CalNetPKI, the UC Berkeley Certificate Authority

Publication Date: August 13, 2009
Expiration Date: August 13, 2012
Curtis Salinas, IST–Infrastructure Services

CalNetPKI is a free IST service that provides a certificate authority (CA) to the campus for use in a variety of security-related tasks. A public-key infrastructure (PKI) is a system that verifies the validity of each party involved in an electronic transaction by binding that party to a digital certificate. The certificates issued are standard X.509 certificates, which are interoperable with both Microsoft and non-Microsoft products. Available certificates include those used for:

  • Code signing
  • Encrypting websites via SSL
  • Digitally signing and encrypting email
  • Encrypting files and folders with EFS
  • Securing network traffic with IPSec

In order for a certificate from CalNetPKI to work properly, a root CA certificate must be installed as trusted on the client computer. Computers that are running Microsoft Windows XP or Windows Server 2003 and higher, and are members of the CalNet Active Directory (CalNetAD) forest, have this root certificate installed automatically. In addition, the root certificate can be easily installed on non-Windows or nonmember computers.

Certificates are normally purchased from a third party, such as VeriSign or Thawte, for a fairly high price. The aim of CalNetPKI is to provide functionality similar to what these outside organizations offer, at no cost to the campus, for internal tasks. If you would otherwise need to purchase a certificate for an on-campus-only (intranet) or development web server, for example, CalNetPKI is an excellent choice of CA. However, if you need a certificate for use on a public website or to sign or encrypt an email to an external contact, a traditional CA is probably your best bet, because the root certificates of more widely recognized CAs, such as VeriSign, are already installed in most web browser clients.

You can read more about CalNetPKI or request a certificate by going to the CalNet Active Directory CalNetPKI website, or by browsing our expanding set of CalNetPKI articles in the IST Knowledge Base.