Overview
SSL certificates are used primarily to secure web sites by encrypting the traffic between a user's browser and the web server it is accessing. They are also used to encrypt traffic between client software and servers (for example between an Outlook mail client and the Case mail servers) for anything that can use SSL or TLS to encrypt traffic.
SSL certificates are tied to specific domains (for instance case.edu). Case has authority over the following domains and no others:
- cwru.edu
- case.edu
- clevelandactu.org
This means that Case CAN provide an SSL certificate for something like my-server.case.edu but can NOT provide an SSL certificate for something like my-server.somedomain.com or even something like my-server.case.edu.hosted.somedomain.com.
Availability and Costs
Case provides SSL certificates free of charge to the following:
- Any Case faculty or staff member, or any affiliate (for example contractors or temporary employees) acting on behalf of a Case faculty or staff member.
- Case faculty/staff-run organizations
- Case faculty/staff-run sites hosted by third-party vendors
Case does NOT provide SSL certificates to the following:
Policies
It is REQUIRED to use SSL certificates provided by the University’s Certificate Authority, including for sites with URLs using the domains case.edu or cwru.edu hosted by third-party vendors (for example: https://my-hosted-site.case.edu/… a CWRU site hosted by my.vendor.com). See the official policy statement for more information.
Some 3rd-party vendors may offer certificates as part of their service. It is NOT permissible to use a vendor-provided certificate if the hostname of the site is in the domain of case.edu or cwru.edu. If the vendor asserts that ONLY their certificates can be used with their service, the validity of the assertion will be verified and an exemption to the rules MAY be granted. The process of validating the vendor assertion and properly authorizing the vendor's certificate to be used in the case.edu/cwru.edu domains will add time to the amount needed to secure the site.
The easiest method of using an InCommon SSL certificate to secure a site hosted by a 3rd-party vendor is to put the vendor in touch with certificate-admin@case.edu.
General Information
All certificates have a name associated with them. The name identifies the URLs that can be safely accessed by a browser using that certificate. In the URL https://my-site.case.edu/home.html, the name is my-site.case.edu, and that is the name that should be used when requesting a CWRU SSL certificate. Some web servers host multiple sites, for example:
The CWRU certificate authority supports certificates with multiple names (called Subject Alternative Names or SANs) if needed to support multiple sites with the same certificate.
All certificates expire, with expiration dates of up to about a year into the future. Once a certificate has expired, it can no longer be used to protect a web site. It is the responsibility of the certificate requester to make sure that the certificate is renewed before it expires if it is still needed. If you allow your certificate to expire, your web pages will be unreachable until you replace the expired certificate.
The CWRU certificate authority automatically sends out email reminders at 30 days, 15 days, and every day in the last 5 before a certificate expires.
Certificate Types
When acquiring a certificate there are 3 types from which you should choose:
InCommon Multi Domain SSL (SHA-2)
Use this one if you have multiple web sites using the same certificate (for example: https://mysite.case.edu, https://your-site.case.edu). This type has expirations of 1 year or 398 days.
InCommon SSL (SHA-2)
Use this if you have a plain single-site certificate. This type has expirations of 1 year or 398 days.
InCommon SSL (Short Life)
Use this for a temporary web site that is only briefly needed. This type has expirations of 30, 60, or 90 days.
Requesting a Certificate
Prior to requesting a certificate you are required to create a Google Group to receive expiration notifications and other communications regarding your certificate. You may use the same Google Group to receive notifications for any certificates for which you are responsible.
The Google Group should be set up with the following:
- The Group MUST be able to receive posts from anywhere on the web, so that the CWRU certificate manager is able to post expiration notifications to it. New certificate issuance notifications will also be sent to this address.
- The Group SHOULD have at least two members, so that if one member is unavailable, the other will still receive, and be able to act on, expiration notices.
- The Group MAY have a third-party vendor address as a member, but make sure that the vendor understands that you expect them to coordinate renewing or replacing the certificate for you. Many vendors receive the notifications but take no action on them, allowing the certificate to expire and your web pages to become unreachable.
- The CWRU certificate managers will take no action on a request that is associated with an individual email address rather than a Google Group.
When requesting a new certificate or renewing a certificate for which additional names have changed, you will generally need to provide a Certificate Signing Request, or CSR. Most web servers have tools or wizards that will walk you through creating a CSR, but you can direct any questions to certificate-admin@case.edu. Note that the certificate admins cannot create the CSR for you as the process creates a private key which lives on your web server and ties the certificate to that private key through the CSR.
Once you have the CSR ready, gather any other names you need for the certificate. At that point you should have:
- A Google Group with which to receive expiration and other notifications
- The type of certificate you need
- The CSR for the certificate
- Any additional site names (SANs) that you need the certificate to have
- How long the certificate should be valid (up to 398 days depending on the certificate type you chose) before it expires.
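The following sketch is an added example, not CWRU's own tooling. It creates the private key and CSR on the server with OpenSSL 1.1.1 or later, and refuses any name outside the three domains listed in the Overview before a key is generated. The function names, the RSA 2048 key size and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names, key size and hostnames are illustrative.

# Return 0 only if the name is one of, or sits directly under, the domains
# the page lists as CWRU's. A CWRU name embedded in another domain fails.
in_cwru_domain() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        ''|.*|*..*|*[!a-z0-9.-]*) return 1 ;;   # empty labels, odd characters
    esac
    case "$name" in
        case.edu|*.case.edu|cwru.edu|*.cwru.edu) return 0 ;;
        clevelandactu.org|*.clevelandactu.org) return 0 ;;
        *) return 1 ;;
    esac
}

# make_csr OUTDIR NAME [NAME...]
# The first NAME becomes the CN; every NAME goes into the SAN list.
# The .key file never leaves OUTDIR; only the .csr is submitted.
make_csr() {
    outdir=$1; shift
    cn=$1
    san=""
    for host in "$@"; do
        if ! in_cwru_domain "$host"; then
            echo "refusing $host: not in a CWRU domain" >&2
            return 1
        fi
        san="${san:+$san,}DNS:$host"
    done
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/$cn.key" -out "$outdir/$cn.csr" \
          -subj "/CN=$cn" -addext "subjectAltName=$san" ) || return 1
    # Print the SAN line from the CSR, i.e. what the CA will be asked to sign.
    openssl req -in "$outdir/$cn.csr" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}'
}

# Usage: sh make_csr.sh /etc/ssl/private my-site.case.edu your-site.case.edu
if [ "$#" -ge 2 ]; then make_csr "$@"; fi
```

Paste the contents of the .csr file into the request; the .key file is the private key and stays on the web server.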
Requesting through self-enrollment
To request the certificate yourself there is a self-enrollment form available at https://cert-manager.com/customer/InCommon/ssl/login. As long as you receive the emails from your Google Group, you may use that as the email address you enter, and to which the verification link will be sent. You will need an Access Code for the self-enrollment portal which we do not make publicly available, but which may be obtained by requesting it from certificate-admin@case.edu prior to visiting the above site.
Enter the information you gathered above, including the CSR. Note: If you used your own email address when logging in to the portal, make sure you put the address of your Google Group into the “External Requesters” field of the form.
If you will need the certificate over multiple years and the information will not change, you can turn on “automatic renewal”. Select when you want the certificate to automatically renew (we recommend 30 days before expiration with a 398 day expiry period so that your certificate will renew about the same time each year).
Selecting automatic renewal will cause a new request to be generated; however, the certificate admins will still need to reach out to verify that the certificate is still needed and that nothing has changed before they approve the request. DO NOT wait until the day before expiration to start the renewal process: the certificate admins need sufficient time to verify the information and approve the request, and you need time to get the certificate installed in your site. Renewing 30 days before the expiration is safe, and gives you time to interact with third-party vendors if necessary.
Requesting through email is essentially the same as requesting through the self-enrollment portal. The same information is required. The same process is followed including the information verification and approval.
Insufficient Information
Including insufficient information in a request will delay approval and issuance of a certificate as the certificate admins will have to reach out to gather the information that is missing.
Renewing a Certificate
A certificate renewal is a streamlined process for obtaining a certificate whose information has not changed as it nears expiration. If you have selected automatic renewal, please send mail to certificate-admin@case.edu indicating that you still need the certificate and that nothing has changed. The certificate admins will approve the new certificate and you will receive the new certificate information via your Google Group. The responsibility for getting the new certificate installed remains with you or the person you delegate it to.
Certificate Automation with ACME
The Automatic Certificate Management Environment (ACME) provides a mechanism to fully automate the certificate renewal and installation process, providing a totally hands-off approach to certificate updates once the environment is set up and configured on your server.
ACME works by installing a client on the server that checks daily whether a certificate is nearing expiration. If the remaining lifetime is under the configured threshold (typically 30 days before expiration), the client reaches out to the CWRU certificate authority, requests a new certificate based on the previously configured certificate settings, downloads the new certificate, installs it, and then restarts the service. Since the automation typically DOES require a service restart, the process works best in a load-balanced environment.
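Whether or not ACME is in place, the same 30-day threshold can be checked independently of the notification emails. This added example (not part of any ACME client and not CWRU's own code) uses openssl x509 -checkend to place a certificate file into the reminder windows described under General Information; the function name and the tier labels are assumptions.

```shell
#!/bin/sh
# Added example: tier labels are illustrative; the 30/15/5-day windows are
# the reminder schedule given on this page.

# expiry_tier CERT.pem
# Prints one of: expired, daily-reminders, 15-day-reminder, renew-now, ok.
# Returns 2 (and prints "unreadable") if the file is not a certificate.
expiry_tier() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo unreadable
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    # Test the narrowest window first so the most urgent tier wins.
    for days in 0 5 15 30; do
        if ! openssl x509 -in "$cert" -noout \
                -checkend $((days * 86400)) >/dev/null; then
            case $days in
                0)  echo expired ;;
                5)  echo daily-reminders ;;
                15) echo 15-day-reminder ;;
                30) echo renew-now ;;
            esac
            return 0
        fi
    done
    echo ok
}

# Usage: sh expiry_tier.sh /etc/ssl/certs/my-site.case.edu.pem [more.pem ...]
for c in "$@"; do
    printf '%s\t%s\n' "$c" "$(expiry_tier "$c")"
done
```

Run from cron against every installed certificate, anything other than "ok" is a prompt to start the renewal.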
Once the described level of automation is set up on your server, the only manual intervention required is to add or remove SANs as needed. You need not wait until the certificate is approaching expiration to make SAN changes to your certificate.
The CWRU certificate authority ACME services support both Linux and Windows web servers, and with some programming expertise, the Linux client can be leveraged to automate the certificate renewal process for other applications and appliances.
The ACME protocol used by the CWRU certificate authority is the same as that used by Let's Encrypt (favored by many third-party vendors) and will work seamlessly with third-party vendor applications with some fairly minor reconfiguration on the vendor’s part.
Individuals interested in setting up ACME certificate automation on their servers should contact certificate-admin@case.edu to set up a meeting to discuss their needs and for guidance in setting up the automation process on their server(s).