The CalNetPKI certificate service offering is divided
into three groups:
User Certificates
User certificates are issued to users. |
 |
User |
Smartcard |
EFS |
Encrypted E-mail |
| Certificate |
|
|
|
|
|
| |
Purpose |
|
Client Authentication
Secure E-mail |
Client Authentication
Smartcard Logon
Secure E-mail |
Encryption |
Encryption |
Template Name
UCB.User. |
|
|
Smartcard Logon
Smartcard User |
EFS |
Encrypted E-mail |
| Requirements |
|
This certificate retrieves the user's e-mail address
from CalNetAD, by default, the e-mail field is blank. The ability
to sign e-mail requires the user's e-mail address to be included
inside the certificate. If the e-mail address is not populated,
the certificate request will fail. |
This certificate requires a Schlumberger smart
card and reader. |
The EFS private key is stored in the user's profile.
For EFS to work properly, users must have persistent profiles. If
users use multiple computers or use EFS on a network share, users
must have roaming profiles. |
The encrypted e-mail certificate
private key is stored in the user's profile. In order to decrypt
e-mail, users must have persistent profiles. If users use multiple
computers, users must have roaming profiles. |
| Description |
|
The User certificate is used for smart card logon,
VPN authentication, and signing e-mail. |
The smart card user certificate is used for smart
card logon, VPN authentication, and signing e-mail. |
The EFS certificate is used to encrypt files via
EFS. As a public institution with data retention requirements, this
certificate requires a recovery key. The recovery key can be used
by administrators, in accordance with campus policy, to decrypt
the encrypted files. |
The encrypted e-mail certificate
is published in the directory. When an encrypted e-mail is sent,
the sender encrypts the message with the recipient's certificate.
As a public institution with data retention requirements, this certificate
requires a recovery key. The recovery key can be used by administrators,
in accordance with campus policy, to decrypt the encrypted files.
|
| Platform |
|
|
|
|
|
|
Windows 2000
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$140 Setup |
$140 Setup |
$140 Setup |
|
Windows XP
Auto
or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$140 Setup |
$140 Setup |
$140 Setup |
Windows Server 2003
Auto
or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$140 Setup |
$140 Setup |
$140 Setup |
Windows Vista
Auto or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$140 Setup |
$140 Setup |
$140 Setup |
Other
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$140 Setup |
n/a |
$140 Setup |
|
|
|
|
|
| Request Certificate |
|
|
|
|
|
| Items in red will be offered
at a future date |
Machine Certificates
Machine certificates are issued to workstations, servers, and network
devices. |
| |
Computer |
SSL |
RAS and IAS Server |
Network Device |
| Certificate |
|
|
|
|
|
| |
Purpose |
|
Client Authentication
IPSec |
Server Authentication
IPSec |
Client Authentication
IPSec
Server Authentication |
Client Authentication
Server Authentication |
Template Name
UCB.Machine. |
|
Computer Authentication
Computer Authentication (Manual request)
Computer Authentication (Web request)
IPSEC |
Web Server
Web Server (Manual request) |
RAS and IAS Server |
CEP Encryption |
| Requirements |
|
Each computer must have a resolvable DNS name
or the certificate request will fail. |
SSL certificates require a resolvable DNS name.
Verification of DNS name ownership is required to process the certificate
request. |
RAS and IAS server certificates require a resolvable
DNS name. Verification of DNS name ownership is required to process
the certificate request. |
Network device certificates require a resolvable
DNS name. Verification of DNS name ownership is required to process
the certificate request. |
| Description |
|
The computer certificate is used for computer
to computer authentication, computer VPN authentication, and IPsec
communication between machines. |
The SSL certificate authenticates a server to
a connecting client. SSL certificates are used for encrypting
web, e-mail, and VPN traffic. |
The RAS and IAS server certificate is used by
the Microsoft Remote Access Server for VPN connections. |
The network device certificate is used by network
devices for VPN and firewall communication encryption. |
| Platform |
|
|
|
|
|
|
Windows 2000
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$25 per Certificate |
n/a |
n/a |
|
Windows XP
Auto
or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
n/a |
n/a |
n/a |
Windows Server 2003
Auto
or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$25 per Certificate |
$25 per Certificate |
n/a |
Windows Vista
Auto or
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$25 per Certificate |
$25 per Certificate |
n/a |
Other
Web Based Enrollment |
|
Free
$70 Setup (Custom) |
$25 per Certificate |
n/a |
$25 per Certificate |
|
|
|
|
|
| Request Certificate |
|
|
|
|
|
| Items in red will be offered
at a future date |
Administrative Certificates
Administrative certificates are generally issued to administrators
and specialized users to perform functions not covered by user or
machine certificates. |
| |
Code Signing |
Smartcard Enrollment Agent |
Encryption Key Recovery |
| Certificate |
|
|
|
|
| |
Purpose |
|
Signing |
Client Authentication
Signing |
Key Recovery |
| |
Template Name
UCB.Administrative. |
|
Code Signing
|
Enrollment Agent
Enrollment Agent (Computer) |
Key Recovery Agent
EFS Recovery Agent |
| |
Requirements |
|
|
This certificate requires a Schlumberger
smart card and reader. Enrollment agents are very powerful, use
of this certificate requires a secured machine approved by the CalNetAD
Enterprise Administrators. |
Encryption key recovery certificates are only
issued to administrators. The key recovery certificate must be used
in accordance with campus policy when decrypting encrypted files. |
| |
Description |
|
The code signing certificate is used to sign
published code for the verification of code source and integrity. |
The smartcard enrollment agent
certificate allows an administrator to request a smart card certificate
on behalf of another user. Administrators preparing smartcards for
other users need this certificate. |
The encryption key recovery certificate is used
to recover a certificate's private key. The key recovery is done
to recover encrypted data when the users private key is lost. As
a public institution with data retention requirements, some encrypted
data must be recoverable, check campus policies for more information.
|
| Platform |
|
|
|
|
|
Windows 2000
Web Based Enrollment |
|
$25 per Certificate |
$70 per Certificate |
$25 per Certificate |
| |
Windows XP
Auto
or
Web Based Enrollment |
|
$25 per Certificate |
$70 per Certificate |
$25 per Certificate |
| |
Windows Server 2003
Auto
or
Web Based Enrollment |
|
$25 per Certificate |
$70 per Certificate |
$25 per Certificate |
| |
Windows Vista
Auto or
Web Based Enrollment |
|
$25 per Certificate |
$70 per Certificate |
$25 per Certificate |
| |
Other
Web Based Enrollment |
|
$25 per Certificate |
n/a |
$25 per Certificate |
|
|
|
|
| Request Certificate |
|
|
|
|
| Items in red will be offered
at a future date |
