Educause Security Discussion mailing list archives
Re: InCommon Certificate: Local vetting and management
From: Renee Shuey <rshuey () PSU EDU>
Date: Thu, 15 Dec 2011 07:40:56 -0500
I am submitting this response from one the individuals at Penn State responsible for our certificate service deployment, Matthew Scott. Please submit questions directly to him as I would not know the answers and would waste your time. ;) We wrote our own web-based management tool to handle requests, assignment of names and billing information. A department purchases a subscription, which everything is tied to. A subscription has one subscriber, who is vetted manually by our staff. We generally contact the director or dean of the unit purchasing to confirm identity and permission. Domains are then added to the subscription and we check those with our central Networking Services group. All of this is added and managed through the web tool. When those are in place, subscribers submit CSRs with any additional information and we process them. We have automated the verification, but we still process the request to Comodo manually. We did build an interface using the API for automated processing, but we did not go to production with it for various reasons. Management and renewals are the responsibility of the subscriber. We don't actually offer renewals, we simply issue new certificates. Matthew J. Scott Quod Scripsi, Scripsi Manager, SDI ES, CSS, ITS, PSU mjscott () psu edu ----- Original Message ----- From: "Martin Manjak" <mmanjak () ALBANY EDU> To: SECURITY () LISTSERV EDUCAUSE EDU Sent: Wednesday, December 14, 2011 11:32:43 AM Subject: [SECURITY] InCommon Certificate: Local vetting and management We're planning on enrolling in the InCommon certificate program next FY and staff here were wondering what vetting and management processes other schools who have been using the service may have put in place. Specifically, how do you vet requests for certs? What, if any, workflow management tools do you use to track the status of a request? Who has the authority to submit the CSR at your institution? Who is responsible for managing/renewing the certificate once issued? If you prefer, you can respond off list by replying to mmanjak () albany edu. I'll summarize any responses I receive directly for the list. -- Martin Manjak CISSP, GIAC GSEC-G Information Security Officer University at Albany MSC 209 518/437-3813 The University at Albany will never ask you to reveal your password. Please ignore all such requests.
Current thread:
- InCommon Certificate: Local vetting and management Martin Manjak (Dec 14)
- Re: InCommon Certificate: Local vetting and management Renee Shuey (Dec 15)
- Re: InCommon Certificate: Local vetting and management--Summary of Responses Martin Manjak (Dec 16)