Certificate Services

Why Are Certificates (SSL) So Important?

Certificates are a crucial part of securing web applications and other services, ensuring encrypted communication between servers and clients. SSL, also known as TLS, is an encryption protocol that enables secure connections to websites and other services. An SSL Certificate is a file hosted on a website's server, that makes SSL encryption possible.

What Types of Certificate Services Are Available & Which One Should I Use?

ITS Certificate Services offer a variety of ways for faculty and staff to request certificates using standard automated protocols at no cost to you.

What Types of Benefits Can Be Gained by Automating Certificate Renewals?

Automating certificate renewals is essential, especially as major browsers are considering shortening certificate lifespans to 200, 100, 45, and even 30 days. Frequent renewals increase the workload and the chance of human error. Automation reduces that workload while also ensuring certificates are updated on time, preventing outages.

Which one you use depends on:

the type of service,
where the service is hosted, and
if the service is accessible to the public Internet.

Guidelines based on different scenarios and the associated options for certificate management:

Vendor Hosted Services

Vendors should offer no-cost SSL certificates to secure their services. If this is unavailable, work with your vendor to see which of the following they can use to automate certificate requests.

Any Services Hosted in AWS

AWS has its own Certificate Manager (ACM).
https://aws.amazon.com/certificate-manager/
If you have questions, please submit a Support Request to ITS.

Services not managed by ITS and are accessible on the public internet, not behind a firewall

Use an ACME Client with the free Let’s Encrypt service.
https://letsencrypt.org/

All ITS managed services,
on-premise web services not accessible to the public internet,
and non-web services

Use an ACME Client with InCommon Certificate Services.

Please submit a Support Request to work with ITS for next steps.

All of these options require the use of Cal Poly-Hosted domain names for DNS.

If you are having trouble determining the right option, please submit a Support Request ticket to ITS.

Automate Certificate Management Environment (ACME Protocol)

Certificate automation uses the Automated Certificate Management Environment (ACME) protocol. The ACME protocol was developed to automate the process of issuing and renewing SSL/TLS certificates, by handling tasks such as account registration, certificate requests, domain validation, and certificate issuance. Along with using the ACME protocol, additional tasks are needed for configuring the application to use the certificate, scheduling a job to check if the certificate is close to expiration and needs to be renewed, and triggering the application to use a newly issued certificate after renewal.

ACME Client
The Client-side is managed by an ACME Client that implements the ACME protocol. Many ACME clients, such as “Certbot”, also automate the additional tasks specific to various operating systems and applications. Even if an ACME client does not support a specific application, it may support "hooks" that allow for custom scripts to install the certificate and/or restart the application.

ACME Server
On the other side, the ACME Server is responsible for receiving and processing these requests. Let's Encrypt, a free service that has implemented an ACME server but requires domain validation during every certificate request. This validation step can be challenging, particularly for web services that are behind firewalls and not publicly accessible. The InCommon certificate service has also implemented an ACME server. An advantage with this service is that the entire calpoly.edu domain has been pre-validated. This eliminates the need for domain validation at each certificate request, making it much easier for ACME clients to renew certificates, especially from behind the firewall or on private networks.