SSL/TLS Certificate Standard
Table of Contents
- What are SSL/TLS Certificates?
- University of Guelph SSL/TLS System, Application, or Website Requirements
- University of Guelph SSL/TLS Certificate Requirements
- Self-Signed Certificates
- What are the security risks associated with SSL/TLS Certificates?
- How do I obtain an SSL/TLS certificate?
Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), allows for encrypted communication over networks. When properly configured, TLS employs strong cryptography to encrypt network connections and authenticate the endpoints. This is frequently referred to as encryption of 'data in transit' or 'data in motion'.
Any University of Guelph system, application, or website that uses Central Login Credentials for authentication, or that transmits/receives University data is required to:
- Use TLS version 1.2 (or higher) to maintain encrypted communications channels between endpoints.
- Ensure that TLS is maintained and configured in the most secure manner possible, and
- Use Secure Hypertext Transport Protocol (HTTPS) connections based on server-side certificates signed by a trusted third-party certificate provider (such as Entrust or DigiCert) and avoid use of plaintext HTTP where technologically possible.
TLS certificates must meet ALL of the following criteria:
- A minimum key size of 2048 bits must be used
- Certificates must not be expired (the ‘Valid from’ date must be in the past and the ‘Valid to’ date must be in the future)
- A maximum certificate lifetime of 13 months (This is now the industry standard as Apple, Google, and Mozilla have set restrictions on publicly rooted digital certificates in their respective web browsers that expire in more than 13 months)
- The subject of the certificate (CN) must match the fully qualified domain name of the service the certificate is protecting
- The Organization field must be set to ‘University of Guelph’ when user credentials or sensitive information is being exchanged
- When renewing a certificate, a new keypair must be generated each time
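The criteria above expressed as an automated check. This is an added example, not University tooling. It assumes the certificate is supplied as a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, that the key size and key fingerprints are supplied by the caller (that dict does not carry them), that "13 months" is counted as 398 days, and it uses constructed hostnames and dates.

```python
import ssl
from datetime import datetime, timezone

MIN_KEY_BITS = 2048
MAX_LIFETIME_DAYS = 398  # assumption: day count used here for "13 months"
REQUIRED_ORG = "University of Guelph"

def subject_field(cert, name):
    # getpeercert() gives the subject as a tuple of RDNs, each a tuple of (key, value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def audit_cert(cert, key_bits, fqdn, sensitive=True, now=None,
               key_fp=None, prev_key_fp=None):
    """Return the list of criteria the certificate fails (empty list = compliant)."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    failures = []
    if key_bits < MIN_KEY_BITS:
        failures.append(f"key size {key_bits} < {MIN_KEY_BITS} bits")
    if not start <= now <= end:
        failures.append("outside validity window (expired or not yet valid)")
    if (end - start) / 86400 > MAX_LIFETIME_DAYS:
        failures.append(f"lifetime exceeds {MAX_LIFETIME_DAYS} days")
    cn = subject_field(cert, "commonName")
    if cn is None or cn.lower() != fqdn.lower():  # exact match only, no wildcards
        failures.append(f"CN {cn!r} does not match {fqdn!r}")
    if sensitive and subject_field(cert, "organizationName") != REQUIRED_ORG:
        failures.append(f"Organization is not {REQUIRED_ORG!r}")
    if prev_key_fp is not None and key_fp == prev_key_fp:
        failures.append("renewal reused the previous keypair")
    return failures

# Constructed sample data (not real certificates)
NOW = datetime(2021, 4, 20, tzinfo=timezone.utc).timestamp()
GOOD = {"subject": ((("organizationName", "University of Guelph"),),
                    (("commonName", "portal.example.org"),)),
        "notBefore": "Mar  1 00:00:00 2021 GMT",
        "notAfter": "Mar  1 00:00:00 2022 GMT"}
BAD = {"subject": ((("commonName", "old.example.org"),),),
       "notBefore": "Jan  1 00:00:00 2020 GMT",
       "notAfter": "Jan  1 00:00:00 2022 GMT"}

if __name__ == "__main__":
    print(audit_cert(GOOD, 2048, "portal.example.org", now=NOW))
    for failure in audit_cert(BAD, 1024, "portal.example.org", now=NOW):
        print("FAIL:", failure)
```
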
Self-signed certificates are only permitted for:
- Development and test systems which contain no Confidential (S3) or Restricted (S4) data, are segregated from the production network, and are prohibited from connecting to external resources.
- Application server to database server connections within the University data centre.
- Internally hosted infrastructure systems (e.g. LDAP servers, load balancers, etc.) with no end-user connections.
- Outdated Versions of SSL or TLS - Transport Layer Security (TLS) is an updated and more secure version of SSL. Over SSL's lifetime, significant risks have been identified by security researchers which have led to improvements in the TLS protocol. Running the most current version of TLS is required to ensure communications remain secure.
- Expired or Untrusted Certificates - Expired or untrusted certificates can be taken advantage of by attackers. For example, if users are accustomed to seeing an expired certificate and ignoring warnings, these unsafe practices may lead to potential harm when accessing a malicious site.
- Weak Keys - SSL certificates signed using RSA keys smaller than 2048 bits are considered weak as they are increasingly vulnerable to cracking by powerful modern computers. A successful attack of this nature would provide an attacker with clear text access to encrypted data in motion.
- Weak Encryption Configuration - Hashing algorithms are used to provide a certificate with a digital signature to ensure that its contents have not been altered. These algorithms come in various types and some have been cracked and are subject to attack. If successful, a bad actor could impersonate a trusted source and access all communications between endpoints.
- Improperly Signed Certificates - Improperly signed certificates may be rejected by specific applications or services.
For these reasons, Information Security uses third-party tools to monitor the University's publicly available SSL/TLS certificates. When security issues are detected, we will contact system owners to resolve the issue. Failure to resolve the issue may result in disconnection from the network in order to protect the campus network.
Tools are available to ensure you have configured your server correctly and that certificates meet the above criteria. Qualys SSL Labs is a well-respected web-based tool that you can use to scan sites that are publicly reachable on the internet.
Computing and Communications Services (CCS) provides an SSL/TLS certificate administration service through a partnership with Entrust. More information on the service and cost is available here - https://www.uoguelph.ca/ccs/service/ssl-certificate-administration-service. We have partnered with a well-known and trusted CA (Entrust) in an effort to provide long-term competitive pricing and ease of administration.
This service provides several advantages over purchasing directly from a commercial Certificate Authority:
- Assistance with CSR and key pair generation
- Review of your configuration to ensure authorization to use server certificates and potential use of existing University wildcard certificates
- Discounted certificate prices
- Notification of upcoming certificate expiry
Information Security strongly recommends the use of the centrally-managed SSL/TLS certificate service. However, at this time it is not mandatory and other trusted certificate authorities can be used as long as certificates meet the conditions listed above.
CCS Information Security
Last Updated: April 20, 2021