Cornell University SSL Certificate Service
Overview
CIT's IT Security Office now offers an on-site distribution service for GeoTrust SSL server certificates (supporting 128-bit session encryption). The service is available at no cost to Cornell departments. The goal of the service is to promote the use of SSL where appropriate and to streamline and expedite the process of obtaining a certificate. CIT will review the decision to subsidize the service each year during the University's annual budget planning cycle. Factors such as cost and the progress of Internet2 efforts to build a certificate authority for higher education may result in a change to the service itself or to the cost of the service. Based on the situation today, we anticipate that the current no-fee service will be in place for at least the next two years.
Benefits:
- User privacy and data integrity: data is encrypted in transit, so an eavesdropper on the network cannot read it, and any alteration of it between the two endpoints is detected rather than silently accepted.
- Strong assurance of server authenticity: the certificate is signed by GeoTrust's certificate authority, one of a limited number of certificate authorities automatically trusted by major browsers, so users see no certificate warning and can confirm they are talking to the genuine server rather than an impostor.
Below is a list of factors which in combination or by themselves indicate that SSL should be used:
- Users are required to authenticate to access the service
- The service displays, or asks the user to provide, information that is:
- Protected by federal or state legislation (some examples: medical histories, personal financial data used for granting loans, student visa status, Social Security numbers)
- Considered sensitive or confidential (University budgets, physical security infrastructure documents, vendor contracts)
- Users must be able to confirm the authenticity of the server. In a limited development or test environment a self-signed certificate may be acceptable; the corresponding production service, however, requires the assurance of a certificate signed by a globally recognized certificate authority, since a self-signed certificate gives users no way to tell the real server from an impostor.
Guidelines and best practices:
- You must be a permanent member of the staff or faculty to request a certificate.
- When you generate the Certificate Signing Request (CSR), a private key is generated alongside it and should be encrypted with a pass phrase you choose. Only the CSR is sent to the certificate authority; the private key stays on the server, readable only by the account that runs the service. Make a backup of the private key and choose a pass phrase you will remember: the issued certificate is useless without both.
- You must contact sslcert-admin@cornell.edu to revoke a certificate if:
- The server is compromised
- The private key is compromised or lost
- Your pass phrase is compromised or lost
- Certificates are issued for one year. You are responsible for taking action upon receipt of a renewal notification.
- If your application is accepting credit cards for financial transactions, you must work with the Office of Cash Management. Refer to University Policy 3.17 "Accepting Credit Cards to Conduct University Business": http://www.policy.cornell.edu/CM_Images/Uploads/POL/vol3_17.pdf
Basic steps for using this service:
- If this is a request for a new certificate:
- Generate a Certificate Signing Request (CSR) [see instructions].
- Go to the self-service site for the Cornell University SSL Certificate Service and complete the form.
- Wait for your request to be approved. You will receive an email confirming receipt of your order and telling you that it is pending approval.
- Upon receipt of the email containing the certificate, install it on your server [see instructions].
- If you do not receive the certificate by close of business on the day following your request, notify sslcert-admin@cornell.edu
- GeoTrust will honor up to one year of remaining time on a competitor's certificate (Verisign, Thawte, Entrust, or Baltimore). If you are taking advantage of this option:
- Generate a Certificate Signing Request (CSR)
- Send the CSR, your contact information and contact information for your manager to sslcert-admin@cornell.edu
- If you determine that the certificate issued to you cannot be used for any reason please notify sslcert-admin@cornell.edu within 7 days so that Cornell can receive a credit.
- When your certificate's expiration date approaches, you will be notified by e-mail so you have a chance to renew. Return to the self-service site for the Cornell University SSL Certificate Service and complete the form as if you were ordering a new certificate. You can renew up to 90 days in advance, and the time left on the old certificate will be added to the new certificate.
- GeoTrust offers a self-service certificate reissue/replacement program for the life of a certificate. This enables the free replacement of the certificate for the same domain in the event the certificate or the keys are deleted or destroyed. A lost key cannot be recovered, so reissuance for a lost key means generating a new private key and a new CSR; if the key may have been exposed rather than merely lost, also request revocation of the old certificate as described above. Please visit the GeoTrust Certificate Reissuance Site to request that GeoTrust reissue the certificate.
- For a list of certificates issued to you send an e-mail request to sslcert-admin@cornell.edu. We can send the list for any date range you specify so be sure to include that information. Please allow two to three business days to receive this report.
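The OpenSSL commands behind the "generate a CSR" and "install the certificate" steps above, together with the check a practitioner wants before installing: that the certificate the CA returned was actually issued for the private key on this server. This is an added example, not part of the Cornell page or of CIT's instructions; the hostname, file paths, pass-phrase file and subject fields are placeholders (assumptions), and the self-signed helper stands in for the CA only in a development or test environment, as the guidelines allow.

```shell
# Added example (not from the Cornell page): generating the private key and CSR,
# sanity-checking the CSR before submission, and confirming that an issued
# certificate matches the key before installing it.
# Hostname, paths and subject fields are placeholders (assumptions).

# Generate a 2048-bit RSA private key, encrypted under the pass phrase stored
# (one line) in $passfile, and a CSR for $host signed by that key.
# Only the CSR is sent to the CA; the key never leaves the server.
make_csr() {
    host="$1"; passfile="$2"; keyfile="$3"; csrfile="$4"
    openssl genrsa -aes256 -passout "file:$passfile" -out "$keyfile" 2048 2>/dev/null
    chmod 600 "$keyfile"    # readable only by the account that runs the server
    openssl req -new -key "$keyfile" -passin "file:$passfile" -out "$csrfile" \
        -subj "/C=US/ST=New York/L=Ithaca/O=Cornell University/CN=$host"
}

# Check a CSR before submitting it: its self-signature must verify and its CN
# must be the hostname users will actually type. Returns 0 on success.
check_csr() {
    csrfile="$1"; host="$2"
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csrfile" -noout -subject | grep -q "CN *= *$host"
}

# Return 0 only if $certfile was issued for the public key in $keyfile.
# Compares SHA-256 digests of the DER-encoded public keys, so a certificate
# returned for the wrong CSR (or an old key) fails here, not at the first
# client connection after installation.
cert_matches_key() {
    keyfile="$1"; passfile="$2"; certfile="$3"
    k=$(openssl pkey -in "$keyfile" -passin "file:$passfile" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$certfile" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-in for the CA in a development or test environment only: a self-signed
# certificate for the CSR, valid for one day. Production installs the CA-issued one.
self_sign_for_test() {
    csrfile="$1"; keyfile="$2"; passfile="$3"; certfile="$4"
    openssl x509 -req -in "$csrfile" -signkey "$keyfile" -passin "file:$passfile" \
        -days 1 -out "$certfile" 2>/dev/null
}

# Typical use (placeholder names):
#   printf 'your pass phrase\n' > pass.txt && chmod 600 pass.txt
#   make_csr www.example.edu pass.txt server.key server.csr
#   check_csr server.csr www.example.edu && cat server.csr   # paste into the order form
#   cert_matches_key server.key pass.txt server.crt          # run on the cert the CA returns
```

The mismatch check is the part worth keeping in a renewal runbook: when a certificate is renewed or reissued with a fresh key, an old key left in the server configuration produces a certificate/key mismatch that only shows up when the service restarts.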
