Security Certificates

Description

Security Certificates (also known as SSL, TLS or X.509 certificates) are used on leased equipment in the Platform Hosting environments within the data center and by external CDT customers. These certificates are used with a non-proprietary protocol for securing data communications across computer networks and provide encryption of data in transit over TCP/IP connections.

As an alternative, CDT also offers delegated administrator access to customers who prefer to generate and manage their own certificates. Customers utilizing this option are provided access to CDT’s certificate console and are granted permission to issue certificates under approved third-level domains or specific URLs within root domains.

CDT provides version(s) of certificates in accordance with current certificate industry standards. Certificates are offered on both dedicated and virtual server platform configurations. CDT is authorized to offer certificates only for the following domains:

  • .ca.gov
  • .california.gov
  • .cahwnet.gov
  • .state.ca.us

Included

  • Contract management and licensing for certificate management software.
  • Liaison between the customer and the certificate vendor for technical issues.
  • Customer notifications of upcoming renewals in accordance with the contact information provided on the Security Certificate Submittal.
  • Technology products must be within vendor supported versions to sustain availability and integrity.

Scheduling

CDT’s goal is to provide timely, comprehensive and economical technology services. Requests for new certificates will typically be available 3 to 5 business days after the Case/Request has been approved by all parties. Certificate renewals are processed a week prior to the current certificate expiration date. If a renewal is needed earlier, please note the requested delivery date on the Case/Request. Certificates expire on the final day of issuance at 1700 hours. Delays in the Case/Request process, or server availability to obtain the certificate, may impact the timeliness of the certificate delivery. A 25-calendar day window is provided immediately following delivery of a certificate for testing, revocation or changes.

Roles & responsibilities

Task/Role | CDT | Customer
Submit ServiceNow request for all Certificate and Sectigo service needs. X
Issuance of all certificates including new and renewals. X
All certificate installations including new and renewed certificates. X
All new Wildcard SSL certificates.  
Note: Security Assurance Group approval (via a ServiceNow request) is required prior to requesting a new certificate.
X
Create CSR files. X
Debug issues with CSR files. X X
Facilitate EV certificates with Sectigo and Customer.
Note: Customer submits ServiceNow Request. 
X
Co-ordinate with Customer regarding issuance of the certificate.
Note: Customer submits ServiceNow Request.
X
Add certificate issuance sub-domains under subdomain.ca.gov domains for a department.
Note: Customer submits ServiceNow Request.
X
Provide delegated administration to a requesting Customer/Department.
Note: Customer submits ServiceNow Request.
X
Provide support for issues related to SSL/Certificate issuances.
Note: Customer submits ServiceNow Request.
X
Work with Sectigo Support for issues related to SaaS based patches and other service-related escalations.
Note: Customer submits ServiceNow Request.
X
Reporting and modifications of existing certificates and administrators.
Note: Customer submits ServiceNow Request.
X
Provide ServiceNow ticket management related to Secure Certificate services.
Note: Customer submits ServiceNow Request.
X
Manage contract and renewal of Sectigo contract. X
Notify Certificate_Services@state.ca.gov of changes to the certificate contact(s). X
Provide a distribution list or a minimum of three email addresses to CDT which will be used to receive the certificate alert notifications. X

Rates

Subscriptions to this service are available. The costs are included in the Statewide Innovation and State Web Portal fee.

Request service

Service Request Name | Link
Add, Change or Delete Security Certificates and/or CSR Files
Request to Add, Change, and Delete Security Certificates and CSR files, or ask a general question by submitting a Case/Request.

A completed Security Certificate Submittal is required for new certificates and renewals prior to the start of work.

Please submit one form per URL, except in the case of SAN certificates. All information must be included in, or attached to the Case/Request.

Multiple submittal forms may be attached to a single Case/Request.

Customers requesting to use the delegated administration option should submit the Delegated Administrator Security Certificate Submittal to initiate service setup. Cases/Requests for individual certificates are not necessary.
Order Security Certificate Services

Service level objectives

Service option | Fulfillment timeframe SLO | Notes/dependencies

New Secure Certificates (Customer Install)
95% within 5 Business Days
Dependencies/Assumptions (applies to all the requests for new SSL certificate)
  • Customer submits accurate Common Name and Subject Alternate Names (if applicable)
  • Customer provides Distribution List (DL) or three email addresses as contact email addresses for this certificate
  • Customer provides correct .csr file to Office of Digital Services (ODS) secure certificate team

Process includes:
  • Customer Initiates Request – 1 Day
    • Customer submits request and provides .csr file to service request
  • CDT/ODS/DevSecOps: Secure Certificate Services Team Review – 2 Days
    • Secure Certificate Team – reviews request, validates .csr files, confirms contact information, and gathers additional information (as needed)
  • CDT/ODS/DevSecOps: Secure Certificate Services Team Issues Certificate – 2 Days
    • Secure Certificate Team – approves and issues the SSL certificate via Sectigo portal; and links/enrollment details are emailed to the customers
    • Secure Certificate Team – checks with the customer for the receipt of the enrollment details and closes the service request

New Secure Certificates (CDT Install)
95% within 10 Business Days
Dependencies/Assumptions (applies to all the requests for new SSL certificates)
  • Customer submits accurate Common Name and Subject Alternate Names (if applicable)
  • Customer provides Distribution List (DL) or three email addresses as contact email addresses for this certificate
  • Complete build-out of server/environment
  • Customer or CDT internal service/platform team provides correct .csr file to ODS secure certificate team

