SC-17-727 Public Key Infrastructure Certificates
All public key certificates used by or with Agency-owned or operated systems must be issued by an authorized certificate authority (CA). Self-signed or automated self-generated certificates, including those generated by portable document format creators/readers for the purposes of digitally signing electronic documents, are not authorized for use (EXCEPTION: Development and testing systems may use vendor self-generated certificates during initial configuration of the system. A certificate issued by an authorized CA must be installed prior to entering the operations and maintenance phase of the system lifecycle).
Any public key certificates issued after October 1, 2015, must be signed using an SHA2 family hashing function unless technically unfeasible (in which case a control exception must be submitted and approved with a remediation date no later than September 30, 2016). At the time of this writing, the CAs authorized to issue public key certificates for Agency systems are:
- InCommon Certificate Service – The Comodo Group, on behalf of the InCommon Federation, issues client, server and code signing certificates to institutions of higher education, including the Agency. Certificates issued by InCommon are the only certificates authorized for use as individual digital identity signatures (such as those used for signing documents with Adobe Acrobat or emails with S/MIME) or authenticating Agency-owned or operated servers with hostnames in the tamu.edu domain.
- Internet Security Research Group (aka Let’s Encrypt) – The Internet Security Research Group issues server certificates under the “Let’s Encrypt” campaign to websites as part of its mission to reduce financial, technological, and educational barriers to secure communication over the Internet. Let’s Encrypt certificates are authorized for use to authenticate Agency-owned or operated servers with hostnames in any commercially available top level domain (e.g., .com, .org, and .net).
- Texas A&M Transportation Institute Private Root CA – The Texas A&M Transportation Institute Private Root CA issues server certificates to Agency-owned or operated systems for internal authentication and system-to-system communication only. These certificates are not signed by a publicly trusted CA and trust must be established on a per-client basis. These certificates may not be used on public facing information systems. The root CA certificate is published in the Network & Information Systems knowledgebase for reference.
All Agency-owned or operated systems must be capable of establishing a trust chain with the certificate authorities identified above. For TTI domain-joined systems, this is accomplished automatically via group policy. For other systems, information resource owners or custodians may be required to manually install root CA certificates. Owners and custodians are responsible for ensuring any certificates installed on an information system under their control establish a successful trust chain up to an authorized CA.
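The two properties an owner or custodian has to confirm under this control are that a certificate is signed with a SHA2-family hashing function and that it chains up to an authorized CA. The script below is an added example of how to check both with the openssl command line; it is not part of the control text and not an Agency tool. It builds a throwaway test root CA and a leaf certificate (constructed here for demonstration, signed with SHA-256) so that it runs offline; in practice the trust bundle passed to `chains_to_authorized_ca` would hold the root certificates of the CAs listed above (for the TTI Private Root CA, the certificate published in the Network & Information Systems knowledgebase). The names `make_test_chain`, `uses_sha2` and `chains_to_authorized_ca`, and the hostname `host.example.test`, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Agency code): verify the signature hash family and the
# trust chain of an X.509 certificate with openssl. Assumes openssl 1.1 or
# later is installed.
set -e

WORK=$(mktemp -d)

# Constructed test material: a self-signed root CA and a leaf it signs with
# SHA-256. Stands in for an authorized CA and a server certificate.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=host.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -sha256 -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
  # A second self-signed certificate that is NOT in the trust bundle, to show
  # the chain check rejecting an unauthorized issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=rogue.example.test" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate's signature algorithm uses a SHA2-family
# digest (SHA-224/256/384/512), 1 otherwise. Works for RSA and ECDSA names
# such as sha256WithRSAEncryption or ecdsa-with-SHA256.
uses_sha2() {
  alg=$(openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$alg" in
    *[sS][hH][aA]224*|*[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Returns 0 when the certificate in $1 builds a valid chain to a CA in the
# trust bundle $2 (a PEM file holding the authorized root certificates).
chains_to_authorized_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: report both checks for the constructed leaf certificate.
if [ "${0##*/}" != "sh" ] && [ -z "$SKIP_DEMO" ]; then
  make_test_chain
  if uses_sha2 "$WORK/leaf.pem"; then echo "leaf: SHA2 signature: ok"; else echo "leaf: SHA2 signature: FAIL"; fi
  if chains_to_authorized_ca "$WORK/leaf.pem" "$WORK/ca.pem"; then echo "leaf: trust chain: ok"; else echo "leaf: trust chain: FAIL"; fi
  if chains_to_authorized_ca "$WORK/rogue.pem" "$WORK/ca.pem"; then echo "rogue: trust chain: ok (unexpected)"; else echo "rogue: trust chain: rejected as expected"; fi
fi
```

Against a real system, point `uses_sha2` at the installed server certificate and `chains_to_authorized_ca` at it together with a bundle of the authorized root certificates; a certificate that fails the first check falls under the control exception process described above, and one that fails the second has not established the required trust chain.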