Educause Security Discussion mailing list archives

Re: InCommon Certificate: Local vetting and management


From: Renee Shuey <rshuey () PSU EDU>
Date: Thu, 15 Dec 2011 07:40:56 -0500

I am submitting this response from one of the individuals at Penn State responsible for our certificate service 
deployment, Matthew Scott.  Please submit questions directly to him as I would not know the answers and would waste 
your time. ;)

We wrote our own web-based management tool to handle requests, assignment of names and billing information. A 
department purchases a subscription, which everything is tied to. A subscription has one subscriber, who is vetted 
manually by our staff. We generally contact the director or dean of the unit purchasing to confirm identity and 
permission. Domains are then added to the subscription and we check those with our central Networking Services group. 
All of this is added and managed through the web tool.

When those are in place, subscribers submit CSRs with any additional information and we process them. We have automated 
the verification, but we still process the request to Comodo manually. We did build an interface using the API for 
automated processing, but we did not go to production with it for various reasons.

Management and renewals are the responsibility of the subscriber. We don't actually offer renewals; we simply issue new 
certificates.


Matthew J. Scott
Quod Scripsi, Scripsi

Manager, SDI
ES, CSS, ITS, PSU
mjscott () psu edu

----- Original Message -----
From: "Martin Manjak" <mmanjak () ALBANY EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Wednesday, December 14, 2011 11:32:43 AM
Subject: [SECURITY] InCommon Certificate: Local vetting and management

We're planning on enrolling in the InCommon certificate program next FY
and staff here were wondering what vetting and management processes
other schools who have been using the service may have put in place.

Specifically, how do you vet requests for certs?

What, if any, workflow management tools do you use to track the status
of a request?

Who has the authority to submit the CSR at your institution?

Who is responsible for managing/renewing the certificate once issued?

If you prefer, you can respond off list by replying to
mmanjak () albany edu. I'll summarize any responses I receive directly for
the list.

-- 

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.

