Units that manage a significant number of SSL certificates may obtain the Department Registration Authority Officers (DRAO) role and receive delegated authority to approve their own certificates. The delegation of authority is not required if you simply would like to obtain signed certificates. 

Terms and Concepts

Acronym	Term	Description	Who
	Organization	The highest level administrative unit on campus in the InCommon system.	UChicago
	Department	Generic term for an administrative unit within the Organization - a domain can be delegated to a department.	Any UChicago unit
MRAO	Master Registration Authority Officer	Administrator of the entire InCommon system.	InCommon
RAO	Registration Authority Officer	Campus authority for InCommon Certificate Service.	UChicago Information Security
DRAO	Department Registration Authority Officer	Staff delegated certificate approval authority by RAO for specific department(s).	Designated unit IT staff
CM	Certificate Manager	The Certificate Manager is a web application that provides the interface for all activities using the InCommon service, including requesting and approving SSL certs.	Sectigo Certificate Manager

Roles and Responsibilities

Registration Authority Officers (RAO)

Information Security members serve as the Registration Authority Officers (RAO) for the University. The responsibilities of the campus RAOs include:

• Policy authority and system administrator for UChicago
• Contact with InCommon and (for high-level issues) Sectigo
• Certificate approver for certificates of higher risk (e.g. wildcard, Extended Validation)
• Delegator of authority to approve certificates
• Support for DRAOs

Departmental Registration Authority Officers (DRAO)

A small number of representatives of a department can serve as Departmental Registration Authority Officers (DRAOs). DRAOs are the delegated authorities who can approve SSL certificates for a specific delegated domain using the CM. In return, DRAOs are responsible for processing certificate requests from their departmental users and related work as described below. The campus RAO which delegates the authority is also available to assist in configuring the CM as needed and for general troubleshooting.

A candidate for a DRAO should:

• Be a full-time professional IT staff member with a good knowledge of and prior experience with handling SSL certificates (generating CSRs, installing certificates, etc.)
• Have technical support responsibilities for an administrative unit (division, school, department, etc.) that needs to manage a significant number of SSL certificates for domains controlled by the University. Delegation of authority for domains is preferably accomplished using subdomains of *.uchicago.edu (e.g. *.example.uchicago.edu) or a domain that is outside of the uchicago.edu namespace (e.g. *.example-uc-site.org). In limited circumstances an individual hostname within uchicago.edu can be delegated but not the entirety of *.uchicago.edu.

DRAO Responsibilities include:

1. Understand how to use the CM. Report any issues, questions, or concerns to the RAO. Stay current with announcements of service updates, etc. from the campus RAO via the DRAO email list and respond to RAO requests for information in a timely way.
2. Publicize the service to your Unit. Provide RAOs with your unit IT's contact information.
3. Process certificate requests from your departmental users. Verify that requests for certificates are legitimate before approving them. Provide tier 1 support to your users to help them understand their certificate options, generate CSRs, and install certificates and certificate chains. Support issues that need escalation can be directed to the campus RAO and/or Sectigo.

Become a DRAO

If you have questions about this service or are interested in becoming a DRAO please email certs@uchicago.edu.

External Resources for InCommon DRAOs

• Sectigo Certificate Manager (CM)
• Sectigo Knowledge Base
• InCommon's Documentation on the Certificate Service