Last Updated: May 2011
Developing a Certification Authority for PKI at Virginia Tech
Virginia Tech began to explore how to integrate digital certificates into our infrastructure services after the Commonwealth of Virginia’s Council on Technology Services’ Privacy, security, and Access work group initiated discussions on digital signatures and public key infrastructure (PKI) in 1999. Virginia Tech’s Information Resource Management department conducted research on PKI and smart card technologies, with pilot projects that evaluated commercial software from Baltimore Technologies, Entrust, VeriSign, Microsoft, and open source solutions using OpenCA. Smart cards and tokens were tested from companies including Gemplus, Schlumberger, Dallas Semiconductor, Axalto, Maganet, and Aladdin. The research and pilot projects resulted in the establishment of the Virginia Tech Certification Authority (VTCA) in 2003.
The initial VTCA used OpenCA software on a combination of IBM and Dell servers running RedHat linux, with hardware security modules (HSM) certified at FIPS 140-2 Level 3. The CA software was upgraded in August, 2010, to use the Enterprise Java Beans Certificate Authority (EJBCA), running on Dell servers. EJBCA is an Enterprise class Open Source PKI certificate authority built on JEE technology. The transition to EJBCA and the addition of another production HSM to provide failover capability gave Virginia Tech the ability to scale its PKI to a 24x7 operation to meet the university’s growing demand for digital certificates.
A certification authority (CA) is a collection of hardware, software, people, policies, and procedures that facilitate the issuance of digital certificates within a PKI. CAs include a registration component to verify the appropriateness of the certificate requests and a certification component to issue the certificates. CA administrators use established procedures and application software to oversee the issuance of certificates. Virginia Tech’s HSM implements strong multi-factor authentication that requires the CA administrator to use a key token and associated PIN in order to access the private component of the HSM which contains the public/private key pair. The RSA cryptographic keys are generated onboard the HSM using a hardware-based random number generator.
Virginia Tech established a hierarchy of certification authorities, with a root and multiple subordinate CAs: a server CA for Web server SSL certificates, a middleware CA for secure transactions with our enterprise directory, and a user CA to issue personal digital certificates (PDCs).
In 2006, Virginia Tech began issuing the PDC onto the SafeNet (formerly Aladdin) eToken, a USB device certified at FIPS 140-2 level 2. SafeNet provides device drivers (middleware) that support the eToken on Windows, Macintosh, and Linux platforms. The eToken Properties Management Tool allows a Windows user to interact directly with the eToken. For non-Windows platforms, access to the certificate on the eToken is configured through the browser. To obtain a personal certificate, an individual presents two forms of picture identification to the registration authority administrator (RAA). The certificate is issued through a token administration system (TAS) that was written in-house. The RAA uses TAS to locate the individual's information in a Virginia Tech enterprise LDAP directory. If the pictorial representation, identity
information, and membership in the proper Virginia Tech community indicate the person is eligible to receive a certificate, the certification authority administrator (CAA) uses TAS to generate the certificate with its public and private keys onboard the eToken. The eToken pass phrase is set by the owner of the certificate at the time the certificate is placed on the token, thereby, securing the person's digital certificate with "something you have" and "something you know." The owner also uses the eToken PDC to digitally sign a usage agreement.
For security reasons, the private keys are generated in such a way that they cannot be exported off the tokens. The PDC can be used for authentication and for digital signatures, and does not support encryption, because encryption use would warrant key escrow, introducing the possibility that someone other than the owner could access the private key. The secure treatment of the private key ensures that when a person uses the PDC for digital signature, the signer cannot repudiate the signature. PDCs on eTokens are currently used by the Information Technology organization to digitally sign leave reports. Other university applications include digital signatures on Adobe PDF forms, and multi-factor authentication to web applications via the university’s Central Authentication Service.
Prior to March, 2011, certificates issued by the VTCA were only recognized within the university. In 2011, however, Virginia Tech established a contract with an external vendor to sign the Virginia Tech root. The VTCA began issuing externally-trusted SSL server certificates in March, 2011. These externally trusted certificates have been extremely popular, as they are issued at no cost to Virginia Tech users, and are recognized by most popular Web browsers and applications. The globally-trusted certificates provide a major step forward in maintaining website security by providing a trusted digital certificate without the expense of purchasing a commercial digital certificate for each website needing one. A next step will be to issue personal digital certificates (PDCs) that are globally trusted.
