Cal Poly Standardized Process for Obtaining SSL Certificates

Information Technology Services has developed a process for centralized bulk purchase of SSL certificates from Thawte, a subsidiary of Verisign. This agreement provides numerous benefits to the campus, as outlined below. The process for obtaining certificates under this agreement is summarized; further details are available by contacting ITS Operations.

Need for SSL Certificates

Many systems on campus receive or transmit sensitive data through the network. For example, a web server may provide confidential student information to authorized users or accept entry of a credit card number. SSL provides specific protections for this information as it is transported over the network. First, SSL provides encryption of data so that those who are not involved in the transaction cannot view or modify the network traffic. Second, SSL provides server authentication, meaning that a user is able to verify that they are conducting a transaction with a server controlled by Cal Poly – as opposed to one that may attempt to trick users into sharing confidential information by posing as a Cal Poly site.

SSL requires that the server have a certificate. In order to provide both encryption and server authentication these certificates must be provided by a well known Certificate Authority. This Certificate Authority establishes that a service name (e.g. my.calpoly.edu) is in fact associated with an organization (e.g. Cal Poly San Luis Obispo).

Thus, SSL is a required measure to protect the confidentiality and integrity of University information as it is sent over the network (unless other equivalent measures are used), and it is necessary to use a certificate issued by a well known Certificate Authority. The centralized purchase process meets these requirements, and offers additional benefits.

Benefits of Centralized Purchase

• Favorable pricing. By combining all campus certificate purchases into one process, we all share reduced per-certificate prices. These will decrease depending on the quantity purchased. Initial year prices will range from $139 to $119, with annual renewal prices from $111 to $95.
• Security and compatibility assurance. Thawte was selected based on a solid record of providing competitive prices and an acceptable level of security assurance through verification practices and presence in nearly all end-user software. Some companies offer cheaper certificates, but at the risk of compatibility or deployment issues. The cost savings for these certificates would be more than offset by the effort involved in handling even one such issue.

• Central tracking and awareness. Certificates include an expiration date, after which end users would typically see warning or error messages upon accessing an affected web site. ITS Operations will facilitate renewal to ensure that certificates are not inadvertently allowed to expire, as can happen during periods when staff are away from campus or employee reassignment has resulted in lack of awareness of certificate obligations.
• Improved response time. By pre-establishing a business relationship with Thawte, ITS is able to process certificates according to campus needs, with potential for extremely rapid turnaround on requests. The certificate issuance process may be completed in only a few minutes in cases where all information has been accurately provided.

Obtaining Certificates – Overview
• ITS will purchase in bulk and pass on savings to the campus
• Department initiates request via Remedy ticket (CTI to be defined) and include:
o a chargeback account #
o the name of departmental system admin (must be staff or faculty)
• OPS will email information required to access Thawte site and request certificate
• OPS will approve the certificate if the above information requirements are met
• Thawte and OPS will send renewal reminders starting 60 days prior to expiration

For more information, contact ITS Operations.