Obtain a Digital Certificate

Certificates are issued by the InCommon Certificate Service. For some certificates, users may manage their own requests. You may also choose to have IT staff enter certificate requests. This document describes the options.

Terminology

In order to understand the InCommon Certificate Service and the Certificate Services Manager (CSM), its graphical user interface, some definitions are useful.

Domain
A DNS name (or names) identifying one or more servers.
  • iastate.edu is a domain
  • abc.iastate.edu is a domain contained within iastate.edu
  • x.abc.iastate.edu is a domain contained within abc.iastate.edu
  • *.x.abc.iastate.edu is a domain that includes all systems contained within x.abc.iastate.edu

Department
An entity that has administrative control over one or more domains. This might be a university department, but could also be a college or other unit.

RAO
Registration Authority Officer. A person who has the authority to manage digital certificates for the institution (ISU) and, hence, the institution's domains.

DRAO
Department Registration Authority Officer. A person who has the authority to manage digital certificates for a department and, hence, the department's domains.

Obtaining Certificates

(Note: There are tools provided in ASW to aid with some of the steps described here. See the "Tools" section below. Please do keep reading, however, so that you will have a clue about what the tools do.)

In order to begin issuing certificates, some setup needs to be done. Certificates may be "owned" either by a department or by an individual. Ownership typically depends on the certificate type.

SSL

An SSL certificate is generally assigned to a server and, hence, is likely to be department owned. Any SSL certificate issued within a domain (e.g., iastate.edu) controlled by the university can simply have ownership assigned to the university. (Think of it as a "department" encompassing all other departments.) However, it makes the system more manageable to have ownership assignment parallel the hierarchy of the DNS system. That is, certificate ownership is assigned to the department that owns the corresponding qualified DNS domain.

The service provides for an ownership hierarchy with department and domain objects defined in the CSM. The domain entries are delegated to departments. Each SSL certificate resides in the corresponding CSM domain.

To get a department entry, an email requesting the entry should be sent to Certificate-Request@iastate.edu. The email must include the name of the unit and the physical address. If the entry is being established for a recognized university unit (college, department, etc.), the official university name should be used. If the requesting unit is part of another "official" university unit, please include that name as well.

For domain entries, the request is also via email to Certificate-Request@iastate.edu. The email must identify the owning department. Department and domain entries may be requested in the same email. There may be multiple domain entries for a department, and domain entries can be added to a department entry as needed.

Finally, you need to decide whether you wish to manage your own SSL certificates. A DRAO can be created in the CSM and designated to be responsible for certificates for one or more departments. If you are managing one or two systems and do not wish to establish your own account in the CSM, you may request that ITS staff generate your certificates.

If you wish to obtain a DRAO account, read on. Otherwise, you may skip this paragraph. A DRAO entry cannot be created until the department entry exists. A DRAO may have authority over more than one department. Again, the request is by email to Certificate-Request@iastate.edu. It must include name, email address, phone number, desired login name, and the department(s) for which the person is to be DRAO. Note that more than one DRAO may be created for a department. Normally, the login name will be the same as the person's netid, subject to availability. Email requesting creation of a DRAO account may be combined with the other requests noted above. Once the DRAO account is created, the person will be contacted by phone with the password for the new account.

If you wish to have ITS staff generate your SSL certificates, please send requests to Certificate-Request@iastate.edu. You must include the system name; the software platform (e.g., Apache/Mod SSL, MS IIS 5, etc.); the name, address, email address, and phone number of the responsible person; the appropriate CSR (Certificate Signing Request); and certificate characteristics (e.g., duration (typically one, two, or three years), wild-card, etc.).

Please note that if your university unit has designated a DRAO to handle certificate needs, you should make your requests to that person.

ITS staff may ask for validation of any request for service or record creation under this system. Such validation would normally be by telephone call to the appropriate college or department office.

A Note About CSRs

Your CSR must be generated with a key length of at least 2048 bits. This is required to meet minimum security standards established by government agencies and by browser manufacturers.
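The following shell script is an added example, not part of the ISU page or the InCommon service: it shows how to generate an RSA key and CSR that satisfy the 2048-bit minimum with OpenSSL, and how to check the key length of an existing CSR before submitting it. The host name and subject fields are placeholders; substitute your own system name and unit. The check is also useful for CSRs generated elsewhere (e.g., by IIS), since it reads only the CSR file.

```shell
#!/bin/sh
# Added example (not from the ISU documentation): generate a CSR with an
# RSA key of at least 2048 bits and verify a CSR's key length before sending it.
set -eu

# Placeholder host name; replace with the real system name (the CN).
HOST="${HOST:-www.example.iastate.edu}"

# gen_csr KEYFILE CSRFILE [BITS]
# Creates a new private key (unencrypted, mode 0600) and a matching CSR.
# BITS defaults to 2048, the documented minimum; larger values are fine.
gen_csr() {
  key="$1"; csr="$2"; bits="${3:-2048}"
  openssl req -new -newkey "rsa:${bits}" -nodes \
      -keyout "$key" -out "$csr" \
      -subj "/C=US/ST=Iowa/L=Ames/O=Iowa State University/CN=${HOST}" \
      2>/dev/null
  chmod 600 "$key"
}

# csr_key_bits CSRFILE
# Prints the public key size in bits, parsed from "Public-Key: (N bit)".
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_ok CSRFILE
# Succeeds only if the CSR carries a key of 2048 bits or more.
csr_ok() {
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Typical use:
#   gen_csr server.key server.csr 2048
#   csr_ok server.csr && echo "CSR meets the 2048-bit minimum"
```

Run `csr_ok` on any CSR before emailing it; a CSR generated with a shorter key will be rejected, and the only remedy is to generate a new key pair and CSR. Keep the private key on the server and send only the `.csr` file.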

Code Signing

In signing code, you accept responsibility for the integrity of the code. Please understand that if you sign malicious software, the fact of the signature makes it traceable.

Code Signing certificates are requested through a process different from that used for SSL certificates. While a Code Signing certificate has a department name associated with it, it is issued to an individual. (Here, "individual" is defined as someone having a name and a valid ISU email address. Hence, "individual" could be a work group.) The person making the request sends email to Certificate-Request@iastate.edu. The email must include:

  • Name of requestor
  • Email address of requestor
  • Requested duration (one, two, or three years)
  • Reason why the certificate is needed

A request for a certificate will be entered. The result will be an email to the requestor with a link to a site that will complete the CSR and create the request to the vendor. The person requesting the certificate must follow the supplied link and complete the process. Otherwise, the request is incomplete and no certificate will be issued.

Tools

For your convenience, forms have been created in ASW for some requests. Sign on to ASW. Select the "Request for Services" item and then the "Certificate" item. There, you will find three choices. The "SSL" selection is a form which will collect the information and generate the email to request a digital certificate. (As noted above, if your unit has a DRAO, your requests should be made to that person.)

The Code Signing section collects the information needed for a Code Signing certificate.

The DRAO section generates a request to become a DRAO. You may request to be authorized at either the department or college level. ASW will, based on your University records, also generate the information required for the "department" entry and the "domain" entry, if these are needed. If your request is out of the ordinary (e.g., requesting to become DRAO for a department or college not your own), you should simply send email as described above.

Site Seal

Web pages protected by SSL often carry a seal from the authority which issued the certificate. Should you wish to use such a seal, Comodo's seal can be obtained from Trust Logo.

More Information

The present configuration covers systems within iastate.edu and any of its subdomains. If there is a need to add other domains, that can be done with one caveat: Iowa State University must be the administrative authority of record for the domain. When an InCommon registration officer calls the phone number listed in the WHOIS information for the domain in question, they must find that ISU staff have the authority to act for the domain.

At this point, you may ask "So now that I've been made a DRAO, what do I do?" Documentation, demos, and a pointer to the CSM login page can all be found at the InCommon Certificate Service web site. Go to InCommon Federation and select Certificate Service from the menu. One of the first things you should do is log in to the CSM and change your password.

Last updated August 26, 2011