Information Security
InCommon Certificate Request Processes
Last modified 3/29/2022
For step-by-step guidance on requesting or revoking certificates, see the InCommon Certificate Request Procedures page.
Processes
Individual processes exist for requesting, renewing, and revoking SSL/TLS certificates.
New Common Name Certificate Request Process
- Request Process
- The department requires a new SSL/TLS certificate.
- The department generates a new Certificate Signing Request (CSR).
- The department sends the CSR to the Information Security Office and notifies the ISO if existing certificates require revocation.
- The Information Security Office reviews the request and fulfills the request.
- The certificate manager emails the requesting team with pickup details.
- The original requester installs the certificate on the appropriate system(s).
Existing Certificate Renewal Process
- Renewal Process
- An SSL/TLS certificate was previously requested and issued as part of a New Common Name Certificate Request or Existing Certificate Renewal Request.
- The issued certificate is 45 days from expiration.
- A Cherwell ticket or department email is automatically generated.
- The requesting team evaluates the need for a renewal or revocation.
- If revocation is chosen, go to the Certificate Revocation Process below.
- The requesting team generates a new Certificate Signing Request (CSR).
- The requesting team notifies the Information Security Office of the decision to renew.
- The Information Security Office reviews the request and fulfills the request.
- The Information Security Office renewal ticket is closed.
- The original requester installs the certificate on the appropriate system(s).
- The Cherwell ticket in the requester's queue for renewal is closed.
Certificate Revocation Process
- Revocation Process
- The department requires an SSL/TLS certificate be revoked.
- The department sends the revocation request to the Information Security Office.
- The Information Security Office reviews the request and fulfills the revocation request.
- The Cherwell ticket for renewal is closed.
New Code-Signing Certificate Request Process
- Request Process
- The department requires a new code-signing certificate.
- The department sends a request to the Information Security Office.
- The Information Security Office reviews the request and fulfills the request.
- The certificate manager emails the requesting team with pickup details.
Issuance Constraints
- Multi-domain certificates may be subject to additional scrutiny, especially when being generated for use by a vendor.
- Wildcard certificates are never issued for the root ISU domains. Wildcard certificates issued to vendors are subject to additional scrutiny.
- Certificates should only be utilized for a single service. Certificates being used to authenticate multiple systems not providing an identical service will be immediately revoked. An example of acceptable use for a certificate on multiple systems is a high availability cluster where all systems in the cluster provide an identical service.
- SSL/TLS certificates are valid for 1 year. This constraint comes directly from the certificate authority and is immutable.
- Any certificate or private key suspected to be compromised must be immediately reported for revocation. Contact a member of the Information Security Office directly to report suspected breaches of certificates or certificate private keys.