Versions Compared

Old Version 15

changes.mady.by.user Dean Woodbeck (internet2.edu)

Saved on

compared with

New Version 16

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tip
titleA Note about Organizations and Departments

In the Certificate Services Manager (CSM) web interface, the organization and department constructs do not constitute a parent/child hierarchy. Organization settings are settings that apply to issued certificates when no department is specified. Department Likewise department settings are independent of organization settings. Consequently, for example, an organization may or may not have key escrow enabled, but this is completely independent of whether or not any particular department has key escrow enabled. As another example, just as only one key usage template may be applied to a department, so only one key usage template may be applied to an organization. In many ways, an organization is just another department, at least in the CSM.

...

If an organization is to issue client certificates, the MRAO assigns one key usage template (KUT) to that organization. Likewise if a department is to issue client certificates, the RAO assigns one KUT to that department. Thus only one KUT can be configured per organization or department. This means, for example, that if your Physics department wishes to use two types of certificates (e.g.say, signing-only and encryption-only), then you will have to create two departments in the CSM, something like "Physics-Signing" and "Physics-Encryption." Alternatively, depending on your deployment requirements, you may wish to architect your departments by function rather than by academic unit. For example, you could create three departments for the entire campus, say, "Standard Signing Cert," "Standard Encryption Cert," and "Standard Dual-Use Cert." How you create your departments is, of course, up to you.

...

Info
titleImportant Note

All current organizations created prior to 8 March 2011 have key escrow enabled. The only way to change this is to create a new organization instance in the CSM.

InCommon made the decision about key escrow many months in advance of deploying client certificates, when SSL was the only service in operation and the key escrow functionality in CSM was still in its infancy. Since we didn't want to disable potentially useful functionality for an entire organization's life cycle, we chose to enable escrow for all organizations.

...