Process includes:
  • Customer Initiates Request – 3 Days
    • Customer submits request; and customer or CDT internal service/platform team provides .csr file to service request
  • CDT/ODS/DevSecOps: Secure Certificate Services team Review – 2 Days
    • Secure Certificate Team – reviews request, validates .csr files, confirms contact information, and gathers additional information (as needed)
  • CDT/ODS/DevSecOps: Secure Certificate Services team Issues Certificate – 2 Days
    • Secure Certificate Team – approves and issues the SSL certificate via Sectigo portal; and links/enrollment details are emailed to CDT’s internal service/platform team
    • Secure Certificate Team – checks with CDT’s internal service/platform team to ensure receipt of the enrollment details and closes the service request
  • CDT internal service/platform team installation - 3 Days
    • CDT installs (or CDT coordinates with external vendor to install) the certificate

Secure Certificates Renewal (Customer Install)
95% within 5 Business Days or within requested completion date if the renewal request is submitted 20 days prior to the expiration date
Dependencies/Assumptions (applies to all the requests for renewal of SSL certificates)
  • Customer submits accurate Common Name and Subject Alternate Names (if applicable)
  • Customer provides Distribution List (DL) or three email addresses as contact email addresses for this certificate
  • Customer provides correct .csr file to ODS secure certificate team
  • Certificate renewal request should only be submitted 20 days prior to the expiration date of the certificate and not before that

Process includes:
  • Customer Initiates Request – 1 Day
    • Customer submits request and provides .csr file to service request
  • CDT/ODS/DevSecOps: Secure Certificate Services team Review – 2 Days
    • Secure Certificate Team – reviews request, validates .csr files, confirms contact information, checks for the expiration date of the SSL certificate, and gathers additional information (as needed)
  • CDT/ODS/DevSecOps: Secure Certificate Services Team Renew Certificate – 2 Days
    • Secure Certificate Team – approves and renews the SSL certificate via Sectigo; and links/enrollment details are emailed to the customers
      • Note: Certificate installation should be close to the expiration date to maximize length/usage of SSL certificate
    • Secure Certificate Team – checks with customer to ensure receipt of the enrollment details and closes the service request

Secure Certificates Renewal (CDT Install)
95% within 10 Business Days or within requested completion date if the renewal request is submitted 20 days prior to the expiration date
Dependencies/Assumptions (applies to all the requests for renewal of SSL certificates)
  • Customer submits Common Name and Subject Alternate Names (if applicable)
  • Customer provides Distribution List (DL) or three email addresses as contact email addresses for this certificate
  • Customer or CDT internal service/platform team provides correct .csr file to ODS secure certificate team
  • Certificate renewal request should only be submitted 20 days prior to the expiration date of the certificate and not before that

Process includes:
  • Customer Initiates Request – 3 Days
    • Customer submits request; and customer or CDT internal service/platform team provides .csr file to service request
  • CDT/ODS/DevSecOps: Secure Certificate Services team Review – 2 Days
    • Secure Certificate Team – reviews request, validates .csr files, confirms contact information, checks for the expiration date of the SSL certificate, and gathers additional information (as needed)
  • CDT/ODS/DevSecOps: Secure Certificate Services team Issuing Certificate – 2 Days
    • Secure Certificate Team – approves and renews the SSL certificate via Sectigo; and links/enrollment details are emailed to CDT’s internal service/platform team
      • Note: Certificate installation should be close to the expiration date to maximize length/usage of SSL certificate
    • Secure Certificate Team – checks with CDT’s internal service/platform team to ensure receipt of the enrollment details and closes the service request
  • CDT internal service/platform team installation - 3 Days
    • CDT installs (or CDT coordinates with external vendor to install) the certificate

Questions/Inquiry (New Domain Name Enrollment, Password Reset, Delegated Admin, SSL Certificate Notification Suspension, Other)
95% within 5-10 Business Days depending on request type
Dependencies/Assumptions
  • Customer provides relevant information and appropriate contact details
  • Customer provides correct Domain Name and delegated Department Name (for New Domain Name Enrollment)
  • Customer specifies permission requirements (for Delegated Administrator)
  • Customer provides accurate Common Name (for SSL Certificate Notification Suspension)

Process includes:
  • Customer Initiates Request – 1 Day
    • Customer submits request and provides relevant information and appropriate contact details in the request details section of the service request
  • CDT/ODS/DevSecOps: Secure Certificate Services Team Review and Completes Request (5-10 Days)
    • Secure Certificate Team – Reviews and validates work/request details and gathers additional information (as needed)
    • Secure Certificate Team – Communicates with customer on status, completes and closes service request once customer confirms receipt of requested/required information

FAQs

1. Is there a document that outlines the process, technical questions, and roles and responsibilities?

Yes. To request a copy of the Guidelines or the Submittal Process document, please contact us by telephone at (916) 464-4311 or email at ServiceDesk@state.ca.gov. In addition, if you would like the document in an alternative format or request any other reasonable accommodation, we will work with you to make that information available.

2. Who applies the certificates?

Certificate application is included in the offering with an associated cost where CDT manages customer web servers, certificate procurement, installation, and administration.

Self-managed is a no-cost option which offers customers delegated administrator access. Customers utilizing this option are provided access to CDT’s certificate console and are granted permission to issue certificates under approved third-level domains or specific URLs within root domains.

3. Does my ID or password expire?

The ID does not expire. The password expires every 90 days.

4. Does CDT provide training for the delegated administrator portal?

Once enrollment is complete, each customer is emailed a PowerPoint presentation along with their login information. If additional training is required, a personal training session is scheduled.

5. How is training conducted (classroom, conference call or WebEx)?

Training is delivered remotely via conference call.

6. How long is the training session?

Approximately 30 minutes.