Completion Report
Project Summary
The Consortium of Certificate Authorities has proposed that the lifespan of TLS certificates be reduced to 90 days. ISG issues more than 1748 certificates, and it will not be possible to renew these manually if the lifespan is reduced. Although there is no date yet for the imposition of this change, the University wishes to prepare a process to automate certificate renewal.
The project was to deliver an ACME-based solution for updating certificates on a number of common technologies that consume certificates.
| | Description of the Objective | Success Criteria | Achieved |
|---|---|---|---|
| | Description of the Deliverables needed to achieve the objective | | |
| Objective 1 | Identify In-Scope Certificates | | Y |
| Deliverable D1.1 | Document technologies in scope for automated renewal of certificates | Agreed list of in-scope technologies | Y |
| Deliverable D1.2 | Document certificates to be automatically renewed | Agreed list of in-scope certificates | Y |
| Objective 2 | Automate Renewal of Certificates | | Y |
| Deliverable D2.1 | Test tool(s) for issuing certificates | Approve tool(s) | Y |
| Deliverable D2.2 | Test process(es) for automatic renewal of certificates | Sign off testing for each technology | Y |
| Deliverable D2.3 | Test process for wildcard certificates | Sign off testing for wildcard certificates | Y |
| Deliverable D2.4 | Test process(es) to handle exceptions and edge cases | Sign off process(es) for exceptions and edge cases | Y |
| Deliverable D2.5 | Implement process(es) for automatic renewal of certificates for each technology managed by ITI | At least one certificate for each in-scope technology is automatically renewed | Y, with one exception: certificates on the CIS network, for which no automated solution is available. |
| Objective 3 | Share solutions with University Colleagues | | Y |
| Deliverable D3.1 | Make solutions available to university colleagues | Document solutions for each technology and make docs available | Y |
| Deliverable D3.2 | | | |
| Objective 4 | Monitoring and Reporting | | Y |
| Deliverable D4.1 | Review methods for reporting on and monitoring certificate expiration | Identify where changes may be required | Y |
| Deliverable D4.2 | Update methods/processes for reporting on and monitoring certificate expiration | Implement changes where required | Y |
| | | User/Owner | MoSCoW | Set By | Met |
|---|---|---|---|---|---|
| Requirement 1 | Identify certificates for which automatic renewal is required to support ISG services | Graeme Wood | M | Sponsor | Y |
| Requirement 2 | Provide solutions for automatic renewal of certificates for each technology supporting ISG services | Graeme Wood | M | Sponsor | Y |
| Requirement 3 | Implement automatic renewal for certificates required for ITI services | Graeme Wood | S | Sponsor | Y |
| Requirement 4 | Implement processes to manage exceptions and edge cases | Graeme Wood | S | Sponsor | Y (manual interventions and processes in place) |
| Requirement 5 | Share solutions with partners in the university and provide documentation for their use | Graeme Wood | S | Sponsor | Y |
| Requirement 6 | Ensure monitoring and reporting on certificate expiration is maintained | Graeme Wood | S | Sponsor | Y |
Benefits
1. Improved reliability as manual updates will not be required
2. Improved security as certificates may be renewed more frequently
3. Improved supportability as use of wildcard certificates will be reviewed
4. Knowledge sharing within ISG and with university colleagues
5. Less effort required for renewing certificates as a BAU task
Lessons Learned - Issues and Risks
The project benefited from the involvement of Kenny MacDonald, who brought existing knowledge and practice from the College of Science and Engineering and reflected it more widely back to them once we had implemented central solutions.
Project Audit
No audit
Outstanding issues
INSITE is not available to all COs. Access will be reviewed post-project.
The CIS network does not have an automated solution available. Manual intervention is required.
Some certificates with multiple SANs cause issues. DigiCert will be used for these.
