Cover Page

X.509 Certification Practice Statement for the Class 1 Server Certification Authority
March 28, 2006
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.3.2.1
Release 1.0, Version 0.0

X.509 Certification Practice Statement for the Class 1 Server Certification Authority
March 28, 2006
Amended June 18, 2009
OBJECT IDENTIFIER 1.3.6.1.4.1.6760.5.2.3.2.1
Release 1.0, Version 2.0


RECORD OF CHANGES

 

Add all changes for Migration Project here!


1.1.1 Certificate Policy (CP)

The VTCA Root CA has digitally signed a copy of the VTCA CP, using SHA-1 with RSA encryption and its primary PKC signing key. The digitally signed copy of the C1SCA CPS is available online at http://www.pki.vt.edu/vtc1sca/cps/.

The C1SCA has a copy of the VTCA CP and CPS which has been digitally signed by the chairman of the VTPKI-PMA who has the primary responsibility for approving policies/standards of the Virginia Tech Public Key Infrastructure (PKI) and the related Certificate Authorities operating within it.


1.3 COMMUNITY AND APPLICABILITY

The primary community served by the C1SCA consists of those DPEs that provide online services to the Virginia Tech community.
The C1SCA also provides certificates for the RA administrators of the C1SCA.
In the absence of a Virginia Tech User Certification Authority, the C1SCA issues a limited number of personal digital certificates to the community specified in the X.509 CPS for Virginia Tech Class 1 Server CA Digital Signature Pilot Project for the Office of the Executive Vice President and Chief Operating Officer. Once the Virginia Tech User Certification Authority is able to provide personal digital certificates, the certificates issued under the Virginia Tech Class 1 Server CA Digital Signature Pilot (DSP) Project for the Office of the Executive Vice President and Chief Operating Officer will be revoked.
The C1SCA does not issue a PKC to any entity that is not included in its defined communities. A Relying Party can assume that the holder of a PKC issued by the C1SCA has a relationship to Virginia Tech.

The primary community served by the C1SCA consists of those DPEs that provide online services to the Virginia Tech community.
The C1SCA does not issue a PKC to any entity that is not included in its defined communities. A Relying Party can assume that the holder of a PKC issued by the C1SCA has a relationship to Virginia Tech.


1.3.2 Registration Authorities

Information Resource Management is the Registration Authority for the C1SCA.

Identity Management Services is the Registration Authority for the C1SCA.


1.4 CONTACT DETAILS

Questions about interpretation of this CPS are directed in writing to Information Resource Management. Concerns about possible abuse of this CPS are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA).
Information Resource Management
1700 Pratt Dr.
Blacksburg, VA 24060

Questions about interpretation of this CPS are directed in writing to Identity Management Services. Concerns about possible abuse of this CPS are directed in writing to the Virginia Tech Public Key Infrastructure Policy Management Authority (VTPKI PMA).
Identity Management Services
1700 Pratt Dr.
Blacksburg, VA 24060

2.1.3 Subscriber Obligations

In addition to the obligations stipulated in the VTCA CP a Subscriber MUST:
• read and agree to the terms and conditions of this CPS
• notify Information Resource Management immediately upon either suspected or known compromise of the private key associated with a PKC issued by the C1SCA

In addition to the obligations stipulated in the VTCA CP a Subscriber MUST:
• read and agree to the terms and conditions of this CPS
• notify Identity Management Services immediately upon either suspected or known compromise of the private key associated with a PKC issued by the C1SCA

2.4 INTERPRETATION AND ENFORCEMENT

Interpretation of this CPS is the responsibility of the PMA and Information Resource Management.

Interpretation of this CPS is the responsibility of the PMA and Identity Management Services.

3.1 INITIAL REGISTRATION

Initial registration requires the signature of the applicant for the service and signature of the department head. The signature of a higher level manager in the reporting line may be substituted. IRM verifies that the signatures comprise appropriate authentication and that the signing party is the appropriate authority. The registration process also provides contact information for the individual person who has responsibility for the client.

Initial registration requires the signature of the applicant for the service and signature of the department head. The signature of a higher level manager in the reporting line may be substituted. IMS verifies that the signatures comprise appropriate authentication and that the signing party is the appropriate authority. The registration process also provides contact information for the individual person who has responsibility for the client.


3.1.2 Need for Names to be Meaningful

The CN component of a Subject name in a PKC issued by the C1SCA is directly representative of the digital processing entity or natural person to which the PKC is issued.

The CN component of a Subject name in a PKC issued by the C1SCA is directly representative of the digital processing entity to which the PKC is issued.

3.1.3 Rules for Interpreting Various Name Forms

The Subject names for a digital processing entity PKC are issued using the following format:
serialNumber = <unique number assigned by the CA at PKC issuance>,
CN = <digital processing entity identifier> (e.g., host name, application name),
OU = <department name>,
O = Virginia Polytechnic Institute and State University,
L = Blacksburg,
S = Virginia,
C = US,
DC = vt,
DC = edu
The Subject names for a natural person entity PKC are issued using the following format:
serialNumber = <unique number assigned by the CA at PKC issuance>,
CN = <name of natural person>,
OU = Employee,
DC = vt,
DC = edu
The community designation must be a "Departmental Name" with any roles (e.g., Web Server, Application Server) that pertain to those belonging to the community of digital processing entities that provide online services to the Virginia Tech community.
The community designation must be an "Employee" with an "RA Operator" role for those belonging to the community of certificates for the RA administrators for the C1SCA.
The community designation must be an "Employee" with an "EVP User Pilot" role for those belonging to the community of certificates for the Digital Signature Pilot Project for the Office of the Executive Vice President and Chief Operating Officer.

The Subject names for a digital processing entity PKC are issued using the following format:
CN = <digital processing entity identifier> (e.g., host name, application name),
OU = <department name>,
O = Virginia Polytechnic Institute and State University,
L = Blacksburg,
ST = Virginia,
DC = vt,
DC = edu,
C = US
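As an added illustration of the 2009 naming format above (example code, not part of the CPS and not Virginia Tech's own tooling), the following Python checks whether a certificate Subject, written as an RFC 4514 string, follows the digital processing entity format. The RDN order and the fixed O, L, ST, DC and C values are taken from the listing above; RFC 4514 writes the leaf RDN (CN) first, which is the same order the CPS uses. The sample subjects are constructed for the example and are not real C1SCA certificates.

```python
"""Check a certificate Subject against the C1SCA digital processing entity
naming format (CPS section 3.1.3, 2009 text). Example code, not Virginia Tech's."""

# Required RDN order and values, taken from the 2009 format in section 3.1.3.
# None means the value is supplied per certificate and only has to be non-empty.
C1SCA_DPE_TEMPLATE = [
    ("CN", None),  # digital processing entity identifier (host or application name)
    ("OU", None),  # department name
    ("O", "Virginia Polytechnic Institute and State University"),
    ("L", "Blacksburg"),
    ("ST", "Virginia"),
    ("DC", "vt"),
    ("DC", "edu"),
    ("C", "US"),
]

_HEX = set("0123456789abcdefABCDEF")


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape for later decoding
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw):
    """Decode RFC 4514 escapes: "\\XX" is a UTF-8 byte in hex, "\\c" is a literal c."""
    raw = raw.strip()  # tolerate the spaces around "=" and after "," used in the CPS listing
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")
                i += 2
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return the DN as a list of (attribute type, value) pairs, leaf RDN first.
    Multi-valued RDNs ("+") are not part of the C1SCA format and are not handled."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pieces = _split_unescaped(rdn, "=")
        if len(pieces) < 2:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type = _unescape(pieces[0]).upper()
        value = _unescape("=".join(pieces[1:]))
        rdns.append((attr_type, value))
    return rdns


def check_c1sca_dpe_subject(dn):
    """Return a list of deviations from the template; an empty list means it conforms."""
    rdns = parse_dn(dn)
    problems = []
    if len(rdns) != len(C1SCA_DPE_TEMPLATE):
        problems.append(f"expected {len(C1SCA_DPE_TEMPLATE)} RDNs, found {len(rdns)}")
    for pos, ((want_type, want_value), (got_type, got_value)) in enumerate(
        zip(C1SCA_DPE_TEMPLATE, rdns)
    ):
        if got_type != want_type:
            problems.append(f"RDN {pos}: expected {want_type}, found {got_type}")
        elif want_value is None:
            if not got_value:
                problems.append(f"RDN {pos}: {want_type} must not be empty")
        elif got_value != want_value:
            problems.append(f"RDN {pos}: {want_type} must be {want_value!r}, found {got_value!r}")
    return problems


# Constructed sample subjects (not real C1SCA certificates).
GOOD_SUBJECT = (
    "CN=www.example.vt.edu, OU=Information Technology, "
    "O=Virginia Polytechnic Institute and State University, "
    "L=Blacksburg, ST=Virginia, DC=vt, DC=edu, C=US"
)
# Written in the 2006 format: serialNumber first, "S" instead of "ST", C before DC.
OLD_FORMAT_SUBJECT = (
    "serialNumber=12345, CN=www.example.vt.edu, OU=Information Technology, "
    "O=Virginia Polytechnic Institute and State University, "
    "L=Blacksburg, S=Virginia, C=US, DC=vt, DC=edu"
)

if __name__ == "__main__":
    for subject in (GOOD_SUBJECT, OLD_FORMAT_SUBJECT):
        problems = check_c1sca_dpe_subject(subject)
        print(subject)
        print("  conforms" if not problems else "  " + "; ".join(problems))
```

Running the block prints the conforming subject with "conforms" and lists every deviation for the 2006-style subject (extra serialNumber RDN, S instead of ST, C out of position), which is the kind of check an RA would run before approving a CSR against the current profile.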

3.1.4 Uniqueness of Names

The Subject name in a PKC refers to a unique and identifiable digital processing entity or person. Including the serial number that is assigned by the CA ensures the uniqueness of the Subject name. A unique Subject name may not be reused.

The Subject name in a PKC refers to a unique and identifiable digital processing entity. The accuracy of the DN details is checked by the registration authority using identification information provided during the enrollment process. A subscriber's DN must be unique and must not be assigned to different subscribers. Only when a subscriber possesses a number of certificates with different key uses can a DN appear several times, although the respective serial numbers of the issuing CA always remain unique.

3.1.9 Authentication of Individual Identity

IRM will verify that the person listed as department head is the head of department, as claimed. IRM confirms any designations with the department head. Once signatures are on file, IRM will verify signatures associated with requests.

IRM will verify that the person listed as department head is the head of department, as claimed. IMS confirms any designations with the department head. Once signatures are on file, IMS will verify signatures associated with requests.

4.4 CERTIFICATE SUSPENSION AND REVOCATION

The C1SCA revokes PKCs after receiving a valid revocation request. IRM initiates revocation when the departmental unit that has requested the certificate is no longer an identifiable university unit.

The C1SCA revokes PKCs after receiving a valid revocation request. IMS initiates revocation when the departmental unit that has requested the certificate is no longer an identifiable university unit.

4.4.2 Who Can Request Revocation of a Certificate

Certificate Revocation Requests are accepted from:
• the Subscriber
• the Subscriber's department head
• IRM

Certificate Revocation Requests are accepted from:
• the Subscriber
• the Subscriber's department head
• IMS

4.4.3 Procedure for Revocation Request

A Certificate Revocation Request (CRR) is initiated through:
• submission of the online CRR form that contains the Certificate Revocation Identification Number (CRIN) from the CSR
• the signing of the CRR form by the appropriate department head
• creation of the CRR by the RAA on behalf of the subscriber
The C1SCA RAA approves and digitally signs the CRR. All CRRs are processed by the RAA immediately upon receipt. The CAA revokes the certificate and issues a new CRL within two business days of approval by the RAA.

A Certificate Revocation Request is initiated through:

  • Users email IMScerts@vt.edu and request the certificate be revoked.
  • Users include the certificate common name and serial number in their revocation request.
  • The C1SCA RAA approves the CRR. All Revocation Requests should be processed by the RAA immediately upon receipt.
  • When approved, the CA immediately revokes the certificate and issues a new CRL within two business days of approval by the RAA.

4.4.11 Online Revocation / Status Checking Availability

Online Revocation/Status Checking (OCSP) is not available.

Online Revocation/Status Checking (OCSP) is available.

4.5.2 Frequency of Processing Data

The audit logs are consolidated and reviewed on a regular basis by IRM.

The audit logs are consolidated and reviewed on a regular basis by IMS.

4.5.4 Protection of Security Audit Data

Access to audit logs is controlled by IRM, and access is restricted to authorized employees only.

Access to audit logs is controlled by IMS, and access is restricted to authorized employees only.

4.5.5 Security Audit Data Backup Procedures

The C1SCA audit log is backed up on the same schedule as the rest of the data on the C1SCA host using a backup utility (vtBackup) which was developed at Virginia Tech. Backup audit logs of the C1SCA are protected against unauthorized viewing, modification, or deletion by encrypting the backup and storing it in a separate secure physical location offsite from the C1SCA host.
The audit logs for the C1SCA RA are backed up using the central IT Legato Networker network backup service for the host on which the RA resides.

The C1SCA audit log is backed up on the same schedule as the rest of the data on VTCA servers using the VT Information Systems and Computing network backup service, which provides:

  • Scheduled daily backup of server files and directories
  • Offsite storage in compliance with computing standards
  • Restoration of files as needed

4.6.3 Protection of Archive

Archived records are protected against unauthorized viewing, modification, and deletion by using cryptographic protection and offsite storage in a physically secure and trustworthy location. The cryptographic protection is implemented using a 512-bit DES3 symmetric key that is unique to each backup instance. The DES3 symmetric key is then encrypted using 4096-bit RSA public key encryption.

Archived records are protected against unauthorized viewing, modification, and deletion by using offsite storage in a physically secure and trustworthy location. The offsite backup location provides the following key features:

  • Storage in a secure, fire resistant Vault Room.
  • A stable, secure storage environment: The room is maintained at a constant 70 degrees and 35% - 55% humidity. It's secured with intrusion alarms and motion detectors.
  • Controlled access: The interior door to the building remains locked at all times. After admittance to the building, access to the Vault Room can only be obtained with the use of a valid VT ID card entered into the cipher lock.
  • Enhanced fire protection: Constructed with a concrete floor and walls, the Vault Room is rated to withstand a minimum of three hours of fire. Additionally, the entire building has an automated fire suppression system and a fire alarm wired into the campus police office.

4.6.4 Archive Backup Procedures 

Daily backups created with vtBackup serve as archives for the C1SCA CA application. The backups created with Legato Networker serve as archives for the C1SCA RA application.

Daily backups created using the network backup service provided by Information Systems and Computing serve as archives for the C1SCA CA application.

4.6.7 Procedures to Obtain and Verify Archive Information

On request by the auditors, IRM will authorize Operations Center personnel to retrieve media containing archived information from the offsite storage location. To view the CA archive, it must be decrypted. The private key needed to decrypt the symmetric key used to encrypt the backups is stored on removable media labeled "Backup Encryption RSA Key Pair" at the offsite storage location. A duplicate copy of the private key is stored on a BIO drive kept in a locked file cabinet in the eProvisioning office area.

On request by the auditors, IMS will authorize Operations Center personnel to retrieve media containing archived information from the offsite storage location.

5.1.5 Media Storage

The encrypted backup media of the C1SCA are stored in an offsite physically secure and trustworthy location.

The backup media of the C1SCA are stored in an offsite physically secure and trustworthy location. 

5.1.7 Offsite Backup

In the event of a system failure, there are sufficient backups that can be used to restore the C1SCA system. These backups are made on a daily schedule using the vtBackup utility and maintained for a period of 90 days. The daily backups are incremental, with the exception of full backups, which are done on the first day of each month. The most recent 14 daily backups are stored at a secure offsite location which can only be accessed by authorized personnel.

In the event of a system failure, there are sufficient backups that can be used to restore the C1SCA system. Full monthly, weekly differential, and daily incremental backups are created during the normal daily scheduled backups by the Information Systems and Computing network backup service. The backup media of the C1SCA are stored in an offsite physically secure and trustworthy location.

5.2.1.1 Certification Authority Administrator

The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President for Information Technology. The CAA's responsibilities are:
• certificate generation and revocation
• CRL generation
• electronic certificate issuance for a C1SCA RAA
• administration of the C1SCA hardware security module

The Certification Authority Administrator (CAA) role is appointed by the Office of the Vice President for Information Technology. Primarily, a CAA's responsibilities are:
• Certificate profile, certificate template, and audit parameter configuration
• Develop VTCA key generation and backup procedures
• Assignment of VTCA security privileges and access controls of users
• Install and configure new CA software releases
• Startup/Shutdown of the VTCA

5.2.1.2 Registration Authority Administrator (RAA)

The Registration Authority Administrator (RAA) role is constituted by IRM. The RA's responsibilities are:

The Registration Authority Administrator (RAA) role is constituted by IMS. The RAA's responsibilities are:

7.1.2 Certificate Extensions

Standard extensions, when populated, are described in an appropriate Certificate Profile which is published at http://www.pki.vt.edu/vtc1sca/cps/.

PKCs issued from the C1SCA have the following values in their Key Usage field:
• digital signature
• non repudiation
• key encipherment
• data encipherment

Standard extensions, when populated, are described in Certificate Profiles published at http://www.pki.vt.edu/vtc1sca/cps
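The four Key Usage values listed in the 2006 text of section 7.1.2 are the first four bits of the KeyUsage BIT STRING defined in RFC 5280. As an added example (not from the CPS and not Virginia Tech's software), the following Python encodes and decodes that DER bit string by hand, applying the DER rule that trailing zero bits are not emitted, and reports whether an extension value carries exactly the four usages the CPS lists. The sample encodings are constructed; the bit positions come from RFC 5280 section 4.2.1.3.

```python
# KeyUsage bit positions from RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,  # RFC 5280 also calls this contentCommitment
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}
BIT_NAMES = {bit: name for name, bit in KEY_USAGE_BITS.items()}

# The four usages section 7.1.2 (2006 text) lists for C1SCA PKCs.
C1SCA_KEY_USAGE = frozenset(
    {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"}
)


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING (tag 0x03) for the given usage names.

    Bit 0 is the most significant bit of the first content byte. DER requires
    the shortest encoding, so trailing zero bits are dropped and the leading
    content byte says how many low-order bits of the last byte are unused.
    """
    names = set(names)
    unknown = names - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage: {sorted(unknown)}")
    if not names:
        return bytes([0x03, 0x01, 0x00])  # empty bit string
    highest = max(KEY_USAGE_BITS[n] for n in names)
    nbytes = highest // 8 + 1
    value = 0
    for n in names:
        value |= 1 << (nbytes * 8 - 1 - KEY_USAGE_BITS[n])
    unused = nbytes * 8 - 1 - highest
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING and return the set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or non-short-form length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits count")
    if bits and bits[-1] & ((1 << unused) - 1):
        raise ValueError("DER violation: unused bits must be zero")
    names = set()
    for bit in range(len(bits) * 8 - unused):
        if (bits[bit // 8] >> (7 - bit % 8)) & 1:
            if bit not in BIT_NAMES:
                raise ValueError(f"undefined KeyUsage bit {bit}")
            names.add(BIT_NAMES[bit])
    return names


def conforms_to_c1sca(der):
    """True when the extension value carries exactly the four usages from 7.1.2."""
    return decode_key_usage(der) == C1SCA_KEY_USAGE


if __name__ == "__main__":
    der = encode_key_usage(C1SCA_KEY_USAGE)
    print(der.hex(), sorted(decode_key_usage(der)), conforms_to_c1sca(der))
    # A common TLS server profile with only digitalSignature and keyEncipherment.
    other = encode_key_usage({"digitalSignature", "keyEncipherment"})
    print(other.hex(), conforms_to_c1sca(other))
```

The C1SCA set encodes as the bytes 03 02 04 f0 (four bits set, four unused), whereas a profile with only digitalSignature and keyEncipherment encodes as 03 02 05 a0; a relying party that needs the non-repudiation or data-encipherment bits can feed the extension value from a certificate to conforms_to_c1sca instead of comparing raw bytes.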

7.2.3 OCSP Services

OCSP is supported but not currently implemented.

An OCSP (Online Certificate Status Protocol) responder service is available.