Policy, Service Levels & FAQs

Policy

Please review the Digital Certificate Policy. This policy applies to digital certificates used at UCSC, including certificates ordered through this service.

Supervisors of DRAOs must notify the RAOs and Service Manager when the DRAO's role changes or when they leave the university. Notification can be done via ITR ticket: Web Services > SSL Certificates.


Standards

Qualys SSL Labs "SSL/TLS Deployment Best Practices" describes current industry standards for SSL/TLS implementations. UCSC implementations are expected to meet these standards. Servers that achieve a "Grade A" or higher rating on the Qualys SSL Labs Server Test are considered to meet these standards.

  • IMPORTANT: When running the SSL Labs Server Test, always check “Do not show the results on the boards” so results are not posted publicly.
  • NOTICE: UCSC runs periodic reports on the grades that servers with InCommon SSL certificates score on the Qualys SSL Labs Server Test. The Digital Certificate Service Manager will follow up with DRAOs as needed.

ITS advocates the standard of enabling SSL by default on all UCSC-administered web pages, and encourages administrators to move toward this goal. Testing has shown minimal performance impact, and there are definite security advantages. This is also recommended in the SSL Labs Best Practices linked above.


FAQs


Service Level Details

The Service Level Agreement (SLA) for the Digital Certificate Service is available on the ITS SLA web page. This service has vendor-defined maintenance windows on Wednesdays from 11-11:30 PM and Saturdays from 3:59-4:30 PM.

Digital certificate requests generally take three to five business days to fulfill for SSL certificates and up to 10 business days for code-signing certificates. Orders may take longer depending on multiple variables, such as:

  • A new (unregistered) or existing (registered but not via our service) domain that does not contain "ucsc.edu" as part of the domain name.
  • Planned or unplanned outages of the InCommon service and/or the Certificate Authority (Comodo).
  • Quantity of requests and/or bulk orders.
  • Orders containing incorrect information.
  • Orders that are inconsistent with policy.
  • Code-signing certificates require the requester to reply to an email from InCommon. A delay in this reply can delay the issuance of the certificate.
  • Some complex certificate types are not available through InCommon, such as certificates requiring unique data types (e.g., EKU for VMware).

A new Department Registration Authority Officer (DRAO) request may take up to two business weeks to complete. Requests for a DRAO require vetting and facilitation to ensure proper configuration of the system, and training for the nominated employee (as DRAO). 


Get Help

If you are having problems with a digital certificate and need assistance: