III-5 Use of Encryption Certificates for CWRU Online Services

Overview

Version 0.9
Last Revision Date: July 18, 2019
Approval Date: FINAL DRAFT
Approval Authority: CWRU Chief Information Security Officer

Purpose

CWRU [U]Tech defines a standard for encryption certificates for use in CWRU server infrastructure.

Coordination with Other Policies and Procedures

Cancellation

Not applicable.

Policy Statement

General

Any service presented as being provided by the university that provides publicly accessible content should use industry-standard secure sockets layer (SSL) certificates.

The university provides systems administrators managed SSL certificate services free of charge.

Policy

  1. When establishing services needing Secure Hypertext Transport Protocol (HTTPS), Secure Sockets Layer (SSL), or Transport Layer Security (TLS) certificates, all case.edu and cwru.edu services are to procure certificates from CWRU’s [U]Tech certificate authority.
  2. CWRU participates in the InCommon certificate program. The cost of certificates and maintenance are borne by [U]Tech.
  3. Off-campus hosted services must also use CWRU’s [U]Tech certificate authority. Requests for exceptions will be addressed on a case-by-case basis.
  4. Any server that performs user authentication must have SSL encryption implemented to protect the user authentication data from disclosure or compromise.
    • Third-party hosted solutions must have CWRU system owner/sponsor approval or creation and renewal of TLS/SSL certificates.
  5. CWRU Information Security will periodically check for proper configurations and vulnerabilities to TLS/SSL services.
  6. Current certificates purchased before the implementation of this policy may be given the option to operate until current certificates expire, but must be renewed under the CWRU certificate service.

Responsibility

The InCommon CA issues and tracks certificate expirations, and is configured to email multiple notifications to server/service owner(s) when they are about to expire. It is the responsibility of each server/service owner to request and install updated certificates before they are about to expire.
[U]Tech Certificate Administrators: Approve the issuance of a certificate that has been requested for new certificates and certificate renewals. The certificate administrators will vet the request to make sure the certificate has been properly requested and will reach out to the requestor with any questions prior to approving the certificate issuance. Upon request the CWRU certificate administrators will enable auto-renewal of any certificate up for renewal. The certificate automatically generated by this process must still be installed by the service owner.
Systems Administrators: Engage the [U]Tech Certificate Authority to obtain free certificates (see the Certificate KBA). Upon receipt of the requested certificate, the system administrator is responsible for getting the certificate properly installed so that it properly protects the data being presented by the service.

Definitions

Certificate Authority (CA): An authority in a network that issues and manages security credentials for message encryption.

Encryption Certificate: An electronic document used to bind together a public key with an identity.

SSL/TLS, also Secure Socket Layer and Transport Layer Security Secure Sockets Layer (SSL): Protocols used to authenticate servers and clients and to encrypt messages between the authenticated parties.

Standards Review Cycle

This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.