Computing Services has partnered with a commercial vendor to offer digital certificates to qualified members of the university community. These certificates (typically used to provide service authentication and protocol encryption for web sites; e.g. HTTPS/SSL/TLS) are provided at no cost to individuals. The certificates are valid for up to three years and are recognized automatically by most popular browsers. In addition to the standard SSL certificates used on most web servers, several variations on these certificates are also available; these include Unified Communications certificates, Wildcard certificates, certificates with additional Subject Alternative Names, etc.
Why Use Digital Certificates
There are typically two reasons that motivate a web developer to use a digital certificate. The first reason is to provide encrypted transactions via HTTPS (HTTP over SSL/TLS). It is unwise and potentially irresponsible to host a web service that invites the transmission of confidential information unencrypted across the network. Unencrypted (plaintext) traffic is easily snooped by anyone on the campus network with the desire and a basic knowledge of computer networking. Use of a digital certificate and the SSL/TLS protocol provides a convenient way to contain this threat using a protocol and cryptosystem that is native to nearly every browser and platform.
The second common motivator for using a digital certificate is to provide trust management by means of the credentials carried by the certificate. A certificate carries with it credentials verified by Carnegie Mellon University Computing Services. This means that by issuing a certificate, the university asserts that the web server in question is a registered machine on the university network. So the user is guaranteed that the web service he or she is accessing is indeed one hosted by a machine on the campus network.
Important! No other assertion about the service can be implied from the knowledge that Carnegie Mellon University has signed a digital certificate. This signature asserts only that the web server is a registered machine on the campus network. It is still possible that the web service has offensive, illegal, and/or malicious intent.
Some examples of services that use digital certificates include NetReg and the University Directory.
To qualify for a signed digital certificate, all of the following conditions must be met:
- You must agree and conform to the Carnegie Mellon University Computing Policy.
- You must agree and conform to the Network Protocol Guidelines.
- The server must be in a domain registered to Carnegie Mellon University.
- The server cannot be in res.cmu.edu.
- If you are a student, you must have a faculty sponsor willing to submit the request on your behalf. Your certificate will expire in one semester.
- Best-effort advice and recommended third-party documentation are provided for the most popular web servers.
- You must agree to and abide by Comodo's Certificate Practice Statement.
Last Updated: 6/2/10