Usage of the Let’s Encrypt SSL certificate service

The Let’s Encrypt service may be used as described below as an SSL certificate issuer for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust its use from time to time to ensure the service does not present undue or unintended risk to or burden upon university interests.

Let's Encrypt is an SSL certificate management tool approved for all evaluated risk levels (see the Cybersecurity Risk Level questionnaire at https://go.illinois.edu/risklevel) of university electronic functions requiring SSL certificates.

Let's Encrypt Requirements

1. All hosts issued a Let’s Encrypt SSL certificate must be assessed against the Privacy & Security Risk Level questionnaire.
a. It is inappropriate to use Let’s Encrypt on hosts or services that have not been evaluated; the Privacy & Security Risk Level questionnaire result for a host must be calculated beforehand.

2. Any host currently issued a Let’s Encrypt SSL certificate that remains unassessed must either:
a. Revoke all associated Let’s Encrypt SSL certificates and obtain a certificate through the University of Illinois at Urbana-Champaign SSL Certificate Manager, or
b. Immediately assess the service or solution against the Privacy & Security Risk Level questionnaire.

3. Only persons authorized to make changes to their unit’s illinois.edu DNS zone may use Let’s Encrypt for hosts in their zone.

4. All hosts issued a Let’s Encrypt SSL certificate must be officially owned by University of Illinois at Urbana-Champaign and managed by University of Illinois at Urbana-Champaign professional IT staff.
a. It is inappropriate to use Let’s Encrypt to issue official certificates for BYOD, unmanaged, personal, or non-UofI assets.

5. All campus policies, standards, provisions, and direction still apply when employing any Let’s Encrypt feature or service.

6. Let’s Encrypt SSL certificates may be issued for discrete hosts only. Wildcard and SAN certificates may not be issued through Let’s Encrypt.

7. The Chief Privacy & Security Officer is the only person who may make feature or capacity requests to Let’s Encrypt on behalf of University of Illinois at Urbana-Champaign.

8. The Let’s Encrypt service is a third-party service with no official association with the University. If you use Let’s Encrypt, you agree to use it “as-is”, including all limits in capacity and utility. The University of Illinois has no control over, and no official relationship with, Let’s Encrypt. No technical or trouble support for Let’s Encrypt services should be expected.
a. Should any incident or event occur that requires immediate certificate modification or revocation (including instances where the usage expectations and/or controls herein have been violated), the university cannot itself manage Let’s Encrypt SSL certificates, so other network-level mitigations may be imposed on an as-needed basis to mitigate exposures, risks, disruptions, or damage. Such mitigations may be disruptive and will probably affect the availability, stability, or utility of affected hosts.

FAQ

What is “Let’s Encrypt”?
Let’s Encrypt is a free, automated, open, cloud-based certificate authority (CA) service that issues Secure Sockets Layer (SSL) certificates. It is used primarily to normalize and extend the use of HTTPS for web applications. It is operated by the Internet Security Research Group (ISRG), based in California, U.S.A. See https://letsencrypt.org/

What are the advantages and disadvantages of “Let’s Encrypt”?
Advantages
  1. Low cost (free)
  2. Short duration (90 days)
  3. Ease of use (including its ACME API)
Disadvantages
  1. Cannot be administered, managed, modified, or revoked directly by campus SSL Certificate service admins.
  2. On-campus remediation during an incident could well be disruptive to any affected service using a Let's Encrypt SSL certificate.

Doc ID: 92484
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2019-06-17 11:38 CDT
Updated: 2019-06-19 16:19 CDT