Wildcard Certificate Requests and Handling Procedures

Secure Sockets Layer (SSL) certificates (today used with SSL's successor, Transport Layer Security (TLS), although the older name persists) bind a server's identity to a public key, giving clients endpoint authentication and an encrypted channel over the Internet.

The University has purchased a Wildcard SSL certificate (wildcard certificate) from InCommon to support secure communications between computers and servers for official campus business.  Use of this wildcard certificate eliminates the need to purchase individual certificates for every server that requires secure communication channels. The Information Security Office at CSU, Chico is the source for identity verification and issuance of wildcard certificates for official campus use.

The following outlines the steps involved in receiving an SSL certificate:

Step 1: Notification of Wildcard Certificate Expiration

The Information Security Office will give the server administrator and server owner 30 days' notice of the expiration of a wildcard certificate.

Step 2: Generate your Certificate Signing Request (CSR)

  1. Go to the following URL: https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=33&pcid=1&nav=0,96,1
  2. Select the application type from the menu on the right for detailed instructions.
  3. Use the following required information to create a CSR (leave every other field, e.g. Organizational Unit, e-mail address and challenge password, blank)

    Country: US
    State/Province: California
    City: Chico
    Organization Name: California State University, Chico
    Common Name: *.csuchico.edu

  4. Send an e-mail to ITSS (itss@csuchico.edu) attaching the CSR file only (never the private key, which must stay on the server that generated it) and the following information:
    *Name
    *Phone
    *Server name
    *Server State ID
    *Purpose for certificate
    *Operating System or application used to generate the CSR 
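The steps above, carried out with the OpenSSL command line, as an added example that is not part of the CSU, Chico procedure: it generates the key pair and CSR with exactly the required subject fields, then verifies the CSR and confirms that it belongs to the key on disk before anything is e-mailed. It assumes OpenSSL 1.1 or later is installed; the output directory, the 2048-bit key size and the file names are illustrative (the page states no minimum key size).

```shell
# Added example, not part of the CSU, Chico page: generate the key pair and CSR for
# the wildcard certificate with the OpenSSL CLI using exactly the subject fields the
# page requires, then verify the CSR before e-mailing it.
# Assumes OpenSSL 1.1+; the output directory and key size are assumptions.
set -e

# Required subject fields from the page. OU, e-mail address and challenge password
# are deliberately absent ("all other fields must be left blank").
WILDCARD_SUBJECT="/C=US/ST=California/L=Chico/O=California State University, Chico/CN=*.csuchico.edu"

make_wildcard_csr() {
    # $1 = directory that will receive wildcard.key and wildcard.csr
    dir="$1"
    mkdir -p "$dir"
    # One command creates a fresh 2048-bit RSA key and the CSR signed with it.
    # -nodes leaves the key unencrypted so the web server can load it unattended;
    # file permissions, not a passphrase, protect it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.csr" \
        -subj "$WILDCARD_SUBJECT" >/dev/null 2>&1
    # The private key never leaves this host and must not be world-readable.
    chmod 600 "$dir/wildcard.key"
}

check_wildcard_csr() {
    # Return 0 only if the CSR's self-signature verifies and the subject carries
    # the wildcard common name. The printed subject is what the CA will see.
    subject=$(openssl req -in "$1" -noout -verify -subject 2>/dev/null) || return 1
    case "$subject" in
        *'*.csuchico.edu'*) ;;
        *) echo "unexpected CSR subject: $subject" >&2; return 1 ;;
    esac
}

key_matches_csr() {
    # $1 = private key, $2 = CSR. The issued certificate only works with the key
    # whose public modulus the CSR contains, so compare the two before sending.
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Usage (hypothetical path):
#   make_wildcard_csr /etc/pki/wildcard
#   check_wildcard_csr /etc/pki/wildcard/wildcard.csr
#   key_matches_csr /etc/pki/wildcard/wildcard.key /etc/pki/wildcard/wildcard.csr
#   E-mail only wildcard.csr to ITSS; wildcard.key stays on the server.
```

Run the three functions in order; if check_wildcard_csr rejects the subject or key_matches_csr fails, regenerate rather than sending the CSR, since a certificate issued against the wrong key or name is unusable and still has to be reported and replaced.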

Step 3: Receiving the Wildcard Certificate

Upon receipt of the CSR and contact information, the Information Security Office will conduct a needs assessment for the certificate.  Upon approval, a certificate will be generated for the server and a meeting request will be sent to the requestor.

During the meeting, Information Security Office personnel will review certificate handling best practices and acceptable use.  The requestor will sign for the certificate and receive an electronic copy of the certificate.

Step 4: Install the Wildcard Certificate

Information on how to install your SSL certificate is located at

https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=95&pcid=1&nav=0,96,1

Select your platform/OS from the link menu on the right.

Wildcard Certificate Handling Best Practices

Administrators must take extreme care to secure the certificate and, above all, its private key: whoever holds the private key can impersonate any host under *.csuchico.edu, not just the server the certificate was issued to.

The following are tips for securing the certificate and private key:

  • Securely erase the certificate, and any private key material, from removable media once the transfer is complete.
  • Create and store a backup copy of the certificate on read-only media in case the original certificate is accidentally deleted. If the certificate is lost and cannot be recovered from backup media, a new certificate must be requested from the Information Security Office.
  • Create and store a backup copy of the private key on read-only media in case the key is deleted accidentally. If the key is lost and cannot be recovered from backup media, a new key pair and certificate must be created. Note that the backup copy of the key must be physically secured and encrypted.
  • Store the certificate and private key in a folder or partition accessible only to Web or system administrators, secured by appropriate authentication mechanisms and restrictive file permissions (the private key readable only by the account that needs it).
  • Consider running a data integrity scanner (e.g., Tripwire) on the Web server (see Section 8.2.2) and ensure that it monitors the certificate and private key for any changes.
  • Examine system logs regularly to detect unauthorized access to the server.
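A minimal stand-in for the integrity scanner and permission controls the list recommends, as an added example that is not part of the page: it records a SHA-256 baseline for the certificate and private key, and a later check fails if either file changed or vanished, or if the private key is readable by anyone other than its expected owner. Paths and the expected owner are assumptions; it requires GNU coreutils (sha256sum, stat -c).

```shell
# Added example, not part of the CSU, Chico page: a tiny Tripwire-like check for
# the certificate and private key. Paths and the owner account are assumptions;
# GNU coreutils (sha256sum, stat -c) are required.
set -e

record_baseline() {
    # $1 = baseline file to write, remaining arguments = files to protect.
    # In production copy the baseline to read-only media, as the page advises,
    # so an intruder who replaces the key cannot also rewrite the baseline.
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
    chmod 600 "$baseline"
}

check_integrity() {
    # Return 0 only if every file listed in the baseline still exists and hashes
    # to the recorded value; any change, deletion or malformed line fails.
    sha256sum -c --quiet --strict "$1" >/dev/null 2>&1
}

check_key_perms() {
    # $1 = private key, $2 = account that should own it (root assumed by default).
    # A key readable by group or world is as good as leaked.
    key="$1"; expected_owner="${2:-root}"
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    if [ "$owner" != "$expected_owner" ]; then
        echo "$key: owned by $owner, expected $expected_owner" >&2
        return 1
    fi
}

# Usage (hypothetical paths), e.g. once at install time and then from a daily cron job:
#   record_baseline /var/lib/certwatch/baseline /etc/pki/wildcard.key /etc/pki/wildcard.crt
#   check_integrity /var/lib/certwatch/baseline && check_key_perms /etc/pki/wildcard.key
```

A non-zero exit from either check is the trigger for the incident handling described below: treat the key as compromised until the change is explained.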

If a malicious user gains unauthorized access to a Web server, the integrity of the entire server, including the private key, is lost. The key pair must be regenerated and the Information Security Office contacted so that the existing certificate can be revoked and a new certificate procured.