Non-profit, member-based IT support for research & educational institutions

CREN-signed institutional certificates are intended for institutions that are operating their own institutional certificate authority. Operating an institutional certificate authority requires a minimum set of hardware, software and personnel knowledgeable in the basics of digital certificate technology.

What are Institutional Certificates?

CREN-signed campus certificates for institutions are part of the CREN CA certificate authority. These certificates are created when the CREN CA Service signs an institution's public key, which is generated as part of the public/private key pair from the campus CA application. Campuses then use the corresponding private key to issue client certificates for faculty, staff, and students. Having CREN sign an institution's public key creates assurance that certificates with an institution's name in the issuer field are actually from that institution's digital certificate application. This campus certificate can also be used to issue web server certificates. The CREN CA Repository on the CREN site holds the institutional certificates that have been issued to date.
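The signing relationship described above can be reproduced with the openssl command line. This is an added example, not part of the original CREN page or CREN's own tooling: the root CA, the campus CA, the subject names and the file names are all constructed stand-ins. It shows that a client certificate issued by the root-signed campus CA verifies, while one issued by a self-signed CA carrying the same campus name in its issuer field does not.

```shell
#!/bin/sh
# Added example. Every subject name and file below is constructed for the demo.

make_csr() {   # $1 = file basename, $2 = subject DN
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign_csr() {   # $1 = subject, $2 = issuer, $3 = extension section, $4 = serial
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$4" \
    -days 30 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

self_sign() {  # $1 = basename of a CA that signs its own public key
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
    -extfile ext.cnf -extensions ca -out "$1.crt" 2>/dev/null
}

chain_demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' > ext.cnf
  printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> ext.cnf
  printf '[leaf]\nbasicConstraints=CA:FALSE\n' >> ext.cnf
  campus_dn="/O=Example University/CN=Example University Campus CA"

  # Root CA standing in for the signing service.
  make_csr root "/O=Example Signing Service/CN=Example Root CA" || exit 1
  self_sign root || exit 1
  # Campus CA: key pair made on campus, public key signed by the root.
  make_csr campus "$campus_dn" && sign_csr campus root ca 2 || exit 1
  # Client certificate issued with the campus CA's private key.
  make_csr client "/O=Example University/CN=student1" || exit 1
  sign_csr client campus leaf 3 || exit 1

  # A CA with the same name whose key the root never signed.
  make_csr lookalike "$campus_dn" && self_sign lookalike || exit 1
  make_csr other "/O=Example University/CN=student2" || exit 1
  sign_csr other lookalike leaf 4 || exit 1

  good=rejected; bad=accepted
  openssl verify -CAfile root.crt -untrusted campus.crt client.crt \
    >/dev/null 2>&1 && good=ok
  openssl verify -CAfile root.crt -untrusted lookalike.crt other.crt \
    >/dev/null 2>&1 || bad=rejected
  cd / && rm -rf "$dir"
  echo "genuine=$good lookalike=$bad"
)

chain_demo
```

A relying party that trusts only the root accepts the first chain and rejects the second, even though both client certificates show the same issuer name.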

Why Use Institutional Certificates?

Why do I want to run a Certification Authority on my campus?
You may want to run your own campus CA to support a wide range of applications. A certification authority can be a key component of a secure campus infrastructure.

If you set up a CA on your campus, you can use digital certificates to manage student, faculty, and staff access to virtually any campus web application and resource, from logging on to register for classes, to accessing library or class resources, to submitting homework assignments, to reviewing grades or financial aid information. Digital certificates can even be used for controlling access to buildings or rooms with a digital certificate embedded in a token such as an access card. Users with digital certificates can also use these certificates to sign email, providing more secure campus communications.

Learn more about how campuses are using digital certificates by visiting You can also visit the HEPKI-TAG site. You will have to scroll down the page to the "Information and Suggestions for Institutional PKI Implementors" area.


How to Apply for a CREN Institutional Certificate

The 123's of how to apply for a CREN-signed Institutional Certificate.
Apply Using a Short, 2-Page Form

The application process for a CREN Institutional Certificate has two phases:

  • Application and registration process that validates the Institutional Representatives, and sets up secure communication channels
  • Request, issuance and acceptance of the Institutional Certificate

Download the CREN CA Application - Version 3.0 (August 1, 2002)
[Download in Microsoft Word or PDF Format]

An institution's Member Representative fills out the application form and then it is signed by the Campus Certificate Authority Executive Officer. You may find it helpful to also download and print the
Step-by-Step Guide - Version 3.0 (August 1, 2002)
[Download in Microsoft Word or PDF Format]

This Step by Step Guide has detailed email templates to guide institutional contacts through the application and signing process.

To renew a CREN Institutional Certificate, an institution's Member Representative must fill out the following renewal application form and then have it signed by the Campus Certificate Authority Executive Officer. - Version 3.0 (August 1, 2002)
[Download in Microsoft Word or PDF Format]

Begin Communicating Securely

PGP (Pretty Good Privacy) is another security tool similar to digital certificates. One advantage of PGP is that individuals and small groups can begin using PGP for securing their email with little overhead. At CREN, we use PGP to set up a secure communication channel with a technical contact at an institution during the process of requesting a CREN-signed institutional certificate.

The PGP Personal Public Keys that are distributed and signed during the application process are not to be confused with the Public Keys being generated for inclusion in the CREN-signed Institutional Certificates.

The PGP software may be found at the location below:
[Download a free version of PGP now from:]

For installation tips and more information on PGP, download the CREN PGP One-Pager:
[Download: Microsoft Word or PDF Format]

Locate public keys of the CREN staff at:

Documents and Policies for the CREN CA

I. The policies that govern the CREN CA are currently in a combined Certificate Policy/Certificate Policy Statement.

CREN CP/CPS - Version 3.0 (January 27, 2000)
[Download: Microsoft Word or PDF Format]

The CREN CP/CPS details and controls the application process from the initial verification of the institutional requestor and the request for certificate process, through the issuing, acceptance, using, suspending, revoking, and renewing of CREN CA certificates.

II. The policies created by the HEPKI groups relating to the practices of a CA are included in the following CP/CPS.

HEPKI-Lite CP/CPS - Version 4.3 (Dec 19, 2001)
[Download: Microsoft Word or PDF Format]

The HEPKI-Lite CP/CPS describes the recommended best practices for a campus certificate authority implementing a PKI-Lite environment. A PKI-Lite environment is a full-featured PKI technology deployed with existing campus standards for identification and authentication (I & A) and security. The other two documents supporting a PKI-Lite Trust environment are the HEPKI-TAG Certificate Profiles and the Relying Party Statement.


Scenarios

Institutions have been implementing pilots and tests of CREN-signed Institutional Certificates. Here are some scenarios. If you have a scenario to share, please contact us at

Internet2 Meeting May 16, 2002
PKI & the CREN-signed Columbia CA
University of Minnesota Scenario May 16, 2002

CNI Spring Task Force Meeting April 16, 2002
Dartmouth presentation by Larry Levine
Getting Started with Digital Certificates: Is PKI-Lite Real PKI?
Session Handout: Summary of MIT, Dartmouth, Georgia Tech and CREN

Other University Scenarios
Georgia Tech Scenario June 8, 2001
Princeton Scenario June 6, 2001
University of Tennessee Scenario June 16, 2000
University of Minnesota Scenario June 14, 2000
MIT Scenario April 30, 2000

View the CREN PKI Scenario Archive

Resources

Certificates at MIT
This page is the resource used to support and guide MIT students, faculty and staff through the process of learning about and securing digital certificates. It can be used as a template and starting point for other institutions designing web sites for supporting digital certificate use by their campus community.

Digital Certificates: What Are They, and What Are They Doing in My Browser?
This is a pre-publication copy of an article published in the August 2002 issue of Syllabus. You can also visit the Syllabus site for the above article and other interesting Syllabus articles.
[Download: Microsoft Word or PDF Format]

Security on Campus: An Interview with Jeffrey I. Schiller MIT
This article is an interview with Jeff Schiller, MIT's network manager and security architect for MIT's Information Technology Architecture Group (ITAG). This is also published in the August 2002 issue of Syllabus. Jeff provides insights about the “negative deliverable”—security.
[Download: Microsoft Word or PDF Format]

Also, choose from a variety of PKI Resources from CREN, CREN Members, EDUCAUSE, Internet2, PKI vendors and more.

CREN CA Pricing Chart:

Learn about the various membership dues and service fees along with the benefits associated with becoming a CREN member.

Digital Certificate Products and Prices

| Digital Certificate Service | Member Prices: Certificates Included Annually with Membership | Member Prices: Additional Certificates | Non-Member Prices: Initial Certificate Service | Non-Member Prices: Additional Certificates |
|---|---|---|---|---|
| Institutional Certificates with 5-year validity period. | 1-3 certificates | $200 | 1-3 certificates, $750-$5000/yr dependent on Institutional Budget | $200 |
| CREN Web Server Certificates with 2-year validity period. | 1-25 | $49 or bundle of 10 for $450 | $600 for first certificate | $49 or bundle of 10 for $450 |
| CREN RA Client Certificates for Campus Registration Authority w/ 12-13 month validity period. | 1-5 | NA | 1-5 certificates | |
| Client Certificates approved by RA Client w/ 12-13 month validity period. | 100 | $500 per 100 | 100 client certificates | $500 per 100 |
| Technical Support | No Charge | | $300 for annual subscription | |

*CREN reserves the right to modify its yearly rates and discounts without notice. Modified rates will apply to new contracts and to contracts up for renewal, but will not affect existing contracts.


Corporation for Research and Educational Networking