Bulk issue of certificates


Bulk issue of certificates

by Robert Hazeltine

Hi

Before re-inventing the wheel, I am wondering if anyone has had experience
in issuing certificates in bulk to a known group of, say, students (such
as course intake).  The usual process of presenting identification
individually does not apply in this case and that step can legitimately be
omitted - the student's identity has been well and truly established and
documented before having to present to the RA operator.

Incidentally, we are talking about the issue of thousands of certificates
at least initially when we introduce PKI certificates.

I suppose we could require the student to submit a certificate signing
request and allow the RA Operator to process those automatically without
face to face proof of identity.  However, is there another way to do this?

I am interested in what people think about how to handle this situation
efficiently and what are the alternatives.  If I can, I would like not to
have the student re-prove identity.  I am prepared to discuss off list if
that helps.

Regards



Rob...
Robert Hazeltine                      Phone:  +61(2) 9678-7621
Senior Analyst/Programmer             Mobile: 0410311656
BIS Hawkesbury                        Email:  r.hazeltine@...
University of Western Sydney

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Bulk issue of certificates

by Benjamin Bennett

Robert Hazeltine wrote:

> Hi
>
> Before re-inventing the wheel, I am wondering if anyone has had experience
> in issuing certificates in bulk to a known group of, say, students (such
> as course intake).  The usual process of presenting identification
> individually does not apply in this case and that step can legitimately be
> omitted - the student's identity has been well and truly established and
> documented before having to present to the RA operator.
>
> Incidentally, we are talking about the issue of thousands of certificates
> at least initially when we introduce PKI certificates.
>
> I suppose we could require the student to submit a certificate signing
> request and allow the RA Operator to process those automatically without
> face to face proof of identity.  However, is there another way to do this?
>
> I am interested in what people think about how to handle this situation
> efficiently and what are the alternatives.  If I can, I would like not to
> have the student re-prove identity.  I am prepared to discuss off list if
> that helps.

If your campus already uses kerberos authentication you might be
interested in kerberized CA services which could automatically issue
certificates based on authentication of the student's existing kerberos
principal.

The ones I know of are K.X509 [1], Heimdal kerberos [2] (implementing
the server side of the kx509 protocol), and MyProxy [3].

[1] http://www.kx509.org
[2] http://www.h5l.org
[3] http://grid.ncsa.uiuc.edu/myproxy


--ben


Re: Bulk issue of certificates

by Mike Wiseman-2

One way is to create a client script that generates the keypair/CSR and uses
SCEP to send it to the RA. Set it up so students authenticate using their
NetID or something to run the script. Then direct them to install the issued
cert from the RA or LDAP. These tasks can be done for most platforms using
OpenSSL and sscep. I'm working on a similar plan using PKCS#11 smart cards.



Mike




Mike Wiseman
Manager, Computer Security Administration
Computing and Networking Services
University of Toronto



>
> Hi
>
> Before re-inventing the wheel, I am wondering if anyone has had experience
> in issuing certificates in bulk to a known group of, say, students (such
> as course intake).  The usual process of presenting identification
> individually does not apply in this case and that step can legitimately be
> omitted - the student's identity has been well and truly established and
> documented before having to present to the RA operator.
>
> Incidentally, we are talking about the issue of thousands of certificates
> at least initially when we introduce PKI certificates.
>
> I suppose we could require the student to submit a certificate signing
> request and allow the RA Operator to process those automatically without
> face to face proof of identity.  However, is there another way to do this?
>
> I am interested in what people think about how to handle this situation
> efficiently and what are the alternatives.  If I can, I would like not to
> have the student re-prove identity.  I am prepared to discuss off list if
> that helps.
>
> Regards
>
>
>
> Rob...
> Robert Hazeltine                      Phone:  +61(2) 9678-7621
> Senior Analyst/Programmer             Mobile: 0410311656
> BIS Hawkesbury                        Email:  r.hazeltine@...
> University of Western Sydney


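
The client-script approach from Mike Wiseman's reply, sketched as an added example (not code from the thread or from OpenCA). It also shows the check an RA needs before auto-approving without face-to-face identification: the CSR must be validly self-signed and its CN must equal the NetID that authenticated. The function names, NetIDs, DN layout and RA URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. NetIDs, DN layout and RA URL are constructed placeholders.

# make_csr NETID DIR: generate an RSA key and a CSR whose CN is the NetID.
make_csr() {
    netid=$1; dir=$2
    (   umask 077                      # private key readable by owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$netid.key" -out "$dir/$netid.csr" \
            -subj "/O=Example University/OU=Students/CN=$netid" 2>/dev/null )
}

# csr_cn CSR: print the subject commonName of a CSR (one line per CN found).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# ra_check AUTH_NETID CSR: the test an RA needs before auto-approving.
# Passes only if the CSR's self-signature verifies (the requester holds the
# private key) and its CN is exactly the NetID that authenticated.
ra_check() {
    # Match on the message rather than the exit status, which is not
    # reliable across OpenSSL versions.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_cn "$2")" = "$1" ]
}

# scep_enroll NETID DIR RA_URL CA_CERT: submit the CSR with sscep and write
# the issued certificate to DIR/NETID.crt. CA_CERT is the file fetched
# beforehand with "sscep getca".
scep_enroll() {
    sscep enroll -u "$3" -c "$4" -k "$2/$1.key" -r "$2/$1.csr" -l "$2/$1.crt"
}

# Usage (after the student has logged in as jdoe42):
#   make_csr jdoe42 "$HOME/.pki" && ra_check jdoe42 "$HOME/.pki/jdoe42.csr"
#   scep_enroll jdoe42 "$HOME/.pki" "$RA_URL" ca.crt
```

A CSR carrying a different CN than the logged-in NetID, or more than one CN, fails `ra_check` and should fall back to manual RA review.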