ISO Position Paper
Position Title: Self-Signed Certificates
Position Audience: Princeton IT Professionals
Contact: Information Security Office: [email protected]
Position Release Date: August 10, 2017
Some devices are configured to use “self-signed” certificates. Because these certificates are not issued by any validating certificate authority, nothing independently vouches for the identity of the device presenting them, and they are therefore not trustworthy. Self-signed certificates are commonly used by web servers that seek to distribute malicious data or imitate a legitimate site. In addition, users develop poor security habits when they become accustomed to clicking through the browser warning that a self-signed certificate triggers.
When cost is an issue, it is also common practice to use self-signed certificates in nonproduction environments, which likewise produces certificate warning messages.
It is the position of the ISO that all certificates utilized on campus devices be issued through the Office of
Information Technology (OIT) certificate service.
Princeton University faculty, staff, and students should use only authorized certificates on University devices. The University has a contract with the InCommon certificate authority for an unlimited number of certificates. These certificates are provided at no cost to the campus community through OIT.
Data classification: Public