The eProvisioning group within SETI has scheduled an upgrade of the VTCA on July 17-20, 2009 in order to migrate the certificate services provided by the Virginia Tech Root, Class 1 Server and Middleware CAs from OpenCA to a new enterprise class EJBCA (Enterprise Java Beans Certificate Authority) system.  EJBCA is a scalable open source PKI Certificate Authority built on J2EE technology which will allow Virginia Tech to better maintain and accommodate the current and future demands for public key technology at the university.

The PKI upgrade to EJBCA requires a few updates to the VTCA CP (Certificate Policy) and CPS (Certificate Practice Statement) documents for the VT Root, Class 1 Server and Middleware CAs. These updates have been published on the Security Community EJBCA Wiki for your review and comments at the following locations:

VTCA CP Updates

VTCA Root CPS Updates

VTCA Class 1 Server CPS Updates

VTCA Middleware CPS Updates

Major changes can be summarized as follows:

1. A department name change from IRM (Information Resource Management) to IMS (Identity Management Services).

2. VTCA CP and CPS documents are digitally signed by the chairman of the PMA instead of the CA.

3. The subordinate Class 1 Server and Middleware CAs join the User CA as online certification authorities.

4. The CAA (Certification Authority Administrator) role has been redefined. The new online CAs will authorize the issuance of a certificate after a request has been approved by two RAAs (Registration Authority Administrators). No physical presence of a CAA operator at the server console is required.

5. Class 1 Server and Middleware CAs no longer issue natural person certificates. Natural person certificates are only issued by the User CA.

6. CA servers use the network backup facility provided by Information Technology instead of a local offline backup utility. The requirement to encrypt backups of the CA application has been dropped since sensitive information on these servers is limited to CA private keys, which are securely stored on an HSM device.

7. Interoperation with CAs external to the VTCA policy domain will be allowed for the purpose of root key signing when approved by the PMA.

8. OCSP (Online Certificate Status Protocol) responder services are now available.

9. The certificate serial number has been dropped from the subject entry of all certificates. This information was redundant since the serial always appears as an extension in a certificate.

10. The subject entry of the Middleware Client certificate profile has been updated to include a "SN=unique number" value to satisfy a special uniqueness requirement requested by the Middleware Group.

11. Certificate extension information is provided by links to externally maintained documents instead of hard coding the extensions in the policy documents.