What is covered by this policy?
...
Once the certificate is submitted via the web form, cert-auth will submit the CSR to InCommon. InCommon will ensure that the signature is SHA2 and that the key length is up to standard. Currently the key length has to be equal to or larger than 2048 bits. The cert-auth will then approve the certificate.
Turn-around Time
CUIT will sign CSRs and configure keys/certificates, as needed, within 5 business days of their request. If new certificates for non-columbia.edu domains are requested, requests will take longer (generally 5 business days longer) since domain owners will need to authorize InCommon to allow CUIT to sign certificates for that domain.
...
How long are certificates valid?
Certificates can be obtained for a 1 or 2 year period. They comply with industry standards and remain valid for one year from their issuance date. Warning emails will be sent by InCommon to the certificate owners as the expiration date nears. For CUIT systems managed by the Systems Sourcing and Engineering Team, a ServiceNow incident will be automatically opened to track the certificate renewal. For other CUIT systems, the Client Services group will manage those certificates in collaboration with the Service Owners.
Exceptions:
CUIT assumes no responsibility for the expiration of certificates on non-CUIT systems. It is the certificate owner’s responsibility to request a new certificate when needed. For certificates on non-CUIT systems, expiration notices are not processed, as the certificate owner also receives the request and can renew if needed.
SSL Termination at F5
For systems behind the F5 load balancers, SSL termination occurs at the F5, where wildcard certificates are used.
Reusing CSRs
Certificate Signing Requests (CSRs) shall not be reused. Users must generate and submit new CSRs whenever certificates are renewed.
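A pre-submission check for the requirements stated in this policy (SHA2 signature, key length of at least 2048 bits, a new CSR for every renewal), as an added example that is not CUIT's or InCommon's own tooling. It assumes the OpenSSL command-line tool and RSA keys; the function names, file paths and host name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not CUIT's or InCommon's tooling.
# Assumptions: OpenSSL CLI on PATH, RSA keys; names and paths are hypothetical.

MIN_BITS=2048   # minimum key length stated in the policy

# new_csr <common-name> <key-out> <csr-out> [bits]
# Generates a brand-new private key together with the CSR, so a renewal
# never resubmits an old CSR.
new_csr() {
    local cn=$1 key=$2 csr=$3 bits=${4:-$MIN_BITS}
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey "rsa:${bits}" -nodes -sha256 \
          -subj "/CN=${cn}" -keyout "$key" -out "$csr" 2>/dev/null )
}

# check_csr <csr-file>
# Returns 0 only if the CSR's self-signature verifies, the signature hash
# is from the SHA-2 family, and the public key is at least MIN_BITS long.
check_csr() {
    local csr=$1 text bits sigalg
    # Older OpenSSL releases exit 0 even on a bad signature, so match the text.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: unreadable CSR or bad self-signature" >&2; return 1; }
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" \
        | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: key length ${bits:-unknown} < ${MIN_BITS} bits" >&2; return 1
    fi
    if ! printf '%s' "$sigalg" | grep -Eiq 'sha(224|256|384|512)'; then
        echo "FAIL: signature algorithm '${sigalg}' is not SHA-2" >&2; return 1
    fi
    echo "OK: ${bits}-bit key, ${sigalg}"
}
```

Run `new_csr` at every renewal and pass its output to `check_csr` before submitting through the web form.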
...
- Common name
- Type, if applicable (regular, wildcard, multi-domain)
- External requester email address (renewal notices will be sent to this address)
- Expected certificate name
Domain validation