Security, 3rd-party SSL certificate services, guidance and usage
3rd-party SSL certificate services may be used as described below to issue SSL certificates for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust approved providers from time to time to ensure the services do not present undue or unintended risk to or burden upon university interests.
Requirements for use
3rd party SSL tools and services listed above may be used as described and restricted below as SSL certificate issuers for University of Illinois at Urbana-Champaign, University of Illinois at Springfield, and University Administration. The Chief Privacy and Security Officer reserves the right to re-evaluate and adjust its use from time to time to ensure the service does not present undue or unintended risk to or burden upon university interests.
1. All hosts issued a 3rd party SSL certificate must be assessed against the Privacy & Security Risk Level questionnaire.
   a. It is inappropriate to use 3rd party SSL certificates on hosts or services that have not been evaluated. The Privacy & Security Risk Level questionnaire result for hosts must be completed beforehand.
2. Any un-assessed host currently issued a 3rd party SSL certificate must either:
   a. Revoke all associated 3rd party certificates and obtain a certificate through the University of Illinois at Urbana-Champaign SSL Certificate Manager.
   b. Immediately assess the service or solution against the Privacy & Security Risk Level questionnaire.
3. Only persons authorized to make changes to their unit’s illinois.edu DNS zone may use 3rd party SSL certificates for hosts in their zone.
   a. It is inappropriate to use a 3rd party SSL certificate service to issue official certificates for BYOD, unmanaged, personal, or non-UofI assets.
5. All campus policies, standards, provisions, and direction still apply when employing any 3rd party SSL certificate service feature or service.
   a. Should any incident or event occur requiring immediate certificate modification or revocation (including instances where the usage expectations and/or controls herein have been violated), other network-level mitigation may be imposed on an as-needed basis to limit exposures, risks, disruptions, or damage, because the university cannot manage 3rd party SSL certificates. Mitigation may be disruptive and will probably affect availability, stability, or utility of affected hosts.
FAQ
What is “Let’s Encrypt”?
Let’s Encrypt is a free, automated, open, cloud-based certificate authority (CA) service that issues Secure Sockets Layer (SSL) certificates. It is used primarily to normalize and extend the use of HTTPS for web applications. It is delivered by the Internet Security Research Group (ISRG), based in California, U.S.A. See https://letsencrypt.org/
What are the advantages and disadvantages of “Let’s Encrypt”?
- Low cost (free)
- Short duration (90 days)
- Ease of use (including its ACME API).
- Cannot be administered, managed, modified, or revoked directly by campus SSL Certificate service admins.
- On-campus remediation during an incident could very possibly be disruptive to any affected service using a Let's Encrypt SSL certificate.