[unisog] PKI survey

David Ressman davidr at portnoy.uchicago.edu
Mon Nov 1 18:32:00 GMT 2004

Greetings all!

We're preparing for an (eventual) overhaul of our PKI setup, and I'd
like to hear from people about what they're doing.  You can respond to
me personally, and I'll summarize the responses and send them back to
the list.  I'll answer the questions for the University of Chicago so
you can have a little background if you wanted to offer some (much
appreciated) advice.  If you have any favorite informational resources,
I'd appreciate it if you would share those as well.

1. Are you using PKI campus-wide in any capacity now?

   We sign certificates generated by local web servers.  We've had some
   (very limited) success getting people to import our root certificate
   into their web browsers.

   We also use another CA that's been signed by our "main" CA to
   generate and distribute certificates (via SCEP) to use with our VPN
   concentrator for IKE SA negotiation so we can avoid things like
   pre-shared key Xauth and the like.

2. Are you planning a new campus-wide PKI project, or expanding your
   existing PKI in a new capacity?  Are you planning on integrating your
   campus-wide PKI with a Windows CA for use in Active Directory?

   We're not sure what we're going to do!  A few years ago we tried to
   introduce Kerberos to the campus, but it was never widely adopted,
   and it finally died a slow, lingering death last year.  We're very
   hesitant to promote the use of PKI for something that won't take off.

3. What PKI (CA/RA/etc.) software are you using?  What software aren't
   you using and why not?

   Right now, we're just using openssl as a CA and OpenSCEP (orphaned
   by its developer) to do our SCEP generation and distribution.
   Needless to say, that leaves a lot to be desired, and that's what's
   driving our desire to overhaul our setup.  I don't know too much
   about the alternatives.  I was going to take a look at OpenCA and
   RSA Keon, because SCEP support is a requirement.  I'd be delighted
   to hear about any of your experiences with any software.

4. How do you authenticate the certificate chain to the clients?  

   This is the biggie for us.  Our CA's certificate has been signed by
   the CREN CA.  Even though I2 is going to continue the CA service,
   there's just no hope of having their CA key imported into all of the
   client software our users need to use.  As a result people are
   abandoning our CA service and just buying their certificates from
   someone like Verisign or GeoTrust.  We tend to proxy those
   purchases, so it's a big time drain for us with no benefit.

   Ideally, we want to have someone like RSA or GeoTrust sign our CA
   outright, or use some kind of online validation service.  It's not
   exactly clear to me which types of online verification mechanisms are
   ready for prime-time, and which are not.  I realize that this could
   potentially be very expensive, but we think it'll be worth it in the
David Ressman                       Network Security Officer
(773) 702-4789         The University of Chicago Network Security Center
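Questions 1, 3 and 4 above describe a two-tier CA run with openssl (a "main" CA signing a subordinate CA, which in turn signs server certificates) and the problem of clients that never imported the root. The script below is an added example, not the author's configuration: it builds such a chain with the openssl CLI in a scratch directory and then verifies the server certificate twice, once as a client that trusts the root and once as a client that only has the intermediate. All names (Example Root CA, www.example.edu) and file paths are constructed placeholders; it assumes an openssl CLI of 1.1.1 or later.

```shell
#!/bin/sh
# Added example: two-tier CA (root -> intermediate -> server) with openssl,
# plus the chain check a client performs. All names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config: one extension section per certificate role.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.edu
authorityKeyIdentifier = keyid
EOF
}

# Build root.pem, int.pem and server.pem in $WORK.
build_chain() {
    write_config
    (
        cd "$WORK"
        # Root CA: self-signed; in practice the key stays offline.
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
            -keyout root.key -out root.pem -subj "/CN=Example Root CA" \
            -config ca.cnf -extensions v3_root >/dev/null 2>&1
        # Intermediate CA: CSR signed by the root with CA:TRUE, pathlen:0.
        openssl req -new -newkey rsa:2048 -nodes -keyout int.key \
            -out int.csr -subj "/CN=Example Intermediate CA" \
            -config ca.cnf >/dev/null 2>&1
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 1825 -out int.pem \
            -extfile ca.cnf -extensions v3_intermediate >/dev/null 2>&1
        # Server certificate: CSR from the web server, signed by the intermediate.
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
            -out server.csr -subj "/CN=www.example.edu" \
            -config ca.cnf >/dev/null 2>&1
        openssl x509 -req -in server.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -days 365 -out server.pem \
            -extfile ca.cnf -extensions v3_server >/dev/null 2>&1
    )
}

# Client that imported the root: trusts root.pem, is handed int.pem by the server.
verify_with_root() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Client that never imported the root: the intermediate alone is not a trust anchor.
verify_without_root() {
    if openssl verify -no-CAfile -no-CApath \
        -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Stand-alone run: build the chain and show both client outcomes.
build_chain
echo "client with root imported:    $(verify_with_root)"
echo "client without root imported: $(verify_without_root)"
```

The second check is the situation described under question 4: a correct chain still fails on every client whose trust store lacks the root, which is why a root that is not shipped in browser and VPN client trust stores cannot be fixed on the server side. Having the CA certificate cross-signed by an anchor those clients already carry changes only the top of the chain the server presents; the verification logic is unchanged.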
