1. Overview of PKI@Virginia Tech
Secure Enterprise Technology Initiatives
e-Provisioning Group
Frank Galligan
Fed/Ed XV PKI Coordination Meeting
June 14, 2007
Virginia Tech

2. Secure Enterprise Technology Initiatives
Background
Secure Enterprise Technology Initiatives
eProvisioning Group
Technical Support for University PKI Initiatives
Sponsorship For PKI Initiatives
Vice President for Information Technology
Funding from Executive Vice President
Virginia Tech
Blacksburg, Virginia - Southwestern VA
Research University - Ranking 56th in US
28,000 Full Time Students - Largest in VA
7,000 Faculty and Staff - PKI Target Group
Corporate Research Center - Location of CC
Virginia Tech

3. Personal Certificates
VTCA Architecture
Virginia Tech
Root CA
Offline CA
4/10/2003
Online CA
Subordinate CAs
Server CA
Middleware CA
4/10/2003
7/23/2004
User CA
9/20/2006
Other CAs
As Needed
417 Issued
105 Issued
444 Issued
Personal Certificates
Aladdin
eToken
SSL Web Server
Certificates
Middleware
Certificates
Virginia Tech

4. Six Projects: A Coordination Challenge
PKI Project Structure
Six Projects: A Coordination Challenge
Infrastructure
Integration
Token Administration System
Policy
Device Selection
Documentation and Communication
Virginia Tech

5. VTCA Design Methodology
Architecture: Hierarchical Model
High Assurance Level: FIPS Level 3 HSM
Standards: PKCS, CryptoAPI, PCSC, X509 v3
Commercial or OpenSource: OpenCA 0.9.x
Deployment Model: Phased, Smart Devices
Scope: Initially for Internal Use
Administration: RA,CA,HSM,SYS,APP
CP and CPS Documents: PMA, RFC 2527
Virginia Tech

6. VT Personal Digital Certificates
Token Administration System - TAS
Two Phase Certificate Enrollment Process
- Phase I Registration Authority Admin Station
Applicant Hokie ID scanned to retrieve LDAP record
Applicant provides two photo IDs for validation
Applicant creates a password for their eToken
- Phase II Certification Authority Admin Station
Applicant authenticates using their eToken password
TAS generates RSA keys onboard eToken and creates CSR
TAS sends CSR to User CA, returned cert stored on eToken
Applicant digitally signs VT Usage Agreement
TAS automatically sends with instructions to applicant
eToken Password Resets, Certificate Revocation
Virginia Tech

7. Virginia Tech Personal Certificate Profile VT PKI Applications
PKI Integration
Virginia Tech Personal Certificate Profile
Encryption Disabled
VT PKI Applications
Digitally Signed Leave Reports/Work Flow
VPN Authentication
S/MIME , MS Office Word and Excel, Adobe Acrobat
Client SSL Authentication, CAS (Central Authentication Server)
Other Digital Signature Applications
Grant Proposals
Travel Vouchers
Various Departmental Forms
Phone Bills
Virginia Tech

8. References Virginia Tech Home Page www.vt.edu Virginia Tech PKI
Virginia Tech PDCs
Virginia Tech Certificate Policy
Virginia Tech eAladdin eToken News
Personal Digital Certificates at Virginia Tech – Internet2 Presentation
Virginia Tech

9. Overview of PKI@Virginia Tech
Secure Enterprise Technology Initiatives
e-Provisioning Group
Frank Galligan
Fed/Ed XV PKI Coordination Meeting
June 14, 2007
Virginia Tech