This document gives a business perspective on client certificates.

Activation Process

Before client certificates can be issued, the subscriber's InCommon Executive contact must complete the Client Certificate Request form.

Information About Key Escrow - Is it Enabled or Not?

See the technical page regarding key escrow for background information.

if your organization subscribed to the InCommon Certificate Service after 8 March 2011, then key escrow was not enabled by default.

All organizations created after 8 March 2011 have key escrow turned off, but RAOs may still enable key escrow for new departments if they wish.

If your institution subscribed prior to 8 March 2011, it is highly likely that your organization was created in the Certificate Manager prior to 8 March 2011. In that case, you have key escrow enabled. If you began issuing SSL certificates prior to 8 March 2011, then you have key escrow enabled.

Encryption and Key Escrow

Use cases that involve the long-term encryption of data or documents raise the issue of key backup and recovery. Accordingly, key escrow, a service offered for no additional fee to subscribers of the InCommon Certificate Service, provides for backup storage of users' private keys. Whether or not you need key escrow is a question that should be addressed early on, before you begin deploying client certificates in production.

In any case, you should seek the advice of technical and legal experts before making a decision regarding key escrow.

Policy Issues

Issuance of client certificates must comply with the corresponding Certification Practices Statement (CPS). Two campus requirements of particular note in the Client CPS are:

4.2.1 Performing Identification and Authentication Functions
3.1.5 Uniqueness of Names

Section 4.2.1 stipulates that user's email addresses must be be validated by the Subscribing institution. Section 3.1.5 stipulates that Subject Distinguished Names (DNs) should be assigned to individuals "in perpetuity" and must uniquely map to one individual. See the CPS for Standard Assurance Client Certificates for the official language and enumeration of the requirements.


InCommon strongly recommends that organizations follow a "Client Certificate Checklist" prior to using client certificates in production. Such a checklist might include:

Client Certificate Checklist