TLS/SSL certificate requirements

In order to be issued an SSL certificate, the server must meet the following requirements:

  1. A minimally acceptable grade (currently B) on the Qualys SSL Labs test, or an equivalent. The TestSSL shell script may be used instead where the SSL Labs site cannot reach the server (RFC 1918 address space, non-web servers). Sites accepting Waterloo credentials directly should score an A.

  2. Regardless of grades, servers refusing TLS 1.2 connections may not be issued a certificate. This is due to changes in security settings on common web browsers.

  3. The Common Name (CN) on the certificate should ideally match the DNS name (or a CNAME) of the server hosting the service. The CN must be for a name which is resolvable by the intended audience. That is, Waterloo-internal names (.private.nexus, and others) must not appear in the CN if the service is intended to be accessible by the general public.

  4. Updated information security policy classification and contact addresses in the authoritative data source for this information. The current authoritative source is Infoblox.
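The name check in requirement 3 can be automated before a request is filed. The following is an added example, not IST's tooling: it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, applies RFC 6125-style matching (exact name, or a single leftmost wildcard label) across the Common Name and the DNS Subject Alternative Names, and flags Waterloo-internal suffixes on a service meant for the public. The `INTERNAL_SUFFIXES` list, the sample certificates and the host names are constructed for illustration; `fetch_peer_cert` needs network access and is only a convenience for running the same check against a live server.

```python
from __future__ import annotations

import socket
import ssl

# Suffixes the requirements name as Waterloo-internal. Illustrative list (assumption);
# extend it with the other internal zones in use.
INTERNAL_SUFFIXES = (".private.nexus",)


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the entire leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('www*'), wildcards on bare TLDs ('*.ca'),
    # and matches across more than one label ('a.b' vs '*').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[str, list[str]]:
    """Return (commonName, [DNS SANs]) from a getpeercert()-style dict."""
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def check_certificate_name(cert: dict, hostname: str, public: bool) -> list[str]:
    """Return findings against requirement 3; an empty list means the check passes."""
    findings: list[str] = []
    cn, sans = cert_names(cert)
    # Browsers match against SANs and ignore the CN, so SANs are authoritative when present.
    names = sans if sans else ([cn] if cn else [])
    if not sans and cn:
        findings.append("no DNS SAN present; browsers match SANs only, not the CN")
    if not any(_dns_match(name, hostname) for name in names):
        findings.append(f"no certificate name matches {hostname!r} (CN={cn!r}, SANs={sans})")
    if public:
        internal = [n for n in [cn] + sans if n and n.lower().endswith(INTERNAL_SUFFIXES)]
        if internal:
            findings.append(f"internal-only names on a publicly reachable service: {internal}")
    return findings


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Fetch a live server's certificate in getpeercert() shape (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape; not real certificates.
PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.uwaterloo.ca"),),),
    "subjectAltName": (("DNS", "www.example.uwaterloo.ca"), ("DNS", "example.uwaterloo.ca")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.uwaterloo.ca"),),),
    "subjectAltName": (("DNS", "*.example.uwaterloo.ca"),),
}
INTERNAL_CERT = {
    "subject": ((("commonName", "app01.private.nexus"),),),
    "subjectAltName": (("DNS", "app01.private.nexus"),),
}

if __name__ == "__main__":
    for cert, host, public in (
        (PUBLIC_CERT, "www.example.uwaterloo.ca", True),
        (WILDCARD_CERT, "portal.example.uwaterloo.ca", True),
        (INTERNAL_CERT, "app01.private.nexus", False),
        (INTERNAL_CERT, "app01.private.nexus", True),
    ):
        print(host, "public" if public else "internal", check_certificate_name(cert, host, public) or "OK")
```

The internal certificate passes when the service is marked internal and fails when the same service is declared public, which is exactly the distinction requirement 3 draws. To run the check against a deployed host, pass `fetch_peer_cert("host.example")` as the `cert` argument.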

It is strongly recommended that the contact for the issued certificate be a generic email address, rather than the address of an individual. Reminders will be sent solely to that address, and IST does not monitor for upcoming expirations.

Any questions should be sent to ist-ca@uwaterloo.ca.