SSL/TLS Certificate Case Study

How GlobalSign is Powering High-Volume SSL/TLS Certificate Management for the University of Waterloo
Challenges

What we like about GlobalSign is its reputation and track record as a commercial Certificate Authority (CA). We have a strong level of trust with GlobalSign.
– Mike Patterson, Manager, Information Security Operations, Information Security Services, University of Waterloo

The University of Waterloo is consistently recognized as “the most innovative University in Canada,” thanks to its renowned academic and cutting-edge research programs. Before the University signed an initial contract with GlobalSign back in 2009, it was using an internal Certificate Authority (CA) to issue a few dozen certificates each year. That number has steadily risen to about 700-800 certificates every year, or 15-20 certificates a week, as the University has grown and increased its digital activities. In addition to the central IT group, there are six faculty groups – Math, Engineering, etc. – each of which has smaller sub-groups and dedicated IT teams.

The central challenge for University of Waterloo is for the individual teams on campus to be able to manage and issue their own certificates – some groups have up to 100 certificates under their umbrella. Making sure all of the websites and applications associated with these groups, across the university, remain secure is a substantial task.

IT managers realized that the University would need an external CA to help manage and stay on top of SSL/TLS certificate issuance and renewals, as well as provide other valuable services to help create a safe network environment for users.

Solution Requirements
  • Secure connections to University web servers and applications. For a prestigious University with a vast internal and external web presence and thousands of regular users, SSL/TLS certificates are necessary to keep Waterloo’s networks running securely and reliably.

  • Scale with the University. As the number of services and requests continues to grow, IT team members must be able to issue new certificates quickly and easily.

  • Delegate certificate issuance to internal groups. Ideally each faculty group would have the ability to issue certificates with limited involvement from the central IT team.

  • Enable IT efficiency and autonomy. IT administrators want the ability to remain as self-sufficient as possible and maintain control over who gets certificates, when, and for what.

Solution

With GlobalSign’s Managed SSL (MSSL) solution, the University of Waterloo has access to unlimited OV certificates for public-facing websites and servers as well as intranet SSL/TLS certificates for securing internal servers and applications.

Besides the primary University web domain, there are several related organizations that have their own domains – for example, the University’s Student Federation – adding up to a total of approximately 50 sub-domains. All of these are secured using OV and Intranet SSL/TLS certificates issued and managed through GlobalSign.

GlobalSign’s MSSL solution is flexible enough to allow Waterloo’s central IT group to continue using their desired workflow around the approval and issuance of certificates, running each request through a series of tests to make sure the order meets certain internal requirements.

Since 2009, the University of Waterloo has expanded its portfolio of GlobalSign solutions to include code signing certificates. Engineering faculty at the University have written their own set of software distribution tools, and they use GlobalSign certificates to sign them. Code signing certificates are typically used to verify the identity of a software developer and visually indicate that signed applications and software are in fact legitimate and have not been tampered with or intercepted by cybercriminals.

The University has also started issuing more S/MIME certificates, enabling users to digitally sign their emails – a contractual requirement for certain groups on campus and a helpful tool for decreasing the likelihood that a phishing attack will be successful. Several hundred of these certificates are being used on campus to enable secure email, and more users are requesting the service for their own departmental needs.

Results
  • IT teams and end users alike can rest easy knowing the University of Waterloo’s expansive digital presence is secure

  • New SSL certificates can be issued and then managed on-demand, as the University continues to grow

  • Additional services such as code signing and S/MIME certificates are being utilized across the campus to help prevent cyber attacks and add assurance that software and emails are legitimate