Section 1 - Overview
(1) This procedure is to be used for the procurement of SSL and End User Certificates. The procedure has been defined to ensure adequate separation of duties with respect to the issuing and management of University SSL and End User certificates.
Section 2 - Scope
(2) This procedure applies to all requests for SSL and End User Certificates, and to Authorisers, Approvers and Subscribers of the QuoVadis TrustLink Enterprise service (TrustLink). This procedure applies to University Representatives.
Section 3 - Procedure
- A certificate must not be requested and authorised or approved by the same individual;
- Whoever is responsible for installing the certificate must generate the Certificate Signing Request (CSR);
- If the certificate will be installed by the ITD Infrastructure Services Group (ISG), ISG will generate the CSR and an ISG subscriber will submit a certificate request in TrustLink;
- If the certificate will not be installed by ISG, ITD Information Services will manage the certificate procurement:
  - If the certificate will be installed by Information Services, Information Services will generate the CSR and an Information Services Subscriber will submit a certificate request in TrustLink.
  - If the certificate will be installed by a Vendor or other UNE department or entity, the Vendor or other UNE department or entity will generate the CSR, attach it to a request for a certificate and email it to firstname.lastname@example.org.
    - The IT Services Desk will assign the request to the IT Security queue.
    - ITD Information Security will assign the request to Information Services.
    - An Information Services Subscriber will submit a certificate request in TrustLink.
- The private key associated with a certificate must be unique. Using the same private key for different certificates is prohibited. However, it is acceptable to re-use an existing private key for a certificate when renewing that certificate; and
- The term of certificates will be three years, unless the certificate is requested by a Vendor or other UNE department or entity, in which case the certificate request will be made for a term of one year.
(4) Submitting a Certificate Request:
- Certificate requests must be made by a Subscriber using TrustLink; and
- The request will be electronically routed to an Approver to arrange authorisation of the request.
(5) Authorising and Approving a Certificate Request:
- When a certificate request is received from TrustLink, the Approver will request authorisation to approve the certificate;
- The Authoriser will determine if the certificate request is:
  - Appropriate and fit for purpose; and
  - Appropriate for the term requested;
- The Authoriser will notify the Approver of the outcome by email;
- The Approver will approve or reject the request in TrustLink based on the Authoriser's notification;
- The Approver will notify the Subscriber whether or not their request has been approved;
- A notification that the certificate is available for download will be sent to the Subscriber by TrustLink;
- If the request has not been approved, the Approver will notify the Subscriber and provide the reason for the rejection; and
- The Approver will record the certificate approval in the ITD Certificate Register.
(6) Certificate Management:
- ISG will request, download, install and renew certificates where ISG has generated the CSR;
- Information Services will request, download, install and renew certificates where Information Services has generated the CSR; and
- If the CSR was generated by a Vendor or other UNE department or entity, Information Services will download the approved certificate and provide it to the Vendor or other UNE department or entity to install. Information Services will notify the Vendor or other UNE department or entity when the certificate is due for renewal.
(7) Certificate Expiry Notifications:
- TrustLink will notify Subscribers at 30 days, 7 days and 1 day before certificates are due to expire; and
- ITD Information Security will send a monthly certificate expiry report to ISG and Information Services to mitigate the risk of certificates expiring.
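The following shell script is an added example and is not part of this procedure or of QuoVadis TrustLink. It uses the openssl command line to show, in working form, three of the controls above: the installing party generates the CSR from its own key and checks the CSR against that key before submitting it; a private key is refused for a second certificate unless the request is a renewal of the same certificate (tracked in a small key register); and certificates are classified against the 30, 7 and 1 day expiry windows and listed in a report of the kind the monthly expiry report could contain. The host names under example.test, the register file and the self-signed test certificates are constructed for the demonstration, and the script assumes openssl (1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not part of the UNE procedure or of QuoVadis TrustLink.
# Helpers around the openssl CLI for three controls in the procedure:
#   - the installing party generates the CSR from its own key and verifies
#     the CSR against that key before submission;
#   - one private key backs one certificate, except on renewal of that same
#     certificate (checked against a constructed key register);
#   - certificates are classified against the 30 / 7 / 1 day expiry windows
#     and summarised in a report.
# Host names (*.example.test), the register and the test certs are constructed.
set -eu

WORK="$(mktemp -d)"
REGISTER="$WORK/key-register.txt"   # constructed: "<sha256 of public key> <cert name>" per line
: > "$REGISTER"

# Generate a fresh private key and a CSR for one host name. Only the CSR
# (public key + subject, self-signed) leaves the host; the key stays put.
make_csr() {
  host="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$host.key" 2>/dev/null
  openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" \
    -out "$WORK/$host.csr" 2>/dev/null
}

# Pre-submission check: the CSR's self-signature verifies and its public key
# is the one derived from the private key we hold ($1 = CSR, $2 = key).
csr_matches_key() {
  openssl req -in "$1" -verify -noout >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# SHA-256 over the DER SubjectPublicKeyInfo in a CSR: a stable identity for the key.
csr_key_fingerprint() {
  openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Accept a CSR into the register unless its key already backs a different
# certificate. For a renewal, pass the existing certificate's name as $3.
register_csr_key() {
  fp="$(csr_key_fingerprint "$1")"
  name="$2"
  renewal_of="${3:-}"
  existing="$(awk -v f="$fp" '$1 == f { print $2; exit }' "$REGISTER")"
  if [ -n "$existing" ] && [ "$existing" != "$renewal_of" ]; then
    echo "REJECT: key already used by $existing"
    return 1
  fi
  [ -n "$existing" ] || echo "$fp $name" >> "$REGISTER"
  echo "OK: $name"
}

# Which notification window a certificate falls in: expired, 1-day, 7-day,
# 30-day or ok. "openssl x509 -checkend N" exits non-zero when the
# certificate expires within N seconds.
expiry_tier() {
  for days in 0 1 7 30; do
    if ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
      case $days in
        0) echo expired ;;
        *) echo "$days-day" ;;
      esac
      return 0
    fi
  done
  echo ok
}

# One report line per certificate: name, notAfter, tier (tab separated).
expiry_report() {
  for cert in "$@"; do
    printf '%s\t%s\t%s\n' "$(basename "$cert" .crt)" \
      "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" \
      "$(expiry_tier "$cert")"
  done
}

# Self-signed test certificate with a chosen lifetime in days (constructed data).
make_test_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -days "$2" -subj "/CN=$1" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Demonstration run.
make_csr www.example.test
csr_matches_key "$WORK/www.example.test.csr" "$WORK/www.example.test.key"
register_csr_key "$WORK/www.example.test.csr" www.example.test
# The same key offered for a different name is rejected.
openssl req -new -key "$WORK/www.example.test.key" -subj "/CN=mail.example.test" \
  -out "$WORK/mail.example.test.csr" 2>/dev/null
register_csr_key "$WORK/mail.example.test.csr" mail.example.test || true
make_test_cert soon.example.test 3
make_test_cert later.example.test 20
make_test_cert fine.example.test 400
expiry_report "$WORK"/*.crt
```

The register is deliberately keyed on the public key rather than on the file name of the private key, so a key copied to a new host under a different name is still caught; a renewal is accepted only when the caller names the certificate the key already backs.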
(8) Revoking Certificates:
- QuoVadis, Approvers and Subscribers may revoke certificates. Reasons for revocation include, but are not limited to:
  - The Certificate Holder or Certificate Owner requests revocation of its certificate;
  - The Certificate Holder indicates that the original Certificate Request was not authorized and does not retroactively grant authorization;
  - QuoVadis obtains reasonable evidence that the Certificate Holder's Private Key (corresponding to the Public Key in the certificate) has been compromised, or that the certificate has otherwise been misused;
  - QuoVadis receives notice or otherwise becomes aware that a Certificate Holder violates any of its material obligations under the Certificate Holder Agreement;
  - The Certificate Holder fails or refuses to comply, or to promptly correct inaccurate, false or misleading information after being made aware of such inaccuracy, misrepresentation or falsity;
  - QuoVadis determines, in its sole discretion, that the Private Key corresponding to the certificate was used to sign, publish or distribute spyware, Trojans, viruses, rootkits, browser hijackers, phishing, or other content that is harmful, malicious, hostile or downloaded onto a user's system without their consent;
  - QuoVadis receives notice or otherwise becomes aware that a court or arbitrator has revoked a Certificate Holder's right to use the domain name or other information listed in the certificate;
  - QuoVadis receives notice or otherwise becomes aware of a material change in the information contained in the certificate, or QuoVadis determines that any of the information appearing in the certificate is not accurate;
  - A determination, in QuoVadis' sole discretion, that the certificate was not issued in accordance with the terms and conditions of the CP/CPS;
  - QuoVadis' right to issue certificates by law, regulation, or policy expires or is revoked or terminated;
  - QuoVadis' Private Key for that certificate has been compromised;
  - Such additional revocation events as QuoVadis publishes in its CP/CPS or deems appropriate based on the circumstances of the event; or
  - QuoVadis receives notice or otherwise becomes aware that a Certificate Holder has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of QuoVadis' jurisdiction of operation.
(9) New Subscriber Requests:
- New Subscribers must be authorised by an Authoriser;
- Send your request to be a Subscriber by email to an Authoriser;
- The Authoriser will determine if the subscriber request is appropriate for the position held;
- If the subscriber request is authorised, the Authoriser will inform an Approver by email to arrange for a subscription invitation to be sent to the requester;
- The Approver will send a subscriber invitation via TrustLink; and
- If the subscriber request is not approved, the Authoriser will notify the requester by email and provide the reason for the rejection.
(10) Subscribers Responsibilities:
- A Subscriber has certain responsibilities under the QuoVadis user agreements including, but not limited to:
  - Provide accurate and complete information, both in the Certificate Request and as otherwise requested by QuoVadis;
  - Take all reasonable measures necessary to maintain sole control of, keep confidential, and properly protect at all times the Private Key that corresponds to the Public Key to be included in the requested certificate(s) (and any associated access information or device, e.g. password or token);
  - Not install and use the certificate(s) until it has reviewed and verified the accuracy of the data in each certificate;
  - Install the certificate only on the server accessible at the domain name listed on the certificate, and/or use the certificate solely in compliance with all applicable laws;
  - If the Certificate Holder generates their keys, then they will generate them in a secure manner in accordance with industry leading practices;
  - Promptly cease using a certificate and its associated Private Key, and promptly request that QuoVadis revoke the certificate, in the event that: (a) any information in the certificate is or becomes incorrect or inaccurate, or (b) there is any actual or suspected misuse or compromise of the Certificate Holder's Private Key associated with the Public Key listed in the certificate; and
  - The Certificate Holder will promptly cease all use of the Private Key corresponding to the Public Key listed in a certificate upon expiration or revocation of that certificate.
Authority and Compliance
(11) The Procedure Administrator makes these procedures.
(12) University Representatives must observe these Procedures in relation to University matters.
(13) These Procedures operate as and from the Effective Date.
(14) Previous Procedures relating to the Procurement of SSL and End User Certificates are replaced and have no further operation from the Effective Date of this new Procedure.
Section 4 - Definitions
(15) Approver means the ITD Information Security Manager, the ITD Senior Information Security Officer or the ITD Information Security Officer.
(16) Authoriser means the ITD Associate Director Infrastructure Services, the Associate Director Information Services or the Information Security Manager.
(17) CSR means certificate signing request.
(18) Effective Date is the date on which this Rule will take effect.
(19) Procedure Administrator is the Director, Information Technology.
(20) Subscriber means a person who has been subscribed to TrustLink by an Approver and who has a requirement to raise a Certificate Request in TrustLink.
(21) University Representative means a University employee (casual, fixed term and permanent), contractor, agent, appointee, UNE Council member, adjunct, visiting academic and any other person engaged by the University to undertake some activity for or on behalf of the University. It includes corporations and other bodies falling into one or more of these categories.