rectangle 008BB0

What are TLS Certificates?

The Information Security group of I+TS facilitates the purchase of Sectigo (formerly known as Comodo Group) TLS (formerly known as SSL) Certificate products for University server administrators. TLS is the acronym for Transport Layer Security.

What does this cost?

Most certificate products are covered under a single agreement maintained by the Office of the CIO so there is no chargeback for orders.

Who can manage obtaining these certificates?

The service now provides delegated certificate ordering and management capability with Sectigo’s Sectigo Certificate Manager, a web application. If your unit is interested in managing its own cert products, please send an email to security.admin@utoronto.ca for more information.

Alternatively, order them through ITS; see below.

How do I order a certificate?

Please use this link for instructions.

Which type of certificates are available?

The following certificate products are available for order. Please use the form below.

  1. Server certificates: these are used to protect one domain name. Note that all of these certs include ‘www.’ as well as the fully qualified domain name specified. A single certificate can be used with unlimited logical or physical servers.
  2. Wildcard certificates: these are used to protect a range of domain names under a single domain level, eg. ‘*.mysubnet.utoronto.ca’. It does not include the single name ‘mysubnet.utoronto.ca’.
  3. Unified Communication (multi-domain) certificates: these are used to protect a range of domain names with no restriction.

Why use this service?

This service provides advantages over purchasing direct from a commercial Certificate Authority

  • The site validation process for the utoronto.ca or toronto.edu domains is completed.
  • There is no cost to most cert products.
  • The Information Security group in I+TS adds a departmental contact vetting process to ensure authorization to use server certificates (see note for more details below).
  • Notification of imminent cert expiry is provided at least two weeks before the expiry date.
  • Note on certificate issuance verification: The certificate issuance validation feature that is provided with this service adds an extra degree of assurance for site administrators and end users. Before cert orders are processed, the site administrator authorization is vetted by checking the authoritative ‘/etc/networks’ file. If the admin is not present in that database, they are requested to have someone who is validate the request. Note that this may delay the issuance of the the certificate.
  • Site users can be assured of this validation process when they see the Sectigo cert on a University website. This is a step above how a commercial CA handles validation for low cost products – such CAs compare the requestor with the owner of the domain name only.

 

Technical Aspects

Web Server TLS Configuration

It is highly recommended that configuration of HTTPS websites follow current standards for the acceptance of cryptographic algorithms. One excellent source of these standards is the following Mozilla site:

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

In particular, we recommend that the ‘intermediate compatibility’ configuration be deployed on websites.

Testing your site

Website settings can be evaluated using one of the many vendor testsites including https://www.ssllabs.com/ssltest/. Click the ‘Do not show the results on the boards’ box.

If you have questions about the results of the test or need a reference on TLS configuration, please consult: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations.


For TLS digital certificate services, please see our Contact page.