Introduction

The ability to print digital certificates for your users is really just one small component of the overall work involved in a successful campus-wide PKI deployment.  Many campus PKI projects have been less than successful by not focusing enough on the whole product and the usability of the applications they support with certificates.  If deployed properly, digital certificates can build a more secure environment while also being more convenient for users than traditional password-based systems.  Some examples of campus-based certificate-enabled applications include:

• Web Authentication
  Most web servers and browsers make certificate-based authentication easy to implement and use.  A typical campus implementation might use certificates instead of passwords for authentication to the central campus Web SSO system.  The use of certificates eliminates the risk associated with phishing attacks.
• VPN Authentication
  Like web authentication, once a user has a certificate installed on their workstation, it can typically be leveraged easily by most IPSEC and SSL VPN systems.  The use of certificates for VPN authentication eliminates the need for users to type their password and often removes the need to maintain an additional password database.  Simply clicking on the connect button provides a secure VPN path.
• Wireless Authentication
  The use of certificates and EAP-TLS and certificates for authentication to the campus wireless networks improves security and is a significant ease of use enhancement for end users.  From a user's perspective, when their device is within range of a campus Access Point, it securely connects in the background.  No captive portal, entering passwords, or other such inconvenient mechanisms.  Certificate-based wireless authentication also removes significant risk from rogue access points being used to capture user passwords.  Migrating to EAP-TLS for wireless authentication also prepares a campus for simple configuration into eduRoam.
• Signed Electronic Mail
  A campus certificate infrastructure makes it possible to promote S/MIME-based digital signing of electronic mail messages.  Official announcements, mailing list issues, client interoperability, webmail, client configuration, etc.
• Digital Signatures
  Signing other documents, such as in the Microsoft Office Suite and Adobe products
• Encrypted Electronic Mail
  Focus on where it is good and where the danger lurks.  Discuss key usage options.
• Globus and Grid Computing

All certificate-based applications depend on the user's certificates and their associated private keys being pre-installed in appropriate location(s) such that they are accessible to applications as needed but still under the control of the user.  Some PKI-enabled applications require setup on the user's workstation and others, such as VPN clients, often require workstation firewall tuning for successful operation.  The level of user acceptance, and thus the success of the overall project, often depends on how easy it is for users to have their certificates installed in all of the needed locations, have their workstation applications preconfigured for certificate use, and how well users are warned when expiring certificates need to be replaced.

Service and Security Considerations

The first consideration for making certificate-enabled services function transparently for users is to have their certificate and private key installed in all of the needed location(s) on their workstation.  This is typically done with the certificates installed in a non-exportable way.  Basic workstation security settings such as a password protected screen savers can also ve verified as part of the installation process.  Certificate store requirements for the common applications listed above are summarized in the table below:

InCommon PKI Subcommittee Project Roadmap

Parking Lot

Mobility, higher assurance certificates, 2-factor authentication, SSH, preferred certification ldap publication,