Background Questions
Uses of the CREN Certificate Authority Service
Overview of the Process
Technical Questions
If you have a question not listed here, please email it to cren@cren.net so that we can reply and post it to this FAQ.
A certificate gives an institution the security it needs to conduct on-line research in a safe environment. The certificate verifies the authenticity of the sender of an electronic message and verifies the integrity of the message (that is, that the message has not been altered). The certificate provides a trusted third-party check of authenticity. You can view a sample CREN digital certificate here.
The CREN root certificate was re-issued as a result of consultation with the community. View the CREN certificate with the eight year validity period here.
CREN's Certificate Authority Services will implement a high-level certificate authority that will verify the individual certificate authorities at CREN's member institutions. Users at different institutions will be able to automatically verify the authenticity of certificates they receive from each other's site, simply by configuring their browser software for CREN's top-level certificate authority.
The primary focus of the CREN CA is to support interinstitutional resource sharing in research, teaching and learning, for the community-wide needs of faculty, staff and students. This means that while faculty, staff and students may have other digital certificates for other purposes, the CREN digital certificate will be primarily used for access to resources residing in databases, and electronic libraries, and other resources owned by institutions and content vendors.
Cost is the primary reason for CREN providing this service for higher education. As e-commerce expands, the need to manage and limit its associated costs will also grow. As CREN is dedicated to serving the needs of higher education, CREN can be more sensitive to any special higher education requirements, including cost constraints. By using the CREN Certificate, a university can issue an unlimited number of certificates.
One compelling reason that digital certificates are important for libraries and campuses is the national movement to use digital certificates for authentication and authorization for secure interactions over the network. Digital certificates provide a single method of authentication and access control for all internal, academic and administrative applications. Digital certificates also provide a single method of authentication and access control for remote faculty and staff and for remote applications, including emerging applications developed for Internet2. The CREN certificate authority establishes a point of trust between institutions, eliminating the need to establish multiple one-to-one relationships.
The CREN Certificate Authority Application page provides an overview of the CREN CA services and the procedures for applying for a CREN institutional digital certificate. This page includes links to the business documents supporting this service, such as the Application Form for the CREN CA, the detailed Operations and Procedures document and the Certification Practices Statement.
The three major components of a PKI are:
- Certificate Authority (CA). The CA provides all of the services required to issue, store, manage, and revoke certificates for an institution.
- LDAP Authentication Database. An LDAP database stores information about the people and servers that have been authorized to receive certificates. Typically, the directory contains a unique identifier for the individual, demographic information and, once the certificate is issued, the public key.
- Attribute Server. An attribute server is an optional component that may be used to exchange information that is not contained in a certificate but may be needed for authorization decisions.
(Note: A group of vendors formed a Directory Integration Forum in July of 1999 to help develop standards for the interoperability of directory applications and to certify software that simplifies the management of directories from different vendors. Key vendors, such as Microsoft, Netscape and Sun were not members of this forum at its formation. This is something to watch.)
MIT, Princeton, and Georgia Tech began the process of the initial pilot in August of 1999. The service will be extended to another small group of institutions in September and the rollout for other institutions will follow.
It is important to note that the CREN Certificate Authority service is a top-level or "bridge authority" service. The first step is for an institution to set up a campus-level Certificate Authority.
Currently this service will be included in the annual membership fees of CREN member institutions.
Students and faculty will have more freedom and convenience in accessing campus resources and remote network resources from wherever they are. Students and faculty will also have to learn about the importance of securing their private key. A private key is usually stored on a laptop, smart card, or on a floppy disk -- something that a person will always have with them.
Users may have to configure their browsers to recognize the CREN certificate, as the CREN certificate does not come preloaded in browsers. However, as the CREN certificate is intended mostly for use with other servers rather than individuals, this step may be managed at the administrative level rather than the user level.
Additionally, the CREN certificate and public key likely will be stored on the campus server as well as in various places on the network, including the CREN repository. With this in place, students, faculty and staff can request and load the CREN CA onto their computers.
CREN's initial self-signed root will be 2048 bits; the minimal length of the institutional certificates will be 1024 bits. You can view a sample CREN digital certificate here.
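The hierarchy the FAQ describes, built and checked with the OpenSSL command line as an added example (not CREN's own tooling or procedures): a self-signed 2048-bit top-level root, a campus CA it signs, and a server certificate under that CA. Subject names, file names and validity periods are assumed; the script shows that a relying party whose trust store holds only the root can verify the server's chain, while one without the root cannot.

```shell
#!/bin/sh
# Added example, not CREN's tooling: a three-tier hierarchy built with the OpenSSL
# CLI: self-signed 2048-bit top-level root -> campus CA -> server certificate.
# Names are constructed placeholders. The campus key is 2048 bits (the FAQ allows
# 1024) because current OpenSSL security levels reject 1024-bit CA keys on verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: 2048-bit RSA, eight-year validity, CA:true so it is a valid anchor.
make_root() {
  printf 'basicConstraints=critical,CA:true\n' > "$WORK/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Bridge/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2922 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}
# Campus (institutional) CA signed by the root; pathlen:0 limits it to end-entity certs.
make_campus_ca() {
  printf 'basicConstraints=critical,CA:true,pathlen:0\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example University/CN=Campus CA" \
    -keyout "$WORK/campus.key" -out "$WORK/campus.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1826 -in "$WORK/campus.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/campus.pem" 2>/dev/null
}
# Server (end-entity) certificate for a library host, issued by the campus CA.
make_server_cert() {
  printf 'basicConstraints=CA:false\n' > "$WORK/ee.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example University/CN=library.example.edu" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" -CA "$WORK/campus.pem" -CAkey "$WORK/campus.key" \
    -CAcreateserial -extfile "$WORK/ee.ext" -out "$WORK/server.pem" 2>/dev/null
}
# Trust store holds only the root; the campus CA is supplied as an untrusted
# intermediate, which is how a browser configured for the top-level CA sees it.
verify_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/campus.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Same chain with an empty trust store: nothing anchors it, so verification fails.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/campus.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# RSA modulus size of the root, read back from the certificate itself.
root_key_bits() {
  openssl x509 -in "$WORK/root.pem" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_root; make_campus_ca; make_server_cert
```

Run it on a host with the OpenSSL CLI (1.1.1 or later); `verify_with_root` exits 0 and `verify_without_root` exits non-zero.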
The CREN certificates will be institutional, top-level certificates, probably residing on servers.