
Guide for Getting Started with Digital Certificates

Draft 11-27-01

Exploring Access to External Content Providers with Digital Certificates - CREN/Mellon Project

In conjunction with CNI Fall 2001 Task Force Meeting San Antonio, Texas December 1, 2001


Section One: We want to setup a CA, what do we need?

Section Two: We want to setup a CA, how do we operate it?

Section Three: How do we launch a Campus CA?

Section Four: How do we issue Client Certificates with our Campus CA?

Section Five: What is a Sample Timeline for a Digital Certificate Pilot?

Section Six: Browser and Root Questions

Section Seven: How Do the Members of the Community Learn about Digital Certificates?

Section Eight: How do Content Providers Prepare for Digital Certificates?

Section Nine: Related Higher Ed Initiatives

Guide for Piloting Digital Certificates

Working towards Increased Communications Security with Digital Certificates

This document is a very preliminary draft of a guide for higher education campuses interested in increased security for campus and intercampus communications using digital certificates. The most immediate purpose for this guide is to support an expanded pilot of digital certificates in higher education being launched at a seminar on December 1, 2001 in San Antonio. This guide is a compilation of existing and original documents. Major contributions to this guide are from the work of the HEPKI group, including James Jokl, Jeff Schiller, David Wasley, and many more.

This draft will be revised over time in cooperation with the institutions launching and running digital certificate pilots and the members of the community. Vendors, content providers providing applications and users of the services will also provide feedback and content for this guide.

The use of digital certificates has expanded only slightly over the past 4 years. In fact, we often josh about the fact that use of digital certificates is two years out, and has been for four years now. Whether the use of digital certificates is still emerging or has, in fact, emerged depends on where you are in the landscape of higher education. A few campuses, such as MIT and UT-Health Science Center at Houston, have been successfully using digital certificates for 2-5 years. A few campuses, such as Georgia Tech, Princeton and Minnesota, have been setting up digital certificate pilots. Most institutions seem to be waiting for a clearer understanding of how digital certificates can best be used and what benefit they will bring to campuses. Also, the use of digital certificates requires a change in the web applications, and the increased benefits have not been compelling up to now.

As we in the community have become more knowledgeable about this technology and the increased security it can provide, we have been searching for an application that will allow us to implement the technology in a contained environment. As we all know, implementing new technology in a contained or pilot program is usually a necessary preamble to refining the technology, building in increased user-friendliness, and lowering costs.

What is the purpose of the guidebook? The purpose of this guidebook is to provide the basics of implementing the use of digital certificates for a pilot program. The guide can hopefully assist in developing the conceptual and technology uses of digital certificates. The two applications that we think will be driving the use of certificates are increased security in campus and intercampus communications— this means signed email — and managing access to remote resources easily from wherever one might be.

There are nine sections in this guidebook. All are in draft form. Additional sections will be prepared following the December 01 meeting. It is hoped that participants of the pilot will adopt some of the sections/concepts for further development. As mentioned, the content represents the contributions of many groups, such as the HEPKI-TAG and HEPKI-PAG groups, CA vendors, and content providers, such as JSTOR.

The guide is structured as a set of short FAQs on key topics in the area of setting up and operating a campus CA. Not every possible question is answered, and the current questions and answers will no doubt be refined over time.

The sections are organized around the setting up of a Certificate Authority Service on Campus to provide the digital certificate service to the campus community. These digital certificates can be used for two primary interactions: (1) authenticating and authorizing oneself for web applications, and (2) sending and receiving secure email. The primary purpose of the first use of digital certificates is to provide a “step-up” from user name and password authentication and to provide more convenience in accessing web applications and services from off-campus venues.

Acknowledgements for the content in this guidebook are sprinkled liberally throughout the guide. In addition to the specific contributions noted throughout and mentioned above, the CREN group should be acknowledged, especially Michelle Gildea for her yeoman’s work on gathering content and the write-ups on the vendors and the setting up of a CA. Other acknowledgements go to Jon Dornback and Ann Symonds of the CREN group for their contributions specific to this guide, and to Jim Reynolds and Amanda Powell for their general support. If anyone or any source has been omitted or inaccurately attributed, please let us know so that we can make corrections for the next version. Comments, suggestions and ideas are most humbly requested.

Judith Boettcher