommon Certificate Service to provide unlimited SSL certificates signed by root CA provider Comodo to departments. This new certificate service will replace the Thawte certificates that we previously issued and is available to all UK departments and affiliates.
What is an SSL Certificate?
An SSL Certificate (Secure Sockets Layer), also called a Digital Certificate, creates a secure link between a website and a visitor's browser. By ensuring that all data passed between the two remains private and secure, SSL encryption prevents hackers from stealing private information such as credit card numbers, names and addresses.
An SSL certificate that is signed by a valid certificate authority:
- Verifies the identity of the server to the client (i.e. the client is connecting to the real <example>.uky.edu);
- Is used to encrypt data in both directions between the client and the server.
What browsers, devices and application suites are supported?
Most common browsers and platforms are supported. Please see the InCommon documentation for a complete list.
What products are available?
The InCommon Certificate Service makes the following products available:
- Standard SSL/TLS Server certificates
- Multi-Domain SSL Certificates
- Wildcard certificates (some restrictions apply)
- Extended Validation (EV) Certificates Upon request
- Code-signing certificates
- Intranet SSL certificates (Will be discontinued after October 31st 2015)
By providing SSL/TLS certificates at no cost to individual units, this project cuts IT operational costs across the board, and encourages the use of certificates signed by a legitimate certificate authority, rather than self-signed certificates that are vulnerable to Man in the Middle (MITM) attacks.
What is the procedure for a campus unit to acquire SSL certificates?
In order to request a certificate you must first contact email@example.com on behalf of your department/unit to establish a profile in the InCommon Certificate Manager portal. Your request will then be vetted by UKIT Security personnel to collect the additional information needed. This process can take up to 24 hours.
What do I do if I have other questions or want more information?
Visit the UKIT Certificate webpage http://www.uky.edu/ukit/security/certs or contact firstname.lastname@example.org.
What is InCommon?
InCommon is a service developed by and for the higher education community. InCommon is a non-profit, community-governed organization whose primary driver is providing value to that community.
What is the InCommon Certificate Service?
The InCommon Certificate Service provides unlimited certificates for all domains owned by a college or university for one fixed annual fee. The program includes all certificates, including SSL, extended validation, client (personal), and code signing. InCommon has contracted with Comodo, a leading commercial provider of certificates.
What are the benefits of using SSL/TLS certificates?
By using SSL/TLS secured web sites, site administrators and their users get three important protections:
- Network traffic gets protected from eavesdropping
- Network traffic gets protected from tampering
- Users get protected from accidentally going to a look-alike counterfeit site
What is the cost to the campus unit, if any?
There is no direct cost to campus units as UKIT has paid the InCommon-Comodo CA institutional fee.
How does a department or user get an SSL certificate?
To obtain SSL certificates, staff should contact the IT office for their respective department, college or unit. Each college and unit should have established, localized procedures. If there are issues finding a contact, UKIT Security can assist you in locating the appropriate staff member for your department, college, or unit.
The process for a unit to become enabled to issue InCommon SSL certificates is an easy one. The department, college, or unit provides:
- Information regarding the department (department name, contact info, etc)
- The domains within that unit, and
- The names of the individuals that should be given access to the Certificate Manager software tools. These individuals are known as Department Registration Authority Officers (DRAO) in the Certificate Manager Portal.
Follow the instructions on the Request a Certificate page to get a certificate.
How do I generate a CSR and install the signed certificate?
For help with generating a CSR and other certificate issues, consult the Comodo Knowledge Base for your web-server type.
What is the minimum length for certificate keys?
Certificate keys must be at least 2048-bit. 1024-bit keys shall not be reused.
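The following shell functions are an added example (not from this page or from Comodo's documentation): they generate a CSR with a fresh 2048-bit RSA key for a hypothetical host and then read the key size back out of a CSR, so a DRAO can reject a 1024-bit request before approving it. The host name and subject fields are assumptions.

```shell
#!/bin/sh
# Added example (not from the UK/InCommon page): generate a CSR that meets the
# 2048-bit minimum and verify the key length of any CSR before approving it.
set -eu

# gen_csr HOST KEYFILE CSRFILE: create a new 2048-bit RSA key and a CSR for HOST.
# The subject fields below are placeholders; use your unit's real values.
gen_csr() {
  host=$1; key=$2; csr=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/C=US/ST=Kentucky/L=Lexington/O=University of Kentucky/CN=$host" 2>/dev/null
}

# csr_key_bits CSRFILE: print the RSA modulus size (in bits) declared in the CSR.
# Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)" output styles.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_meets_minimum CSRFILE: succeed (0) only if the key is at least 2048 bits.
# A CSR whose key size cannot be read is treated as failing the check.
csr_meets_minimum() {
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}
```

A DRAO can run `csr_meets_minimum request.csr || echo "reject: key too short"` on a submitted CSR before approving it in the portal.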
Where can I submit my CSR?
How do I install my certificate?
How can I validate that my certificate is correctly installed on my server?
In addition to using validation web sites such as the COMODO SSL Analyzer, you can use OpenSSL's s_client tool, for example:
openssl s_client -host somehost.berkeley.edu -port 443 -showcerts -verify 3
How long does it take for the certificate to be issued after I request it?
It can take up to 24 hours, but is usually quicker.
Can I get a certificate for a host in a non-UK domain?
Yes — as long as UK hosts the domain.
To ensure the university's compliance with the InCommon agreement, requests for certificates outside of UK's .edu domains are subject to extra vetting and approval, by both the university and possibly InCommon.
To begin your request, send an email to email@example.com requesting the domain be added, and UKIT Security will initiate the process of validating your domain with InCommon. Approvals for non *.uky.edu domains will require additional processing time. These requests will require additional information to be submitted, and changes to the DNS records by the WHOIS admin contact for the domain. After the domain is validated, you can then request a certificate for a host in that domain through the InCommon Portal.
On November 22, 2011, the CA/Browser Forum adopted “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.0” (hereafter referred to as the “BR 1.0”) to take effect on July 1, 2012. As part of these requirements, Section 9.2.1 indicates:
How will I know when my certificate is about to expire?
Notifications can be customized in the InCommon Portal to meet your needs. We suggest configuring a notice be sent 30 days prior to your certificate expiration date.
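The shell helpers below are an added example (not from this page, InCommon or Comodo) covering both the s_client check above and the 30-day expiry notice suggested here: they fetch the certificate a server presents, report OpenSSL's chain verification result, and flag a certificate that expires inside a given window. The network functions assume the host is reachable; the host names in comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the UK/InCommon page: check a deployed certificate with
# OpenSSL and flag one that expires within the 30-day notice window the page suggests.
set -eu

# served_cert HOST PORT: print the leaf certificate HOST:PORT presents, as PEM.
# -servername sends SNI so name-based virtual hosts return the right certificate.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# served_verify_code HOST PORT: print OpenSSL's chain verification result.
# "Verify return code: 0 (ok)" means the chain validated against the local trust store.
served_verify_code() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

# expires_within_days PEMFILE DAYS: succeed (0) if the certificate expires within DAYS
# days or has already expired; fail (1) if it remains valid beyond that window.
expires_within_days() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# cert_summary PEMFILE: subject, expiry and SANs, suitable for the DRAO's request records.
# -ext needs OpenSSL 1.1.1 or later; older releases fall back to subject and expiry only.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$1" -noout -subject -enddate
}

# Typical use (placeholder host):
#   served_cert www.example.uky.edu 443 > live.pem
#   served_verify_code www.example.uky.edu 443
#   expires_within_days live.pem 30 && echo "renew soon"
#   cert_summary live.pem
```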
Is there training or more detailed documentation available?
There is a user manual and training content at the InCommon.org website: http://www.incommon.org/certificates/resources.html
Who is the DRAO (Departmental Registration Authority Officer) for my area?
List coming soon. Email firstname.lastname@example.org if you have any questions.
Certificate Service Manager (CSM)
The Certificate Service Manager is a web application that provides the interface for all activity using the InCommon service, including approval of certificates for signing, delegation of authority, etc.
Certificate signing requests (CSRs) can be submitted through various means but eventually must be approved by someone with the authority for that department and domain. Approved certificate requests are signed and delivered (via email/download) by Comodo.
The CSM has some notable features:
- Optionally, end users can submit CSRs through the CSM so that administrators need only to approve or decline a request (no data entry)
- Scanning of and reporting on deployment of SSL certificates
- Customizable notifications for administrators
- Customizable email templates for communication with end users
Terms and Concepts
- Organization: the highest level administrative unit on campus in the InCommon system. At UK: the University of Kentucky.
- Department: generic term for an administrative unit within the Organization; a domain can be delegated to a department. At UK: any administrative unit within the Organization.
- Registration Authority Officer (RAO): campus authority for the InCommon Certificate Service. At UK: University of Kentucky IT Security.
- Department Registration Authority Officer (DRAO): staff delegated certificate approval authority by the RAO for specific department(s). At UK: staff for an administrative unit.
Roles and Responsibilities
REGISTRATION AUTHORITY OFFICERS (RAO)
UKIT Security members serve as the Registration Authority Officers (RAO) for the University. The responsibilities of the campus RAOs include:
- policy authority and system administrator for The University of Kentucky
- contact with InCommon and (for high-level issues) Comodo
- certificate approver for certificates of higher risk (e.g. wildcard, Extended Validation)
- delegator of authority to approve certificates
DEPARTMENTAL REGISTRATION AUTHORITY OFFICERS (DRAO)
DRAOs are delegated the authority to approve SSL certificates for a specific delegated domain using the InCommon Certificate Services Manager (CSM). In return, DRAOs are responsible for processing certificate requests from their departmental users and for the related work described below. The campus RAO, who delegates the authority, is also available to help configure the CSM as needed and with general troubleshooting.
A candidate for a DRAO should:
- Be a full-time professional IT staff member and have good knowledge of and prior experience with handling SSL certificates (generating CSRs, installing certificates, etc.)
- Have technical support responsibilities for an administrative unit (division, school, department, etc.) that has an ongoing need for certificates for a subdomain of *.uky.edu (e.g. *.example.uky.edu) or a domain that is outside of the uky.edu namespace (e.g. *.example-uky-site.org) but uses campus DNS for its authoritative domain name service.
DRAO Responsibilities include:
- Understand how to use the CSM. Report any issues, questions, or concerns to the RAO.
- Take reasonable steps to publicize the service to your relevant departmental users.
- Process certificate requests from your departmental users. Verify that requests for certificates are legitimate before approving them. If the DRAO does not personally know the person making the certificate request and their business need for the certificate, perform due diligence by contacting a responsible person within the department who can vouch for the request's legitimacy. When in doubt, make a phone call or personal visit to a manager in the relevant area. Document any request validation done outside of personal knowledge.
- Record requests/approvals and any necessary request validation for at least three years and make available to RAOs upon request. This can be done entirely within the CSM or with an external system such as a request tracking or ticketing system.
- Stay current with announcements of service updates, etc. from the campus RAO via the DRAO email list and respond to RAO requests for information in a timely way.
- Provide basic tier 1 support to your departmental users to help them understand their certificate options, generate CSRs, and install certificates and certificate chains. Comodo and your campus RAO provide documentation for end users that you can use. Support issues that need escalation can be directed to the campus RAO and/or Comodo.
Becoming a DRAO - If you have questions about this service or are interested in becoming a DRAO please email email@example.com.
Where can I find common troubleshooting support?
Technical support and troubleshooting are provided by the vendor, Comodo, via web support, e-mail, and telephone.
Choose from one of the following support options:
- Contact UKIT Security with general questions at firstname.lastname@example.org.
- Web support
- E-mail support (available 24x7)
- Telephone support (available Monday through Friday, 4 AM to 8 PM Eastern): (703) 637-9361. Select Option 1 - Enterprise Solutions Support, then select Option 2 - Certificate Manager or Digital Certificate Support.
Request a Certificate
There is a user manual and training content at the InCommon.org website: http://www.incommon.org/cert/demos/.
1. Submit a department group to UKIT Security
The first step for a unit to become enabled to manage and request certificates is to create a group name. This will create a department group per Campus IT director. An example of the data required includes:
Department Name: Business and Economics
2. Submit domain(s) to associate with your department
Provide a list of domains you want to activate SSL certificates for in your unit. You can send as many as you like. At least one domain is required for initial setup. You may add others as you need to by submitting them to the certificate administrator through the UKIT Security office.
Description: Business and Economics website
3. Submit the names of the individuals in your department, college, or unit group who will create certificates for your department
As a reminder, these individuals will be known as Department Registration Authority Officers (DRAO) in the certificate management software. The information required for each individual should be submitted like this:
- Link Blue ID: wildcat01
- Email Address: email@example.com
- Full Name of the proposed DRAO: Wally Wildcat
- Phone number
After an individual is added for the unit, the UKIT Security office will contact the DRAO with an initial password and logon information.