There are many security benefits to using digital certificates – encrypting Web transmission, certificate-based and multi-factor authentication, digital signatures for documents and e-mail, and encryption of e-mail and data at rest. The use of digital signatures reduces paper consumption and expedites university processes that previously required pen-and-ink signatures. The enhanced security of multifactor authentication enables us to have a high level of confidence in the identities of users who authenticate with their certificates and will allow us to increase security where appropriate for applications that provide access to sensitive data.
Digital signatures using the PDC on the eToken have had a positive impact in many areas. Information Technology employees digitally sign leave reports. The department of Electronic and Computing Engineering allows graduate students to digitally sign departmental forms.
The VTCA-issued personal digital certificates on eTokens will allow us to apply for InCommon Silver status with very few modifications to current infrastructure or processes. By issuing our own certificates, Virginia Tech retains control over identity assurance processes, and can completely manage the life cycle of a digital certificate and the associated keys. With the multi-factor authentication and strict identity proofing requirements, Virginia Tech should be well positioned to issue credentials to those individuals who will need to access services requiring the InCommon Silver level of assurance.
Developing a PKI in-house requires an in-depth knowledge of public key technology that most software developers do not possess. Virginia Tech has been extremely fortunate to have skilled developers, but when a position is vacated, the search for a new employee rarely results in hiring an individual who can “hit the ground running.” Sometimes the learning curve is steep, with a considerable amount of time invested before the employee can be productive independently.
While the encryption hardware and software are basic necessities for PKI, the most challenging aspect of the implementation involves the people, policies, and procedures. Virginia Tech structured its initial certificate policy (CP) and certification practices statements (CPS) according to the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. The CPS document for the Global Qualified Server CA uses the template from our external signing authority, and also conforms to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates published at http://www.cabforum.org.The overall CP and the CPS for each CA outline the terms and conditions under which a CA operates for issuing public key certificates. The certificates issued by any CA contain a URL referencing the CPS that governs that CA. The documents include descriptions of the issuance and revocation processes, the manner in which subscribers are identified, contact information for the CA, and certificate duration and renewal information. Since software and procedures must adhere to the policies and practices described in these statements, there is a large dependency on having a thorough understanding of the documented practices and procedures and appropriate personnel resources to implement them. Virginia Tech's CP and CPS documents are approved by the Virginia Tech PKI policy management authority and are digitally signed using certificates that chain to the VT Root CA.
Using standard, simplified policies in the higher education community may shorten the length of time it takes to implement PKI. On the other hand, those individuals who have participated in writing and approving the CP and CPS documents at Virginia Tech probably have a better understanding of the infrastructure than those who simply adopt an existing set of policies and practices. Writing institutional-unique procedures also gives the institution greater control over the security of the environment, so we believe the resulting Virginia Tech service is worth the time invested.
Next steps with PKI at Virginia Tech include issuing externally-trusted PDCs on eTokens, and issuing personal digital certificates (“soft” PDCs) stored in software rather than on the eToken. The soft PDCS will be issued via a self-service user interface to be developed in-house. The soft PDCs will support encryption. To fully support recovery of encrypted university data and e-mail, key escrow and retrieval policies, procedures, and software interfaces will need to be established.
- Virginia Tech Certification Authority
- X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- CA/Browser Forum
- InCommon Certificate Service
The following resources are required to support the Virginia Tech Certification Authority:
- Hardware Security Modules
- Extended trust/Root key signing
- eToken client support
When compared to purchasing commercial certificates, obtaining certificates from the VTCA is extremely cost effective. A detailed cost-benefit analysis was done prior to issuing an RFP for external root key signing, and the resulting contract offered a very cost-effective solution for Virginia Tech. The external trust in the VTCA greatly enhances the usefulness of the certificates. Offering externally trusted certificates from the VTCA virtually eliminates the need for departments to purchase certificates from commercial providers.
In addition to cost savings, managing our own PKI allows us the flexibility to issue certificates of any type, with a variety of profile settings. We can ensure the certificates are issued in a very secure manner, according to our own policies, and we can implement key escrow on a selective basis.
The InCommon certificate service may be a cost effective solution for institutions that do not already have an established PKI or that do not have Virginia Tech’s requirement to generate personal certificates and keys on board the SafeNet eToken. As the InCommon service matures, we will keep a close watch on any capabilities that might benefit Virginia Tech.
4 (on a scale of 1 to 5, where 5 is Highly Replicable)
5 (on a scale of 1 to 5, where 5 is Highly Effective)