Self-Signed Certificates

ISO Position Paper

Position Title: Self-Signed Certificates

Position Audience: Princeton IT Professionals

Contact: Information Security Office: InfoSec@princeton.edu

Position Release Date: August 10, 2017


Problem Statement

Some devices are configured to use “self-signed” certificates. These are not issued by any
validating certificate authority and are, therefore, not trustworthy. Self-signed certificates are commonly used by web
servers that seek to distribute malicious data or imitate a legitimate site. In addition, users develop poor
security habits when they routinely accept the browser warning for a self-signed certificate.
When cost is an issue, it is also common practice to use self-signed certificates in non-production environments, which leads to certificate warning messages.

ISO Position

It is the position of the ISO that all certificates used on campus devices be issued through the Office of
Information Technology (OIT) certificate service.
Princeton University faculty, staff, and students should use only authorized certificates on University
devices. The University has a contract with the InCommon certificate authority for an unlimited number of
certificates. These certificates are provided at no cost to the campus community through OIT.

Additional Information

Certificates: How to request a digital certificate for a web server at Princeton University
Data Transmission and Encryption Standards position paper
InCommon Certificate Use for SSL/TLS position paper

Data classification: Public