TLS requirements

Updated: 2025-01-31 for new requirements.

Scope

These requirements apply to all University of Waterloo servers that offer services using the TLS protocol.

Requirements

  1. TLS servers must score an A or higher on the Qualys SSL Labs test or an equivalent scanner. The testssl.sh shell script may be used instead where the SSL Labs site cannot reach the server (RFC 1918 address space, non-web services).

  2. The Common Name (CN) on the certificate should match the DNS name (or a CNAME) of the server hosting the service. The CN must be a name that is resolvable by the intended audience. That is, Waterloo-internal names (.private.nexus, and others) must not appear in the CN or in the Subject Alternative Name (SAN) if the service is intended to be accessible from unmanaged computers, including the general public.

  3. It is encouraged that a certificate issued for a server with multiple names (extra A records, CNAMEs, etc.) carry all of those names on the same certificate, and that the web server be configured to respond to each name separately (e.g. Host statements in Apache).

  4. TLS servers on the campus network must be registered with IST with information including Policy 46 confidentiality classification and contact address of the server’s systems administrator(s). The current authoritative source for this information is IST’s IPAM service.

  5. For TLS certificates issued by IST, it is strongly recommended that the contact for the issued certificate be a generic email address, rather than the address of an individual. Reminders will be sent solely to that address, and IST does not monitor for upcoming expirations. Any questions about IST-issued TLS certificates should be sent to ist-ca@uwaterloo.ca.
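Requirements 2 and 3 can be checked mechanically before a certificate is deployed. The script below is an added example, not IST's tooling: it works on the dict shape returned by Python's ssl getpeercert(), checks that the service name is covered by the CN or a SAN entry, and flags internal-only suffixes on public-facing services. The ".private.nexus" suffix comes from requirement 2; the sample certificate and the hostnames in it are constructed.

```python
import socket, ssl

# Suffixes that only resolve inside the campus network. ".private.nexus" is
# named in requirement 2; any further entries are a local assumption.
INTERNAL_SUFFIXES = (".private.nexus",)

def cert_names(cert):
    """Return (CN, [SAN dNSNames]) from a getpeercert()-style dict."""
    cn = next((v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return False

def check_cert(cert, host, public_facing=True):
    """Return a list of findings; an empty list means requirement 2 is met."""
    cn, sans = cert_names(cert)
    names = set(sans) | ({cn} if cn else set())
    findings = []
    if not any(name_matches(n, host) for n in names):
        findings.append(f"{host} is not covered by CN/SAN {sorted(names)}")
    if public_facing:
        for n in sorted(names):
            if n.endswith(INTERNAL_SUFFIXES):
                findings.append(f"internal-only name on public service: {n}")
    return findings

def fetch_cert(host, port=443):
    """Leaf certificate of a live server in the same dict shape (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: covers the public name but also carries an internal name.
SAMPLE_CERT = {"subject": ((("commonName", "svc.example.uwaterloo.ca"),),),
               "subjectAltName": (("DNS", "svc.example.uwaterloo.ca"),
                                  ("DNS", "app01.private.nexus"))}
```

Run check_cert(fetch_cert(host), host) against a campus server to get the same findings for a deployed certificate.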
