Overview
Secure Sockets Layer (SSL) certificates are used worldwide for securely serving web content, encrypting data sent over the Internet. X.509, the underlying technology used to generate the certificates, is covered separately in the Authentication strategy.
Since 2003, IT Services' primary certificate vendor has been Comodo InstantSSL. IT Services had previously been provisioning certs from VeriSign but at a much greater cost than the prices received from Comodo. IT Services still purchases certificates from VeriSign by request, but it is extremely rare and only because Comodo does not sell a Java code-signing cert (IT Services has one client who needs this product).
Current State
The SSL (Secure Sockets Layer) certificate provisioning service is widely used across Stanford, with 1458 certificates purchased in the last three years. The certificates are primarily used for SSL-encrypted connections to websites, but are also used in other security-related capacities such as encrypting email traffic. The service allows Stanford users to use university account numbers to purchase certificates; handles order regenerations, revocations, and refunds; sends automated expiration notices 7, 30, and 60 days before expiration; and provides some tech support for clients having trouble with their cert installations. It also accommodates requests outside of the basic offerings, e.g., Unified Communications and sub-domain wildcard certs.
The service has matured and stabilized in recent years, becoming static in nature. No overhauls are needed over the next few years as far as purchasing commercial certificates. IT Services is already buying some of the most inexpensive certificates available and has an established working procedure with Comodo. IT Services' clients, many of whom are repeat customers, are also very familiar and comfortable with the processes in place.
Vision
While Comodo certificate prices are relatively low, there are other vendors such as Go Daddy who provide virtually the same product at approximately half the price. In the short term, IT Services should look into purchasing certificates from a less expensive vendor and/or ask Comodo to price match. Looking farther out, the ideal (and inevitable) goal is to acquire certificates from a Certificate Authority Root dedicated to higher education institutions much like what has been established in Europe by TERENA (The Trans-European Research and Education Networking Association).
With the proliferation of firewalls and other network-securing tools, there is an expectation that criminals will focus their efforts on attacking SSL connections. Researchers in Europe recently demonstrated a security flaw in X.509 certificates generated with the MD5 hash function. While many commercial certificate authorities such as RSA and VeriSign still use MD5, Comodo does not; IT Services must nonetheless stay aware of similar flaws and vulnerabilities that may arise.
Goals
There is some room for improvement in the current system. The provisioning process is somewhat unwieldy for the technicians ordering the certs. While there are some aspects of the process that simply cannot be automated, there is definitely potential to make the process cleaner and less time-consuming by:
- Automating the forwarding of collected billing information to Finance.
- Revamping the request form and the processes around tracking expiration dates and billing info.
- Streamlining the cert request process by leveraging the Workflow strategy to create an SSL certificate workflow.
Roadmap
- A new request form is being developed and will run through the new OrderIT system. This measure will make the handling of billing information simpler and more robust, validating university account numbers and the provided approver for them immediately. This addition to the service will make it unnecessary for administrators to continue handling the information. In creating the new request form, using Comodo's API (Application Programming Interface) to automatically create certificates is also being explored. The customer service element of the SSL certificate provisioning service will still be necessary, but the purchase of the certificates should be faster for clients and much less time-consuming for administrators.
Measures of success
- Clients receive the SSL certificate products they request within two to three business days.
- The purchased certificates are free of major vulnerabilities.
- If vulnerabilities are discovered with the certificates purchased, IT Services must act quickly to communicate with clients and replace the vulnerable certs.
- The cert provisioning process should be clean, with manual steps replaced with automation wherever possible.

