Digital Certificates at Virginia Tech

To promote the use of digital certificates, the e-Provisioning Group has established the Virginia Tech Certification Authority (VTCA). The VTCA is responsible for issuing and managing digital certificates and public keys for Virginia Tech-affiliated entities. The VTCA assures the identity and the authenticity of the entities to which it issues digital certificates by using approved policies and procedures outlined in the Virginia Tech X.509 Certificate Policy (PDF, 152 KB) document.
Introduction

The VTCA is the core of the Virginia Tech Public Key Infrastructure (PKI), which is a set of comprehensive system policies, procedures, people, and technologies working together to allow secure and confidential communication between internet users. This includes the ability to issue, maintain, and revoke digital certificates. To reinforce security measures, digital certificates are digitally signed by a third party known as a certification authority.

PKI provides the critical element of trust in electronic transactions as well as communications. It provides a means for relying parties to know that another individual's or entity's public key actually belongs to that individual or entity. Digital certificates provide secure connections to electronic services and can be issued to organizations and devices in addition to people.

A Certification Authority is a trusted third party that verifies the identity of an entity registering for a digital certificate. Once a Certification Authority authenticates the requesting entity's identity, it issues a digital certificate to the requesting entity binding his or her identity to a public key.

All digital certificates have an explicit start date and an explicit expiration date. Most applications check the validity period of a certificate when the digital certificate is used.

For more information about digital certificates, see the following:
Virginia Tech Certification Authority Components

Digital certificates are electronic identity credentials which use encryption to support secure access to a large number of Web services and applications on campus. Initially, the VTCA is issuing server certificates, which are digital credentials that reside on a server and set up a secure connection between that server and a client or another server. This secure connection uses PKI through either a Secure Sockets Layer (SSL) session or a Transport Layer Security (TLS) session. The relationship between PKI and security lies in the fact that the public and private keys can be used for encryption, or hiding the content of data as it is being transmitted over the network.

For Desktop Users

In order to realize the security benefits of digital certificates issued by the VTCA, all faculty, staff and students are encouraged to install the VTCA root certificate on their Web browsers. After installing the Virginia Tech root certificate, applications using certificates will automatically recognize and accept certificates issued by the VTCA.

If the root certificate is not installed in your Web browser, you may receive security warning messages or pop-up windows asking if you trust the VTCA when accessing secure services that use VTCA issued certificates. Depending on your operating system and browser settings, you may see these warning messages every time you access secure servers which are using certificates issued by the VTCA. Downloading and installing the VTCA root certificate into your browser will help you prevent these recurring messages from appearing.

Root Certificate Download and Installation

You will need to complete the installation of the root certificate for each browser you use on your computer and for each different computer. For example, you may use one computer at work and another one at home. Also, if you are using an older version of your browser, please upgrade your browser before installing the certificate.
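The trust-anchor behaviour described under For Desktop Users and the validity period mentioned in the Introduction, as an added example that is not part of the original page: a locally generated root CA signs a server certificate, which verifies only when that root is supplied as a trust anchor. All names, files and function names are hypothetical and constructed for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally
# and is hypothetical. Nothing below is the real VTCA root or a real server.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # remove the throwaway private keys on exit

make_pki() {
  # Self-signed root CA: the trust anchor a user would install.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA (constructed)" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Server key pair and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # The CA signs the request, binding the server name to its public key.
  openssl x509 -req -in "$WORK/server.csr" -days 7 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Root present in the trust store: the chain builds and the check succeeds.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Root absent (only the system default store is consulted): the issuer is
# unknown, which is the condition that makes a browser show a warning.
verify_without_root() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# Print the explicit start and expiration dates carried in the certificate.
validity_window() {
  openssl x509 -in "$WORK/server.pem" -noout -startdate -enddate
}

# Succeeds only if the certificate is still valid $1 seconds from now.
still_valid_in() {
  openssl x509 -in "$WORK/server.pem" -noout -checkend "$1" >/dev/null
}

make_pki
verify_with_root    && echo "root installed:     server certificate accepted"
verify_without_root || echo "root not installed: server certificate rejected"
validity_window
still_valid_in 86400 && echo "valid for at least one more day"
still_valid_in $((30 * 86400)) || echo "expires within 30 days"
```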
To install the root certificate, choose one of the following sets of instructions according to the browser you use:

Personal Digital Certificates

Your Virginia Tech personal digital certificate (PDC) is an identity credential for online processes. Like your PID, it is assigned to you and you alone. Unlike a PID that requires only that you know the PID and the password, your PDC requires something you have as well as something you know. With these two factors, there is stronger assurance that your online identity is truly you. Virginia Tech employees are eligible for a PDC. See the Virginia Tech Personal Digital Certificates page.

For Server Administrators

Middleware Certificate

The Virginia Tech Middleware Application Certification Authority (CA) enables SSL authentication and encryption for application servers connecting to the Virginia Tech ED (Enterprise Directory) authentication and authorization services using SSL or TLS protocols.
Middleware Certificate Profiles:
For more information on ED, refer to the Enterprise Directory page.

Server Certificate

The Virginia Tech Class 1 Server Certification Authority enables SSL authentication and encryption services for networked application servers such as Web servers or e-mail. Application servers connecting to Virginia Tech computing resources with authentication and authorization services must use a digital certificate in order to communicate over a secured communication channel using SSL or TLS protocols.
Server Certificate Profiles:
General Documentation
Obtaining Further Assistance

If you need help installing VTCA certificates or have other questions, please contact 4help by using the Help Request Form (http://4help.vt.edu) or by calling (540) 231-HELP (4357).