General Information
SSL certificates are used primarily to secure web sites by encrypting the traffic between a user's browser and the web server it is accessing. They are also used to encrypt traffic between client software and servers (for example between an Outlook mail client and the Case mail servers) for anything that can use SSL or TLS to encrypt traffic.
SSL certificates are tied to specific domains (for instance case.edu). Case has authority over the following domains and no others:
- cwru.edu
- case.edu
- clevelandactu.org
This means that Case CAN provide an SSL certificate for something like my-server.case.edu but can NOT provide an SSL certificate for something like my-server.somedomain.com or even something like my-server.case.edu.hosted.somedomain.com.
Policies
Case provides SSL certificates free of charge to the following:
- Any Case faculty or staff member, or any affiliate (for example contractors or temporary employees) acting on behalf of a Case faculty or staff member.
- Case faculty/staff-run organizations
Case does NOT provide SSL certificates to the following:
- Students
- Student-run organizations
As of May 2011, Case no longer provides self-signed server certificates. Since we are now able to provide unlimited, free, nationally recognized certificates, there is little point in offering self-signed certificates which are not recognized or trusted by modern browsers "out of the box."
3rd-Party Vendors
Many organizations may choose to delegate responsibility for setting up and maintaining a web server and its services to a 3rd-party vendor who provides the web server/site as a service. In those instances, as long as the site URL uses a hostname in the domain of case.edu or cwru.edu then the vendor MUST use a CWRU-provided InCommon SSL certificate. It is the vendor's responsibility to provide a valid Certificate Signing Request as described below and to install the resulting CWRU-provided certificate in the web service they are hosting. Some examples of sites that MUST use CWRU-provided InCommon certificates are:
- https://mysite.case.edu/myApplication
- https://ridealong.case.edu/hosted-by-some-vendor-service
Examples where a CWRU-provided InCommon certificate is not required (and cannot be used) are:
- https://cwru.myvendor.com/cwru-application
- https://case.edu.some-company.com/my-application
Some 3rd-party vendors may offer certificates as part of their service. It is NOT permissible to use a vendor-provided certificate if the hostname of the site is in the domain of case.edu or cwru.edu. If the vendor asserts that ONLY their certificates can be used with their service, the validity of the assertion will be verified and an exemption to the rules MAY be granted. The process of validating the vendor assertion and properly authorizing the vendor's certificate to be used in the case.edu/cwru.edu domains will add time to the amount needed to secure the site.
The easiest method of using an InCommon SSL certificate to secure a site hosted by a 3rd-party vendor is to put the vendor in touch with certificate-admin@case.edu.