SSL/TLS Certificate Standard

Table of Contents

• What are SSL/TLS Certificates?
• University of Guelph SSL/TLS System, Application, or Website Requirements
• University of Guelph SSL/TLS Certificate Requirements
• Self-Signed Certificates
• What are the security risks associated with SSL/TLS Certificates?
• How do I obtain an SSL/TLS certificate?
• Additional Resources

What are SSL/TLS Certificates?

Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), allows for encrypted communication over networks. When properly configured, TLS employs strong cryptography to encrypt network connections and authenticate the endpoints. This is frequently referred to as encryption of 'data in transit' or 'data in motion'.

University of Guelph SSL/TLS System, Application, or Website Requirements

Any network-accessible University of Guelph system, application, or website is required to:

1. Use TLS version 1.3 (or higher) to maintain encrypted communications channels between endpoints. TLS version 1.2 is permitted when TLS version 1.3 is not supported by the server or client software.
2. Use a “Recommended” or “Sufficient” Cipher Suite for the corresponding TLS version from the Government of Canada’s Guidance on securely configuring network protocols (ITSP.40.062)
3. Use a public certificate authority (CA) whenever providing network services to the public or broader University community. Unencrypted (HTTP) connections are never to be used for these scenarios.

University of Guelph SSL/TLS Certificate Requirements and Recommendations

All University of Guelph TLS certificates MUST meet all the following criteria:

• Certificates MUST have a minimum key size of 2048 bits.
• Certificates MUST NOT be expired (the ‘valid from’ date must be in the past and the ‘valid to’ date must be in the future).
• Certificates MUST have a maximum validity period of 13 months.
• The Subject Name or Subject Alternate Name of the certificate MUST contain the fully qualified domain name of the service the certificate is protecting.
• Certificates MUST be revoked when the service they protect is no longer required.

When issued by a public certificate authority (CA), the CA MUST meet these additional criteria:

• Conform to the CA/B Forum Baseline Requirements.
• Participate in the Certificate Transparency (CT) Initiative and publish the certificates it issues to multiple CT logs.
• Be trusted by all major browsers including, but not limited to, Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari.
• Support certificate revocation in accordance with the CA/B Forum Baseline Requirements.

All TLS certificates SHOULD meet these additional criteria:

• Services should use automation to support the life cycle management process of certificates.

• Private keys should only be installed to a single system and should never be transferred/copied between systems. If this is required, the use of a Hardware Security Module (HSM) is recommended.
• It is recommended that the certificate Organization field be set to ‘University of Guelph’ when user credentials or sensitive information is being exchanged.
• Security best practice is to generate a new keypair and Certificate Signing Request (CSR) each time the certificate is renewed.

Self-Signed Certificates

Self-signed certificates are only permitted for:

• Development and test systems which contain no Confidential (S3) or Restricted (S4) data, are segregated from the production network, and are prohibited from accepting connections from external users and systems.
• Server-to-server connections within the University data centre.
• Internally hosted infrastructure systems (e.g. management interfaces for network, storage, server, and backup appliances) that are exclusively accessed by infrastructure IT staff and segregated from general-purpose user networks.  

What are the security risks associated with SSL/TLS Certificates?

• Outdated Versions of SSL or TLS - Transport Layer Security (TLS) is an updated and more secure version of SSL. Over SSL's lifetime, significant risks have been identified by security researchers which have led to improvements in the TLS protocol. Running the most current version of TLS is required to ensure communications remain secure.
• Expired or Untrusted Certificates - Expired or untrusted certificates can be taken advantage of by attackers. For example, if users are accustomed to seeing an expired certificate and ignoring warnings, these unsafe practices may lead to potential harm when accessing a malicious site.
• Weak Keys - SSL certificates signed using RSA keys less than 2048 bits are considered weak as they are increasingly vulnerable to cracking by powerful modern computers. A successful attack of this nature would provide an attacker with clear text access to encrypted data in motion.
• Weak Encryption Configuration - Hashing algorithms are used to provide a certificate with a digital signature to ensure that its contents have not been altered. These algorithms come in various types and some have been cracked and are subject to attack. If successful, a bad actor could impersonate a trusted source and access all communications between endpoints.
• Improperly Signed Certificates - Improperly signed certificates may be rejected by specific applications or services.

For these reasons, Information Security uses third-party tools to monitor the University's publicly available SSL/TLS certificates. When security issues are detected, we will contact system owners to resolve the issue. Failure to do so may result in disconnection from the network in order to protect the campus network.

Tools are available to ensure you have configured your server correctly and that certificates meet the above criteria. Qualys SSL Labs is a well respected web-based tool that you can use to scan sites that are publicly reachable on the internet.

How do I obtain an SSL/TLS certificate?

Computing and Communications Services (CCS) provides an SSL/TLS certificate administration service in an effort to provide long-term competitive pricing and ease of administration. More information on the service and cost is available here - https://www.uoguelph.ca/ccs/service/ssl-certificate-administration-service.

This service provides several advantages over purchasing directly from a commercial Certificate Authority:

• Assistance with CSR and key pair generation
• Review of your configuration to ensure authorization to use server certificates and potential use of existing University wildcard certificates
• Discounted certificate prices
• Notification of upcoming certificate expiry

Information Security recommends the use of an automated, public certificate authority such as Let’s Encrypt whenever feasible. For certificates that require longer validity periods, the use of centrally-managed SSL/TLS certificate service is strongly recommended. However, at this time it is not mandatory and other trusted certificate authorities can be used as long as certificates meet the conditions listed above.

Additional Resources

• Mozilla SSL Configuration Generator - https://ssl-config.mozilla.org/
• Qualys SSL Server Test - https://www.ssllabs.com/ssltest/
• CA/Browser Forum Certificate Authorities List - https://cabforum.org/about/membership/members/
• Certbot certificate automation software - https://certbot.eff.org/
• Let’s Encrypt (a free, automated certificate authority) - https://letsencrypt.org/

CCS Information Security
Last Updated: October 17, 2024