Security, 3rd-party SSL certificate services, guidance and usage

3rd-party SSL certificate services may be used as described below to issue SSL certificates for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust approved providers from time to time to ensure the services do not present undue or unintended risk to or burden upon university interests.

Approved Vendors

The listed SSL certificate management tools are approved for all evaluated risk levels (see the Cybersecurity Risk Level questionnaire at https://go.illinois.edu/risklevel) of university electronic functions requiring SSL certificates. See additional requirements for university use below.

AWS Certificate Manager

Technology Services cPanel

 

Requirements for use

3rd party SSL tools and services listed above may be used as described and restricted below as SSL certificate issuers for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust its use from time to time to ensure the service does not present undue or unintended risk to or burden upon university interests.

1. All hosts issued a 3rd party SSL certificate must be assessed against the Privacy & Security Risk Level questionnaire.
a. It is inappropriate to use 3rd party SSL certificates on hosts or service that have not been evaluated; The Privacy & Security Risk Level questionnaire result for hosts must be calculated beforehand.
2. Any un-assessed host currently issued a 3rd party SSL certificate must either:
a. Revoke all associated 3rd party certificates and obtain a certificate through the University of Illinois at Urbana-Champaign SSL Certificate Manager.
b. Immediately
assess the service or solution
against the Privacy & Security Risk Level questionnaire
3. Only persons authorized to make changes to their unit’s illinois.edu DNS zone may use 3rd party SSL certificates for hosts in their zone.

4. All hosts issued a 3rd party certificate must be officially owned, contracted, or leased by University of Illinois at Urbana-Champaign and managed by University of Illinois at Urbana-Champaign professional IT staff.
a. It is inappropriate to use a 3rd party SSL certificate service to issue official certificates for BYOD, unmanaged, personal, or non-UofI assets.
5. All campus policies, standards, provisions, and direction still apply when employing any 3rd party SSL certificate service feature or service.

6. 3rd party SSL certificates may be issued for discrete hosts only. Wildcard and SAN certificates may not be issued through any 3rd party SSL certificate service.

7. The Chief Privacy & Security Officer is the only person who may make feature or capacity requests to 3rd party SSL certificate services on behalf of University of Illinois at Urbana-Champaign.

8. All approved third-party services listed have no official association or official relationship with the University. If you use a 3rd party SSL certificate service, you agree to use it “as-is”, including all limits in capacity and utility. No technical or trouble support for 3rd party SSL certificate services should be expected.
a. Should any incident or event occur requiring immediate certificate modification or revocation (including instances where the usage expectations and/or controls herein have been violated), due to the inability for the university to manage 3rd party SSL certificates, other network-level mitigations may be imposed to mitigate exposures, risks, disruptions, or damage on an as-needed basis. Mitigations may be disruptive and will probably affect availability, stability, or utility of affected hosts.

FAQ

What is “Let’s Encrypt”?
Let’s Encrypt is a cloud-based free, automated, open certificate authority (CA) service that issues Secure Socket Layer (SSL) certificates. It is used primarily to normalize and extend the use of HTTPS for web applications. It is delivered by the Internet Security Research Group (ISRG), based in California, U.S.A. See https://letsencrypt.org/

What are the Advantages and disadvantages of “Let’s Encrypt”?
Advantages
  1. Low cost (free)
  2. Short duration (90 days)
  3. Ease of use (including its ACME API).
Disadvantages
  1. Cannot be administered, managed, modified, or revoked directly by campus SSL Certificate service admins.
  2. On-campus remediation during an incident could very possibly be disruptive to any affected service using a Let's Encrypt SSL certificate.




Keywords:security, cybersecurity, access, privacy, ssl, certificate, encryption, web, website, secure, letsencrypt, risk, scism, endpoint, webapp, application, cert, amazon, aws, cpanel   Doc ID:92484
Owner:Security S.Group:University of Illinois Technology Services
Created:2019-06-17 10:38 CSTUpdated:2019-09-26 11:25 CST
Sites:University of Illinois Technology Services
Feedback:  0   0