
Digital Certificates and Local Certificate Authorities

The use of the CSU San Bernardino Root Certificate

Purpose

As of June 2008, 59 services at CSUSB use CSU San Bernardino certificates, including: Web Mail, MyCoyote, MeetingMaker, Wireless Authentication, the SSL VPN, the CSUSB Wiki, and a number of departmental web servers and Exchange servers. Replacing these certificates with commercial certificates from a global certificate authority such as VeriSign would cost the campus a little over $53,000 annually.

By administering our own local certificate authority, we can promote the use of secure services without concern over licensing terms or annual overhead cost. Indeed, many services currently secured using CSU San Bernardino certificates would be using less secure, unencrypted methods of authentication and communication without the flexible, low-cost digital certificates signed under the CSU San Bernardino Root Certificate.

In addition to cost savings, running a local certificate authority holds an advantage in the validation process. CSU San Bernardino is inherently closer to the knowledge necessary to properly identify and validate services hosted under the csusb.edu domain as compared to a global certificate authority, such as VeriSign. As the current administrator of the CSU San Bernardino Certificate Authority, the Information Security Office validates certificate requests to make sure digital certificates are only issued to services hosted on campus and to the appropriate college or division.

Providing services using certificates signed under the root certificate of a local certificate authority is only appropriate in established communities with existing familiarity and trust relationships. For example, it is appropriate to use locally signed certificates for services such as WebMail and MeetingMaker because these services are used by established members of the CSUSB community. It is more appropriate to use a certificate signed by a global certificate authority for services like CSU Mentor or Give to CSUSB where the users of those services may not already have an established relationship with the university.

 

Advantages and Disadvantages

Clients using certificates signed under the CSU San Bernardino Root Certificate take an active role in security by explicitly trusting the Root Certificate through a one-time installation. This has the advantage of raising awareness of the use and purpose of digital certificates. However, the need to install and trust the Root Certificate isn't obvious without awareness and education. People can become confused by security warnings from their web browser.

Modern web browsers, such as IE7 and Firefox 3, present intimidating warnings when they encounter a web service using a certificate signed under a root certificate that they have not been pre-programmed to trust. The CSU San Bernardino Root Certificate, the root certificate of a local certificate authority, will not be pre-programmed to be trusted by the browser. Consequently, users accessing services using CSU San Bernardino certificates will receive warnings until they install and trust the CSU San Bernardino Root Certificate.

Warnings can also occur when a site's web master includes insecure content on an otherwise secure site, even if the certificate is from a global, trusted certificate authority.

The intent of the warnings is to prevent attempts at malicious activity like phishing and man-in-the-middle attacks from becoming successful. Before submitting personal information (such as a password), users should ideally be warned about malicious sites masquerading as legitimate sites and about any increase in risk that their information may be intercepted by an unauthorized third party.

Bypassing the warnings to access the site is not always straightforward, can require several steps, and is certainly not a best practice. To realize the advantages of using a local certificate authority, users need to install its root certificate into their browser, thereby explicitly trusting it.
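
The trust decision described above, as an added example that is not part of the original page: a service certificate signed under a local root fails validation against a client's built-in trust list and passes once the root is supplied as a trust anchor. It assumes the `openssl` command-line tool; the CA name, host name and function names are constructed and are not CSUSB's actual configuration.

```shell
#!/bin/sh
# Added example. All names (Example Campus Root CA, webmail.campus.example)
# are constructed; nothing here is CSUSB's actual CA configuration.

# Create a local root CA and a service certificate signed under it, in "$1".
make_local_ca() {
  dir=$1; host=webmail.campus.example
  # Self-signed root certificate: the local CA's trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Campus/CN=Example Campus Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
  # Service key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Campus/CN=$host" \
    -keyout "$dir/svc.key" -out "$dir/svc.csr" 2>/dev/null || return 1
  # The CA signs the request, binding the host name to the service key.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/svc.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -extfile "$dir/san.ext" -out "$dir/svc.crt" 2>/dev/null
}

# A client that has NOT installed the local root: only built-in anchors.
verify_with_default_store() {
  openssl verify "$1/svc.crt" 2>&1 | grep -q ': OK$'
}

# A client that HAS installed the local root as a trust anchor.
verify_with_local_root() {
  openssl verify -CAfile "$1/root.crt" "$1/svc.crt" 2>&1 | grep -q ': OK$'
}

# SHA-256 fingerprint to compare, before installing, against the value the
# CA administrator publishes through a separate channel.
root_fingerprint() {
  openssl x509 -in "$1/root.crt" -noout -fingerprint -sha256
}

demo() {
  d=$(mktemp -d) || return 1
  make_local_ca "$d" || { rm -rf "$d"; return 1; }
  verify_with_default_store "$d" && echo "default store: trusted" \
    || echo "default store: NOT trusted (browser would warn)"
  verify_with_local_root "$d" && echo "local root installed: trusted" \
    || echo "local root installed: NOT trusted"
  root_fingerprint "$d"
  rm -rf "$d"
}
demo
```

Installing a root makes the client accept every certificate signed under it, which is why the fingerprint comparison belongs before the install step rather than after.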

 

Trust the Root Certificate

To best utilize the current and future security-enabled services provided by California State University San Bernardino, conveniently and without warning messages, users only need to go through a simple one-time procedure to install and trust the CSU San Bernardino Root Certificate. The Root Certificate and installation instructions are available at:

http://iso.csusb.edu/download/certs
