Introduction

Staff members can become Department Registration Authority Officers (DRAOs) and receive delegated authority to approve issuance of SSL certificates for their department and domain.

IT Services has contracted with InCommon to receive unlimited SSL certificates for domains that IT Security controls, signed by root CA provider Sectigo. All certificates are free for departments and end users. For more information, see Overview of Available Digital Certificates.

Note: The delegation of authority is a feature of the InCommon Certificate Service but is not required if you simply would like to obtain signed certificates. 

Certificate Service Manager (CSM)

The Certificate Service Manager is a web application that provides the interface for all activities using the InCommon service, including approval of certificates for signing, delegation of authority, etc.

Certificate signing requests (CSRs) can be submitted through various means but eventually must be approved by someone with authority for that department and domain. Approved certificate requests are signed and delivered (via email/download) by Sectigo.

The CSM has some notable features:

• Optionally, end users can submit CSRs through the CSM so that administrators need only to approve or decline a request (no data entry)
• Scanning of and reporting on deployment of SSL certificates
• Customizable notifications for administrators
• Customizable email templates for communication with end users

The campus RAO can demonstrate and explain these and other features.

Terms and Concepts

Acronym	Term	Description	Who
	Organization	The highest level administrative unit on campus in the InCommon system.	UChicago
	Department	Generic term for an administrative unit within the Organization - a domain can be delegated to a department.	Any administrative unit within the Organization
MRAO	Master Registration Authority Officer	Administrator of the entire InCommon system.	InCommon
RAO	Registration Authority Officer	Campus authority for InCommon Certificate Service.	UChicago IT Security
DRAO	Department Registration Authority Officer	Staff delegated certificate approval authority by RAO for specific department(s).	1 or 2 staff for an administrative unit

Roles and Responsibilities

Registration Authority Officers (RAO)

IT Security members serve as the Registration Authority Officers (RAO) for the University. The responsibilities of the campus RAOs include:

• Policy authority and system administrator for The UChicago
• Contact with InCommon and (for high-level issues) Sectigo
• Certificate approver for certificates of higher risk (e.g. wildcard, Extended Validation)
• Delegator of authority to approve certificates
• Support for DRAOs and in some cases tier-2 support for end-users

Departmental Registration Authority Officers (DRAO)

One or two representatives of a department can serve as Departmental Registration Authority Officers (DRAO). DRAOs are the delegated authorities who can approve SSL certificates for a specific delegated domain using the CSM. In return, DRAOs are responsible for processing certificate requests from their departmental users and related work as described below. The campus RAO which delegates the authority is also available to assist in configuring the CSM as needed and for general troubleshooting.

A candidate for a DRAO should:

• Be a full-time professional IT staff member and have good knowledge of and prior experience with handling SSL certificates (generating CSRs, installing certificates, etc.)
• Have technical support responsibilities for an administrative unit (division, school, department, etc.) that has an ongoing need for certificates for a subdomain of *.uchicago.edu (e.g. *.example.uchicago.edu) or a domain that is outside of the uchicago.edu namespace (e.g. *.example-uc-site.org) but uses campus DNS for its authoritative domain name service.
• Note that DRAOs will not be delegated the ability to sign certificates for *.uchicago.edu.

DRAO Responsibilities include:

1. Understand how to use the CSM. Report any issues, questions, or concerns to the RAO.
2. Take reasonable steps to publicize the service to your relevant departmental users.
3. Process certificate requests from your departmental users. Verify that requests for certificates are legitimate before approving them. If the DRAO does not personally know the person making the certificate request and their business need for the certificate, provide due diligence to contact a responsible person within the department who can vouch for the request's legitimacy. When in doubt, make a phone call or personal visit to a manager in the relevant area. Document any request validation completed outside of personal knowledge.
4. Record requests/approvals and any necessary request validation for at least three years and make available to RAOs upon request. This can be done entirely within the CSM or with an external system such as a request tracking or ticketing system.
5. Stay current with announcements of service updates, etc. from the campus RAO via the DRAO email list and respond to RAO requests for information in a timely way.
6. Provide basic tier 1 support to your departmental users to help them understand their certificate options, generate CSRs, and install certificates and certificate chains. Sectigo and your campus RAO provide documentation for end users that you can use. Support issues that need escalation can be directed to the campus RAO and/or Sectigo.

Becoming a DRAO

If you have questions about this service or are interested in becoming a DRAO please email certs@uchicago.edu or call 773.702.2378.

External Resources for InCommon DRAOs

Sectigo/InCommon documentation

• Sectigo Certificate Service Manager (CSM)
• InCommon's Documentation on the Certificate Service
• Sectigo Knowledge Base