Phone: (909)537-7677
Email: support@csusb.edu
Knowledgebase: Technical
Digital Certificates and Local Certificate Authorities
Posted by Kenneth Baugh on 02 May 2017 03:58 PM

Digital Certificates and Local Certificate Authorities

The use of the CSU San Bernardino Root Certificate

Purpose

Before the InCommon Unlimited Certificate Service was available, CSU San Bernardino utilized digital certificates signed by a local certificate authority.

In June 2008, 59 services at CSUSB used CSU San Bernardino certificates, including: Web MailMyCoyoteWireless Authentication, the SSL VPN, the CSUSB Wiki, and a number of departmental web servers and Exchange servers. At the time, replacing these certificates with commercial certificates from global certificate authority such as VeriSign would have cost the campus a little over $53,000 annually.

By administrating our own local certificate authority, we promoted the use of secure services without concern over licensing terms or annual overhead cost. Indeed, many services secured using CSU San Bernardino certificates would have been using less secure, unencrypted methods of authentication and communication without the flexible, low-cost digital certificates signed under the CSU San Bernardino Root Certificate.

Internet Explorer 7 showing a mail.csusb.edu as 'Identified by CSU San Bernardino Root CA'

In addition to cost savings, running a local certificate authority held an advantage in the validation process. CSU San Bernardino was inherently closer to the knowledge necessary to properly identify and validate services hosted under the csusb.edu domain as compared to a typical global certificate authority, such as VeriSign. As administrator of the CSU San Bernardino Certificate Authority, the Information Security Office validated certificate requests to make sure digital certificates were only issued to services hosted on campus and to the appropriate college or division.

Providing services using certificates signed by a local certificate authority was only appropriate in established communities with existing familiarity and trust relationships. For example, it was appropriate to use locally signed certificates for services such as WebMail because these services were used by established members of the CSUSB community. It was more appropriate to use a certificate signed by a global certificate authority for services like CSU Mentor or Give to CSUSB where the users of those services may not already have an established relationship with the university.

Advantages and Disadvantages

Clients using certificates signed under the CSU San Bernardino Root Certificate took an active role in security by explicitly trusting the Root Certificate through a one-time installation. This had the advantage of raising awareness of the use and purpose of digital certificates. However, the need to install and trust the Root Certificate wasn't obvious without awareness and education. People became confused by security warnings from their web browser.

IE7 Certificate Error from 2008

Web browsers in 2008, such as IE7 and Firefox 3 presented intimidating warnings for web sites using a certificate signed under a root certificate that it had not been programmed to trust. The CSU San Bernardino Root Certificate, the root certificate of a local certificate authority, would not have been programmed to be trusted by the browser provider. Consequently, users accessing services using CSU San Bernardino certificates would receive warnings until they themselves installed and trusted the CSU San Bernardino Root Certificate.

Warnings also occurred when a site's web master included insecure content on an otherwise secure site, even if the certificate was from a global, trusted certificate authority.

The intent of the warnings was to prevent attempts at malicious activity like phishing and man-in-the-middle attacks from becoming successful. Before submitting personal information (such as a password), users were warned about malicious sites masquerading as legitimate sites and how that increased the risk that private information might be intercepted by an unauthorized third party.

Bypassing the warnings to access the site was not always straightforward, and was certainly not a best practice. To realize the advantages of using a local certificate authority, users needed to install its root certificate into their browser thereby explicitly trusting it.

Trust the Root Certificate

Root Certificate with IE - Step 5

To best utilize the security enabled services provided by California State University San Bernardino, conveniently and without warning messages, users only needed to go through a simple one-time procedure to install and trust the CSU San Bernardino Root Certificate.

The procedure was eventually phased out as the campus transitioned to using InCommon certificates.