SSL Certificates

Secure Sockets Layer (SSL) is a security protocol that provides an encrypted Internet connection. An SSL certificate is proof from an independent third party that your website belongs to the organization it says it does and that your users will be transmitting information via an encrypted connection. You should use an SSL certificate to protect any website or service that handles sensitive data such as login credentials.

Certificates can also be used to sign documents electronically or to sign code for distribution.

Free InCommon Certificates

OSU is now registered for the InCommon Certificate service.  With this membership, OSU has unlimited access to SSL certificates at no additional cost to individual service providers.  All OSU-owned domains are covered.  The following certificate types are available: web server SSL certificates, extended validation certificates, code signing certificates, wildcard certificates and SAN certificates. The certificate authority (CA) is Comodo, an industry-standard CA trusted by most clients. 

Through the Comodo certificate management interface, OSU has the ability to delegate certificate administration to departments on campus.  

To request a certificate management account or to obtain a certificate through InCommon, please complete the InCommon SSL Certificate Request Form.


SHA2 Transition

Internet Explorer, Chrome, and Firefox will discontinue the use of HTTPS/SSL certificates signed with the SHA-1 hash and will require the use of the SHA-2 secure hash. Google has announced that SHA-1 signed SSL certificates will be deprecated beginning with Chrome 39, which was released to the public in November 2014. Chrome will use icons in the address bar to visually indicate degraded security. The visual indicators are sensitive to the certificate expiration date, with certificates expiring in 2017 targeted first, then those expiring in 2016. Certificates expiring in 2014 and 2015 will not be impacted.

By 1/1/2017, all major browsers will reject SHA-1 certificates.

Who is impacted?

Users of your websites may experience negative visual security indicators if your SHA-1 certificates are valid beyond December 31, 2015. Google Chrome users will begin seeing these warnings in November 2014. Additionally, if a user is on Windows, they will not be able to access sites with SHA-1 certificates after January 1, 2017.

Recommended Actions

Website/service owners using HTTPS/SSL certificates should take inventory of their certificates and plan on migrating affected SHA-1 SSL certificates to SHA-2 SSL certificates. Based upon the expiration year of your certificate, the following course of action is recommended:

Expiration Year   Recommended Action
2015              Request a new SHA-2 certificate as your expiration date approaches
2016              Request a new SHA-2 certificate before January 2015
2017              Request a new SHA-2 certificate now

Upgrade Steps

1. Review SHA-2 Compatibility

Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 signed certificates. Ensure your environment, including hardware and software, will support SHA-2 certificates. Refer to the SHA-2 Compatibility page for a list of supported hardware and software.

2. Determine Certificate Expiration Date

If you are using certificates issued by InCommon/Comodo, you can use the Certificate Manager to generate a custom CSV of all of your certificates expiring on or after January 1, 2016.  To do this, click the 'Reports' tab, use the pull down menu to select Reports -> SSL Certificates, Current Status -> Issued, and Date Selection -> Expiration Date.  Set the To: date field to January 1, 2016.

You can verify which hash a certificate was signed with by browsing to your website and clicking the padlock icon in your browser to view the SSL certificate. On the details screen for the certificate, look for the "signature hash algorithm" field (SHA-1 certificates show sha1, SHA-2 certificates show sha256 or stronger). You can also use tools like OpenSSL to view the details of a certificate.
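The check in step 2, together with the expiration-year table under Recommended Actions, can be automated. The script below is an added example and is not part of the original page or of any InCommon/Comodo tooling: it reads a DER-encoded certificate with a small hand-written ASN.1 walker (Python standard library only), extracts the signatureAlgorithm OID and the notAfter date, and maps them to the table's recommended action. The function and constant names are my own; the OID-to-name table is an assumed subset; the sample certificates are constructed inline (empty names, placeholder public key, dummy signature) so the example runs offline. It generalizes the table slightly: any expiration year after 2017 is treated like 2017 ("now").

```python
"""Added example (not the page's tooling): report a certificate's signature
hash and map it to the SHA-1 -> SHA-2 migration table."""
import datetime

# ASN.1 DER tags used below
SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06
UTC_TIME, GENERALIZED_TIME, EXPLICIT_0 = 0x17, 0x18, 0xA0

# Assumed subset of signature-algorithm OIDs (names per RFC 3279 / 4055 / 5758)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID contents octets to dotted form, e.g. '1.2.840.113549.1.1.5'."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == UTC_TIME:
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        rest = s[2:]
    else:
        year, rest = int(s[:4]), s[4:]
    return datetime.datetime(year, int(rest[0:2]), int(rest[2:4]),
                             int(rest[4:6]), int(rest[6:8]), int(rest[8:10]))


def parse_certificate(der):
    """Return (signature OID, notAfter) from a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)               # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)           # signatureAlgorithm
    _, oid, _ = _read_tlv(sig_alg, 0)              # AlgorithmIdentifier.algorithm
    p = 0
    tag, _, nxt = _read_tlv(tbs, p)
    if tag == EXPLICIT_0:                          # optional [0] version
        p = nxt
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, p = _read_tlv(tbs, p)
    _, validity, _ = _read_tlv(tbs, p)             # validity ::= SEQUENCE
    _, _, q = _read_tlv(validity, 0)               # notBefore
    t_tag, not_after, _ = _read_tlv(validity, q)   # notAfter
    return _decode_oid(oid), _decode_time(t_tag, not_after)


def recommended_action(sig_oid, not_after):
    """Apply the page's expiration-year table to a SHA-1 signed certificate."""
    if sig_oid not in SHA1_OIDS:
        return "not affected: certificate is not signed with SHA-1"
    year = not_after.year
    if year <= 2014:
        return "not affected: expires in 2014 or earlier"
    if year == 2015:
        return "request a new SHA-2 certificate as the expiration date approaches"
    if year == 2016:
        return "request a new SHA-2 certificate before January 2015"
    return "request a new SHA-2 certificate now"   # 2017 and later (generalized)


def assess(der):
    oid, not_after = parse_certificate(der)
    return {"signature_algorithm": SIGNATURE_OIDS.get(oid, oid),
            "not_after": not_after, "action": recommended_action(oid, not_after)}


# --- constructed sample input (a structurally valid but unsigned certificate) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_certificate(sig_oid, not_after_utctime):
    """Constructed test certificate: empty issuer/subject, placeholder key, dummy signature."""
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    tbs = _tlv(SEQUENCE, _tlv(EXPLICIT_0, _tlv(INTEGER, b"\x02"))   # version v3
                         + _tlv(INTEGER, b"\x01")                   # serialNumber
                         + alg                                      # signature
                         + _tlv(SEQUENCE, b"")                      # issuer (empty)
                         + _tlv(SEQUENCE, _tlv(UTC_TIME, b"141101000000Z")
                                          + _tlv(UTC_TIME, not_after_utctime))
                         + _tlv(SEQUENCE, b"")                      # subject (empty)
                         + _tlv(SEQUENCE, b""))                     # SPKI placeholder
    return _tlv(SEQUENCE, tbs + alg + _tlv(BIT_STRING, b"\x00"))


if __name__ == "__main__":
    for oid, expiry in [("1.2.840.113549.1.1.5", b"160301000000Z"),
                        ("1.2.840.113549.1.1.11", b"170301000000Z")]:
        print(assess(build_sample_certificate(oid, expiry)))
```

To run it against a real certificate, read the DER bytes from a file (for PEM input, base64-decode the body between the BEGIN/END markers first) and pass them to assess(). The parser deliberately reads the outer signatureAlgorithm field, which is the one the page's "signature hash algorithm" display reflects.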

3. Replace SHA-1 Certificates with SHA-2 Certificates

To obtain a certificate from InCommon/Comodo, simply select one of the SHA-2 Certificate options in the 'Type' pull down menu.  You must re-enroll to obtain a SHA-2 certificate.  You cannot use the replace function.

4. Download and install new certificates

The issuer chain for SHA-2 certificates differs from the SHA-1 chain. InCommon/Comodo recommends that you update the certificate chain on your server to make sure the SHA-2 certificates are trusted. For further information, see this reference from Colorado State. If you need SSL certificate installation instructions, please see the Comodo knowledgebase.

5. Test Certificate Installation

The last step is to test your website(s) and make sure that the certificates are installed and working properly.

If you have questions or need assistance, please complete the InCommon SSL Certificate request form.

References

Gradually sunsetting SHA-1 (Google)

SHA-1 Deprecation Policy (Microsoft)

Transitioning your certificates to the stronger SHA-2 hashing algorithm (Comodo)