Why Are Certificates (SSL) So Important?
Certificates are a crucial part of securing web applications and other services, ensuring encrypted communication between servers and clients. SSL (now standardized as TLS) is an encryption protocol that enables secure connections to websites and other services. An SSL certificate is a file hosted on a website's server that makes SSL encryption possible.
What Types of Certificate Services Are Available & Which One Should I Use?
ITS Certificate Services offer a variety of ways for faculty and staff to request certificates using standard automated protocols at no cost to you.
Which one you use depends on:
the type of service,
where the service is hosted, and
if the service is accessible to the public Internet.
Guidelines based on different scenarios and the associated options for certificate management:
All of these options require the use of Cal Poly-Hosted domain names for DNS.
If you are having trouble determining the right option, please submit a Support Request ticket to ITS.
Automated Certificate Management Environment (ACME Protocol)
Certificate automation uses the Automated Certificate Management Environment (ACME) protocol. The ACME protocol was developed to automate the process of issuing and renewing SSL/TLS certificates by handling tasks such as account registration, certificate requests, domain validation, and certificate issuance. Along with using the ACME protocol, additional tasks are needed: configuring the application to use the certificate, scheduling a job to check whether the certificate is close to expiration and needs to be renewed, and triggering the application to use a newly issued certificate after renewal.
ACME Client
The client side is handled by an ACME client that implements the ACME protocol. Many ACME clients, such as Certbot, also automate the additional tasks specific to various operating systems and applications. Even if an ACME client does not support a specific application, it may support "hooks" that allow custom scripts to install the certificate and/or restart the application.
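The scheduled expiry check, the renewal request and the application hook described above, as an added example that is not code from ITS or from any ACME client. It assumes Certbot as the client, nginx as the application, and placeholder paths; `make_test_cert` builds a throw-away self-signed certificate so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the ITS page or any ACME client: a scheduled
# renewal-check job of the kind the ACME section describes. It asks openssl
# whether the certificate expires within RENEW_DAYS and only then runs the
# ACME client with a deploy hook that makes the application load the new
# certificate. Assumed: certbot as the client, nginx as the application,
# and placeholder paths.

CERT="${CERT:-/etc/letsencrypt/live/example.invalid/fullchain.pem}"  # placeholder
RENEW_DAYS="${RENEW_DAYS:-30}"   # renew when fewer than 30 days remain
DEPLOY_HOOK="${DEPLOY_HOOK:-systemctl reload nginx}"  # assumed application reload

# True (exit 0) when the certificate at $1 expires within $2 days, or cannot be
# read at all. `openssl x509 -checkend N` exits 0 only if the certificate is
# still valid N seconds from now, so its result is inverted here.
cert_needs_renewal() {
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the certificate's notAfter date, for the job's log line.
cert_expiry() {
    openssl x509 -enddate -noout -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# The scheduled job body: check, then renew. --deploy-hook runs only when a
# new certificate was actually issued, which is exactly when the reload is needed.
renew_if_needed() {
    if cert_needs_renewal "$CERT" "$RENEW_DAYS"; then
        echo "renewing: $CERT expires $(cert_expiry "$CERT")"
        certbot renew --deploy-hook "$DEPLOY_HOOK"
    else
        echo "ok: $CERT valid until $(cert_expiry "$CERT")"
    fi
}

# Constructed sample input for trying the check offline: a throw-away
# self-signed certificate for a reserved test name, valid for $2 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.invalid" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then   # e.g. from cron: sh renew-check.sh --run
    renew_if_needed
fi
```

Certbot's own `renew` subcommand already applies the same 30-day window internally; the explicit `openssl -checkend` step makes that decision visible in the job's log and works for clients that do not.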
ACME Server
On the other side, the ACME server is responsible for receiving and processing these requests. Let's Encrypt is a free service that has implemented an ACME server, but it requires domain validation during every certificate request. This validation step can be challenging, particularly for web services that are behind firewalls and not publicly accessible. The InCommon certificate service has also implemented an ACME server. An advantage of this service is that the entire calpoly.edu domain has been pre-validated. This eliminates the need for domain validation at each certificate request, making it much easier for ACME clients to renew certificates, especially from behind the firewall or on private networks.