
Digital Certificate - Become a Department Authority for Approving SSL Certificates

This article explains why and how staff can become Department Registration Authority Officers (DRAOs) and receive delegated authority to sign SSL certificates for their department and domain.

Introduction

IT Services has contracted with InCommon to receive unlimited SSL certificates for domains that we control, signed by the root CA provider Comodo. All certificates are free for departments and end users. More information: Digital Certificate - Overview of Available Digital Certificates.

The system is designed for campus environments and allows for relatively sophisticated delegation of authority to approve certificates. (Although it is easier to say we are delegating signing authority, the most accurate description is that we are delegating the ability to approve certificates for signing by Comodo.) In essence, the University can delegate authority to qualified representatives of any administrative unit within the University to approve certificates.

Please note that delegation of authority is a feature of the InCommon Certificate Service but is not required if you simply would like to obtain signed certificates. To learn more about using the service, please see Doc ID 19441.

Certificate Service Manager (CSM)

The Certificate Service Manager is a web application that provides the interface for all activity using the InCommon service, including approval of certificates for signing, delegation of authority, etc.

Certificate signing requests (CSRs) can be submitted through various means but eventually must be approved by someone with the authority for that department and domain. Approved certificate requests are signed and delivered (via email/download) by Comodo.

The CSM has some notable features:

  • Optionally, end users can submit CSRs through the CSM so that administrators need only approve or decline a request (no data entry)
  • Scanning of and reporting on deployment of SSL certificates
  • Customizable notifications for administrators
  • Customizable email templates for communication with end users

The campus RAO can demonstrate and explain these and other features.

Terms and Concepts

Each entry gives the acronym (if any), the term, its description, and who holds the role.

  • Organization (no acronym): the highest-level administrative unit on campus in the InCommon system. Who: University of Chicago
  • Department (no acronym): generic term for an administrative unit within the Organization; a domain can be delegated to a department. Who: any administrative unit within the Organization
  • MRAO, Master Registration Authority Officer: administrator of the entire InCommon system. Who: InCommon
  • RAO, Registration Authority Officer: campus authority for the InCommon Certificate Service. Who: University of Chicago IT Security
  • DRAO, Department Registration Authority Officer: staff delegated certificate approval authority by the RAO for specific department(s). Who: 1 or 2 staff for an administrative unit

Roles and Responsibilities

Registration Authority Officers (RAO)

IT Security members serve as the Registration Authority Officers (RAO) for the University. The responsibilities of the campus RAOs include:

  • policy authority and system administrator for The University of Chicago
  • contact with InCommon and (for high-level issues) Comodo
  • certificate approver for certificates of higher risk (e.g. wildcard, Extended Validation)
  • delegator of authority to approve certificates
  • support for DRAOs and in some cases tier-2 support for end users

Departmental Registration Authority Officers (DRAO)

One or two representatives of a department can serve as Departmental Registration Authority Officers (DRAO). DRAOs are delegated the authority to approve SSL certificates for a specific delegated domain using the CSM. In return, DRAOs are responsible for processing certificate requests from their departmental users and for the related work described below. The campus RAO who delegates the authority is also available to assist in configuring the CSM as needed and for general troubleshooting.

A candidate for a DRAO should:

  • Be a full-time professional IT staff member and have good knowledge of and prior experience with handling SSL certificates (generating CSRs, installing certificates, etc.)
  • Have technical support responsibilities for an administrative unit (division, school, department, etc.) that has an ongoing need for certificates for a subdomain of *.uchicago.edu (e.g. *.example.uchicago.edu) or a domain that is outside of the uchicago.edu namespace (e.g. *.example-uc-site.org) but uses campus DNS for its authoritative domain name service. Note that DRAOs will not be delegated the ability to sign certificates for *.uchicago.edu.

DRAO Responsibilities include:

  1. Understand how to use the CSM. Report any issues, questions, or concerns to the RAO.
  2. Take reasonable steps to publicize the service to your relevant departmental users.
  3. Process certificate requests from your departmental users. Verify that requests for certificates are legitimate before approving them. If the DRAO does not personally know the person making the certificate request and their business need for the certificate, exercise due diligence by contacting a responsible person within the department who can vouch for the request's legitimacy. When in doubt, make a phone call or personal visit to a manager in the relevant area. Document any request validation done outside of personal knowledge.
  4. Record requests/approvals and any necessary request validation for at least three years and make them available to RAOs upon request. This can be done entirely within the CSM or with an external system such as a request tracking or ticketing system.
  5. Stay current with announcements of service updates, etc. from the campus RAO via the DRAO email list and respond to RAO requests for information in a timely way.
  6. Provide basic tier 1 support to your departmental users to help them understand their certificate options, generate CSRs, and install certificates and certificate chains. Comodo and your campus RAO provide documentation for end users that you can use. Support issues that need escalation can be directed to the campus RAO and/or Comodo.

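As an added example (not code from the article, the CSM, or Comodo), the following check encodes the scope rules above before a DRAO approves a request: names must fall inside the department's delegated domain(s), uchicago.edu / *.uchicago.edu itself is never delegated to a DRAO, and wildcard requests go to the campus RAO. The delegated-scope list, the name list, and the result strings are assumptions of this example; the names to check are the CN and SANs shown for the request in the CSM.

```python
from typing import Dict, List

ORGANIZATION_DOMAIN = "uchicago.edu"  # never delegated to a DRAO (assumed from the article)


def _normalize(name: str) -> str:
    """Lower-case, trim whitespace and a trailing dot; DNS names are case-insensitive."""
    return name.strip().lower().rstrip(".")


def _scope_base(delegated: str) -> str:
    """'*.example.uchicago.edu' and 'example.uchicago.edu' name the same delegated scope."""
    d = _normalize(delegated)
    return d[2:] if d.startswith("*.") else d


def _within(host: str, domain: str) -> bool:
    """True if host is the domain itself or any name below it (suffix match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def classify_name(name: str, delegated: List[str]) -> str:
    """Return 'approve', 'escalate: ...' or 'reject: ...' for one requested name."""
    host = _normalize(name)
    wildcard = host.startswith("*.")
    base = host[2:] if wildcard else host
    if not base or "*" in base or " " in base:
        return "reject: malformed name"
    if base == ORGANIZATION_DOMAIN:
        return "reject: uchicago.edu / *.uchicago.edu is not delegated to DRAOs"
    if not any(_within(base, _scope_base(d)) for d in delegated):
        return "reject: outside the delegated domain(s)"
    if wildcard:
        return "escalate: wildcard certificates are approved by the campus RAO"
    return "approve"


def review_request(names: List[str], delegated: List[str]) -> Dict[str, str]:
    """Classify every name in a request (the CN and each SAN)."""
    return {n: classify_name(n, delegated) for n in names}


def request_decision(names: List[str], delegated: List[str]) -> str:
    """Whole-request outcome: any reject wins, then any escalation, else approve."""
    results = list(review_request(names, delegated).values())
    if any(r.startswith("reject") for r in results):
        return "reject"
    if any(r.startswith("escalate") for r in results):
        return "escalate"
    return "approve"
```

A single out-of-scope SAN rejects the whole request, since a certificate is approved as one unit; the per-name results from review_request give the reason to record with the request.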
Becoming a DRAO

If you have questions about this service or are interested in becoming a DRAO please email certs@uchicago.edu or call 773-702-2378.

External Resources for InCommon DRAOs

Comodo/InCommon documentation

Keywords: delegate delegation RAO DRAO ca cert x509 "certificate authority" incommon comodo tls pki
Doc ID: 18199
Owner: James C.
Group: University of Chicago
Created: 2011-04-19 18:00 CST
Updated: 2015-12-16 13:45 CST
Sites: University of Chicago, University of Chicago - Sandbox