Description
Security certificates (commonly called SSL certificates, after Secure Sockets Layer, or TLS certificates, after its successor Transport Layer Security) are used on leased equipment in the Platform Hosting environments within the data center and by external CDT customers. These certificates are used with a standard, widely accepted protocol to protect data as it moves across computer networks. Essentially, they act like a secure “envelope” for information, ensuring that sensitive data (e.g. passwords or customer details) is encrypted and safe from interception during transmission over TCP/IP connections.
SSL Certificate Overview
- SSL/TLS and code signing certificates are used to secure digital communications and software for CDT and its customers. These certificates help ensure that data and applications are protected, trusted, and exchanged securely.
- SSL/TLS certificates encrypt data in transit between systems and users, preventing unauthorized access or interception of sensitive information. Code signing certificates are used to verify the authenticity and integrity of software, assuring users that code has not been altered and originates from a trusted source.
- SSL/TLS certificates may be issued for approved subdomains of ca.gov (e.g. api.ca.gov, mail.ca.gov, and wildcard subdomains such as *.xyz.ca.gov).
Delegated Admin only model
To align with upcoming industry-mandated reductions in SSL/TLS certificate lifespans (200 days in 2026, 100 days in 2027, and 47 days by 2029), CDT is transitioning to a Delegated Admin only model for certificate management. These changes are part of a phased plan adopted by the CA/Browser Forum to strengthen security and reduce the risk window for compromised certificates. Shorter certificate lifespans limit the amount of time a compromised or outdated certificate can remain in use, encourage faster adoption of updated cryptographic standards, and make automation essential for reliable certificate lifecycle management. Manual renewals will no longer be a sustainable option under these shortened lifecycles.
- Customers with Delegated Admin access can issue and manage their own certificates through CDT’s certificate management console for approved domains and URLs.
- CDT recommends that customers explore automation options by 2029; with a 47-day certificate lifespan, manually issuing and installing certificates every 47 days may become impractical.
- This change ensures compliance with industry standards while maintaining efficient certificate management.
Included
Delegated Admin Model
- Contract management and licensing for certificate management software.
- Coordination between the customer and the certificate vendor for certificate issuance-related technical issues (installation is not included).
- Customer notifications for upcoming certificate renewals, based on the contact information provided in the Security Certificate Request.
- Support is provided only for technological products that are within vendor-supported versions and for services that have been contracted to CDT, to ensure availability, security, and integrity.
Scheduling
Delegated Admin Access Timeline
CDT’s goal is to provide timely, reliable, and cost-effective technology services. Requests for Delegated Admin access are typically fulfilled within 3–5 business days after the Case/Request has been submitted and approved by all required parties.
To avoid delays, please ensure all approvals are completed promptly once the request is submitted. Timely approvals help us process your request as efficiently as possible.
Requests requiring accelerated processing may be subject to an expedited fee, depending on availability and approval.
Roles & Responsibilities
| Task/Role | CDT | Customer |
|---|---|---|
| Issue and manage certificates: Use the Sectigo SCM platform to generate, renew, and revoke SSL/TLS and code signing certificates for approved domains. | | X |
| Maintain contact information: Ensure multiple emails and distribution lists are added in the External Requester field for renewal notifications. | | X |
| Monitor certificate expirations: Proactively track certificate validity to prevent service disruptions. | | X |
| Plan for automation: Consider automating issuance and renewal processes, especially as certificate lifespans shorten. | | X |
| Coordinate internally: Ensure coverage among multiple Delegated Administrators to avoid single points of failure. | | X |
| Provide platform access: Grant Delegated Administrators access to the Sectigo SCM certificate console. | X | |
| Offer guidance: Provide instructional resources and best practices. Additional guidance can be requested via a ServiceNow request. | X | |
| Assist with technical issues: Support certificate issuance or platform-related issues through a ServiceNow request. | X | |
| Maintain compliance oversight: Ensure certificates are issued in accordance with industry standards and organizational policies. | X | |
| Notify of updates: Communicate any major platform changes, lifecycle updates, or policy revisions to Delegated Administrators. | X | |
Rates
Subscriptions for this service are included in the Statewide Innovation and State Web Portal fee. Additional fees may apply for non-standard or expedited services, subject to approval.
| Service Description | Service Identifier | Product Name | Unit of Measurement | Rate | Service Code | Notes |
|---|---|---|---|---|---|---|
| Statewide Innovation and State Web Portal | | Statewide Innovation and State Web Portal | Monthly | Variable | Z801 | |
Request Service
To request certificate-related service or assistance:
| Service Request Name | Link |
|---|---|
| Request for Secure Certificates Services (Service Options: Secure Certificates, Add/Delete Delegated Administrator, Add/Delete SSL Cert Notifications, Password Reset, Wild Card Certificate, and/or Question/Inquiry) | Order Secure Certificates Services |
Note: We require all service requests to be submitted via ServiceNow to ensure proper tracking, timely processing, and accountability.
Training
Training is available through a video accessible at this link:
How to request an SSL/TLS certificate with manual certificate signing request (CSR) in SCM
If you need additional assistance:
- Submit a service request for Secure Certificates Services
- Select service option Question/Inquiry, and our team will schedule a session to walk you through the process
Best Practices
Plan for shorter certificate lifespans:
SSL/TLS certificate lifespans will continue to decrease (200 days in 2026, 100 days in 2027, and 47 days by 2029). Plan renewal processes accordingly to avoid service disruptions.
Use the Delegated Admin model effectively:
Ensure designated Delegated Administrators are trained and actively managing certificate issuance and renewals within the Sectigo SCM platform.
Add multiple contacts for notifications:
When issuing certificates in Sectigo SCM, include multiple distribution lists (DLs) and email addresses in the External Requester field. This ensures that renewal notifications and alerts are sent to multiple individuals well in advance of certificate expiration.
Avoid single points of failure:
Do not rely on a single individual for certificate management. Use shared accounts or multiple Delegated Admins to maintain continuity during staff absences or transitions.
Consider certificate automation:
Automation is strongly recommended, especially as certificate lifespans shorten. Automating issuance and renewal reduces manual effort and lowers the risk of missed expirations.
Monitor and renew certificates proactively:
Regularly review certificate inventories and expiration dates to ensure timely renewals and uninterrupted service availability.
Service Level Objectives
| Service option | Fulfillment timeframe SLO | Notes/dependencies |
|---|---|---|
| Delegated Administrator (Create access for Delegated Administrator to issue security certificate) | 95% within 5-10 Business Days depending on request type | Dependencies/Assumptions |
| Questions/Inquiry (New Domain Name Enrollment, Password Reset, SSL Certificate Notification Suspension, Other) | 95% within 5-10 Business Days depending on request type | Dependencies/Assumptions |
FAQs
1. Who issues and installs the certificates?
Under the Delegated Administrator model, departments are responsible for issuing and installing their own SSL/TLS and code signing certificates using the certificate management console.
2. Does my Delegated Admin account or password expire?
Delegated Admin accounts are subject to standard identity and access management policies. Password expiration and access reviews follow organizational security requirements.
3. What if we need help that is not available on this website?
If you need additional assistance, please open a ServiceNow request with Secure Certificate Services. Select the Questions/Inquiry option and include as much detail as possible so your request can be routed appropriately.
4. How many Delegated Administrators should we designate?
We recommend designating 2–3 Delegated Administrators or using a shared departmental account to ensure continuity and coverage.
5. Do we still receive renewal notifications?
Yes. Renewal notifications are sent based on the contact information associated with the certificate and Delegated Admin account. However, departments are responsible for monitoring and renewing their certificates.
6. Is certificate automation required?
Automation is not required but is strongly recommended, especially as certificate lifespans continue to shorten. By 2029, certificates will have a 47-day validity period, making manual issuance and installation impractical.
7. What happens if a certificate expires?
Expired certificates may cause service outages or security warnings. It is the department’s responsibility to monitor certificate expiration and ensure timely renewal.
8. Can Secure Certificate Services issue certificates on our behalf?
No. All certificate issuances will be handled by departments through the Delegated Admin model.
Note: The option to request us to issue a certificate is temporarily available but will be retired as certificate lifespans continue to shorten.
9. How do I know if my department needs to go through CDT to renew our SSL certificate, or who is impacted by CDT’s process change?
Your department is impacted by CDT’s process change only if your SSL certificate is procured through CDT.
- If your department obtains SSL certificates through CDT, you will need to follow CDT’s renewal process as certificate lifespans shorten industry wide.
- If your department does not procure certificates through CDT (for example, you obtain certificates directly from another certificate authority such as Let’s Encrypt or DigiCert), you do not need to open a ticket with CDT. You should continue to follow your own provider’s renewal process.
The upcoming SSL certificate lifespan reductions apply to all public certificates, regardless of provider, but CDT’s process changes apply only to customers using CDT’s certificate services.
10. How do I know if my department has SSL certificate services with CDT?
Your department likely has SSL certificate services with CDT if:
- Your SSL certificates were issued through CDT’s certificate portal (see also the FAQ: “How can I quickly tell who issued my SSL certificate?”).
If you are unsure, you may contact CDT’s service desk to confirm whether your certificates are managed through CDT. If you need additional assistance, please open a ServiceNow request with Secure Certificate Services. Select the Questions/Inquiry option and include as much detail as possible so your request can be routed appropriately.
11. If my department does not use CDT for SSL certificates, should I still open a ticket with CDT?
No. If your SSL certificates are issued and managed by another provider, you do not need to open a ticket with CDT. Please work directly with your system administrator or certificate issuer to ensure timely renewal.
12. Why is CDT communicating about SSL certificate lifespan change if I don’t use CDT?
SSL certificate lifespan changes are an industry-wide requirement that affect all public websites. CDT is sharing this information to raise awareness and help departments plan ahead, even if they do not currently use CDT’s services.
13. How can I quickly tell who issued my SSL certificate?
You can check this directly from your website:
- Go to your website in a browser (for example, https://<yourdomain>.ca.gov).
- Click the padlock icon (or site information; may differ by browser) next to the website address.
- View the certificate details.
- Look for the “Issued To” and “Issued By” fields.
- If the Issued To is State of California and the Issued By is Sectigo Limited, your department should follow CDT’s renewal process.
- If the Issued To and Issued By are different (for example, Let’s Encrypt or another provider), you do not need to open a ticket with CDT. You should work with your own system administrator or certificate provider.
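As an added example (not CDT's or Sectigo's own code), the following Python script applies the Issued To / Issued By check above to a certificate in the layout returned by the standard library's `ssl` `getpeercert()`, and also reports the days left before expiry and the certificate's lifespan against the 200/100/47-day schedule stated on this page. The sample certificate dictionary, the name `example.ca.gov`, the mapping of the browser's "Issued To"/"Issued By" fields to the subject and issuer organization names, and the assumption that each lifespan cap applies for its whole calendar year are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Lifespan caps stated on this page (year, max days); assumption: each cap applies for its whole year.
LIFESPAN_CAPS = ((2029, 47), (2027, 100), (2026, 200))

def max_lifespan_days(year):
    """Longest public certificate lifespan in effect for a given year (None before 2026)."""
    return next((days for start, days in LIFESPAN_CAPS if year >= start), None)

def fetch_peer_cert(host, port=443):
    """Fetch a live server's validated leaf certificate in getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_attr(name, attr):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (type, value) pairs.
    return next((v for rdn in name for k, v in rdn if k == attr), None)

def classify(cert, now):
    """Report Issued To / Issued By, remaining validity, and whether CDT's renewal process applies."""
    issued_to = _name_attr(cert["subject"], "organizationName")  # assumption: browser "Issued To" = subject O
    issued_by = _name_attr(cert["issuer"], "organizationName")   # assumption: browser "Issued By" = issuer O
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    lifespan = (not_after - not_before).days
    cap = max_lifespan_days(not_before.year)
    return {"issued_to": issued_to, "issued_by": issued_by,
            "days_left": (not_after - now).days, "lifespan_days": lifespan,
            "exceeds_cap": cap is not None and lifespan > cap,
            # The page's rule: State of California + Sectigo Limited means CDT's renewal process applies.
            "cdt_managed": issued_to == "State of California" and issued_by == "Sectigo Limited"}

# Constructed sample in getpeercert() layout: a 100-day certificate issued in January 2027.
SAMPLE_CERT = {
    "subject": ((("organizationName", "State of California"),), (("commonName", "example.ca.gov"),)),
    "issuer": ((("organizationName", "Sectigo Limited"),),),
    "notBefore": "Jan 10 00:00:00 2027 GMT",
    "notAfter": "Apr 20 00:00:00 2027 GMT",
}

def check_sample():
    """Classify the constructed sample as of 1 April 2027 so the result is reproducible."""
    return classify(SAMPLE_CERT, datetime(2027, 4, 1, tzinfo=timezone.utc))
```

For a live host, `classify(fetch_peer_cert("yourhost.ca.gov"), datetime.now(timezone.utc))` runs the same check against the served certificate; a `cdt_managed` result of True means the department follows CDT's renewal process, and a small `days_left` means renewal is due.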