SSL Certificates

Overview

CSU, Chico uses 4 types of SSL certificates to secure servers. The following matrix describes the types of certificates, the appropriate platform for each certificate, and the types of data for which each certificate may be used.

Public Purchased Certificate

The Information Security Office now offers signed named certificates. The certificate is identical to a certificate purchased from an outside entity such as VeriSign or Thawte. The cost of these certificates is $99 per year, which saves departments and system owners anywhere from $300-$600 per year, per server. The certificate chains to an Internet root Certificate Authority and is therefore trusted by any browser or user. The certificate is issued for one specific server. The certificate expires one year after it is issued, though two- and three-year options are available through the Information Security Office.

*.csuchico.edu (Wildcard Certificate)

The campus has purchased a wildcard certificate that has one annual cost. Servers can be added throughout the year without incurring additional costs. The certificate chains to an Internet root Certificate Authority and is therefore trusted. Each server receives its own serial number on the certificate. In case of a server breach, the other servers using the wildcard certificate are still secure because only the certificate with the assigned serial number is compromised. This is becoming the more common certificate for servers. The campus wildcard certificate, and all servers using *.csuchico.edu, must be renewed once a year in July.

To request a wildcard certificate, please go here.

Beech / PKI Cert

This certificate is designed for internal communications and is supported solely by Information Resources. The certificate has not been chained to an Internet root Certificate Authority and thus is not trusted by users outside the campus network. This certificate is used by individuals to access their workstation and process confidential information. The certificate is also used by the workstation to access data on campus servers. This is becoming the more common certificate for internal communications, workstation authentication, and communication between Windows servers.

Self-Signed

Linux and Unix servers can sign their own certificates for internal communications between Linux and Unix servers and management workstations. Certificates are issued for a single service on a single server. For example, a secure shell service for managing a remote server would be issued a certificate covering only that server and its associated management workstations. This is the common certificate for internal communications between Linux and Unix servers.
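As an added example (not part of this page or any campus procedure), the following POSIX shell script issues the kind of single-service, single-server self-signed certificate described above and then checks it against the 30-day expiration notice window used in the roles section below; the hostname, file locations and openssl invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the CSU, Chico page): issue a self-signed certificate bound
# to one service on one server, then test it against a 30-day expiration notice window.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
HOST="mgmt-example.internal"   # constructed hostname, not a real campus server

# issue_self_signed <host> <days>: private key plus certificate whose only
# subjectAltName is <host>, so it cannot be presented for another server.
issue_self_signed() {
    host="$1"; days="$2"; cfg="$WORKDIR/$host.cnf"
    # minimal config so the SAN extension lands in the self-signed certificate
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_req]\nsubjectAltName = DNS:%s\n' "$host" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" -config "$cfg" -extensions v3_req \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# expires_within_days <cert> <days>: succeeds (exit 0) when the certificate will
# already have expired <days> from now, i.e. a renewal notice is due.
expires_within_days() {
    cert="$1"; days="$2"
    # openssl -checkend exits 0 only if the cert is still valid at now + N seconds
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_san <cert>: print the subjectAltName value, e.g. "DNS:mgmt-example.internal"
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# Demo: a 20-day certificate falls inside the 30-day notice window used in the policy.
issue_self_signed "$HOST" 20
echo "SAN: $(cert_san "$WORKDIR/$HOST.crt")"
if expires_within_days "$WORKDIR/$HOST.crt" 30; then
    echo "$HOST: expires within 30 days, notify the server administrator"
else
    echo "$HOST: no action needed"
fi
```

Run the check from cron against each server's certificate file to reproduce the 30-day notification for self-signed certificates, which the Information Security Office does not track for you.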

Roles and Responsibilities

Information Security Office

The Information Security Office will work with Server Administrators and System Owners/Designee upon request to determine the type of certificate that is appropriate for their server based on the matrix above.  As part of the System Security Worksheet (SSW) process, the recommended solution will be documented.

The Information Security Office will manage the *.csuchico.edu/wildcard certificates.  A procedure has been developed regarding this process and is posted here. The Information Security Office will notify server administrators and server owners 30 days in advance regarding the expiration of the wildcard certificate. 

As enterprise servers transition from public purchased certificates to wildcard certificates, the Information Security Office will maintain a list of these servers. Server Administrators and System Owners/Designees will be notified 30 days in advance regarding the expiration of a Thawte/VeriSign certificate so a wildcard certificate can be generated. A monthly status of all servers with a wildcard certificate will be sent to the Server Owner/Designee.

The Information Security Office also manages the Beech/PKI certificates. Procedures have yet to be finalized regarding the issuance and handling of these certificates.

System Owner/Designee

Server Owners are responsible for working with the Server Administrator and/or Application Administrator to determine the type of certificate that is appropriate for their server based on the matrix above.  The Information Security Office can offer assistance in making these decisions.

Server Owners/Designees are responsible for reviewing the monthly status of their servers with wildcard certificates to ensure that replacements for expiring certificates are requested in a timely manner.

*A wildcard certificate should be requested and generated at least one week before the expiration of the public purchased certificate in case there are any issues which make the wildcard certificate a non-viable option.

Server Administrator

Server Administrators are responsible for working with the Server Owner/Designee and Application Administrator to determine the type of certificate that is appropriate for their server based on the matrix above.  The Information Security Office can offer assistance in making these decisions.

Server Administrators are responsible for Public Purchased Certificates and Self-Signed Certificates. These responsibilities include ensuring that replacement certificates are requested in a timely manner for expiring certificates, as well as determining which servers and client systems may use the certificate to interact with their application. The Server Administrator is responsible for contacting any users of the certificate upon expiration, renewal or modification of the certificate.

In addition, upon receiving notification of a wildcard certificate expiration, Server Administrators must follow Steps 2 & 3 in the Wildcard Certificate Handling Procedures.

Application Administrator

Application Administrators are responsible for working with the Server Owner/Designee and Server Administrator to determine the type of certificate that is appropriate for applications under their control.  The Information Security Office can offer assistance in making these decisions.

Application Administrators are responsible for Public Purchased Certificates and Self-Signed Certificates in use by their applications. These responsibilities include ensuring that replacement certificates are requested in a timely manner for expiring certificates, as well as determining which servers and client systems may use the certificate to interact with their application. The Application Administrator is responsible for contacting any users of the certificate upon expiration, renewal or modification of the certificate.