Implementing the InCommon Certificate Service

InCommon Documentation

Click here for the InCommon Participant Operational Practices.

UC Berkeley Background

  • Over 30,000 students, approximately 10,000 staff and faculty, over 40,000 active hosts
  • Central and Distributed IT support
    • Central bIT department manages many hosts for campus departments
    • Local departments manage many of their own devices
  • Central bIT Enterprise Windows team already offered a PKI service which allowed personal enrollment for a variety of certs and resold Verisign SSL machine certificates
  • CalNet - Identity Management team chosen to run new InCommon Certificate Service, gradually replacing the existing service as the InCommon service expands to cover a wider range of certificates
  • CalNet team a small, technical staff - plan to delegate certificate administration broadly

Initial Rollout

  • Chain of trust established through various levels of the organization
  • Central administration - CIO approves RAO status for CalNet team - initial testing and central processing of cert requests

Initial delegation

  • Central bIT DRAOs - DCIO approves DRAO status for central bIT staff to approve SSL certs for centrally managed hosts

Broad-scale delegation - in progress

  • Establish a delegation model similar to our existing CalNet deputy process, where we delegate identity vetting, account creation, and passphrase reset responsibility to trained and "deputized" departmental staff.
  • Departmental DRAOs, recruited by sending requests to high-level departmental IT managers in large campus departments (Law School, Business School, EECS, etc) to appoint DRAOs
  • For each department, gather enrollment information and set up DRAO account
  • Continue seeking delegated admins as requests come in to central management team. Plan in-person trainings as DRAOs are identified.
  • Train delegated administrators - approximate 1 hour in-person training required for all DRAOs.
  • After training our first round of central bIT DRAOs, they have raised a number of interesting questions.

Announcing the Service to Campus

We took a variety of approaches to announce the serviceto campus:

  • General announcement email to various listservs on campus used by IT staff.
  • Published an InCommon Certificate Services page, including an FAQ, on our website.
  • Described the service at various committee meetings and campus forums.