Overview
UCSF provides SSL/TLS certificates for UCSF services through the InCommon Certificate Service (Sectigo). SSL/TLS certificates encrypt connections (HTTPS) and help clients verify a server’s identity before establishing an encrypted session.
How to access
Manual request (ServiceNow / RITM)
Use this for one-time/occasional requests or where automation isn’t being managed locally.
Automation guidance (ACME)
Some teams use ACME-capable tooling to automate certificate issuance and renewal for approved UCSF domains.
Installing a certificate does not harden or secure a server by itself—teams should ensure systems are appropriately configured and maintained before requesting certificates. Requests that remain open for extended periods with unresolved vulnerabilities may be closed and require re-submission after remediation (or an approved exception).
To comply with the UCOP Encryption Key and Certificate Management Standard, UCSF services must use SSL/TLS certificates issued through the UCSF IT Security certificate service (or approved by the UCSF CISO). Third-party CA certificates (e.g., Let’s Encrypt, GoDaddy SSL, SSL Dragon) are prohibited.
Certificate lifetime and domain validation (effective March 2026)
Beginning March 12, 2026, industry requirements reduce the maximum lifetime of publicly trusted SSL/TLS certificates and shorten how long Domain Control Validation (DCV) can be reused for additional issuance/reissuance:
Maximum certificate validity: Up to 199 for certificates issued on/after the March 2026 enforcement window.
DCV reuse period: DCV may be reused for up to ~198; after that, domains must be revalidated before additional issuance/reissuance.
Support scope
IT Security can assist with certificate service questions and request workflow issues. For ACME, support typically includes account/access topics and credential delivery; client configuration and troubleshooting are generally handled by local administrators or platform teams.
How can we help you?
Need assistance?
Do you have an issue with this service? Submit an IT Service Desk ticket for more assistance with this service.