Because I2A2 makes extensive use of the Secure Sockets Layer (SSL), that makes it rely heavily on Public Key Infrastructure
(PKI) certificates. (See SSL - The Secure Sockets Layer for more
information on SSL.)
Certificates (also sometimes called X.509 certificates) embody an increased layer of security for two reasons:
- They use the public and private key PKI infrastructure.
- They have an elaborate method for establishing the trustworthiness of a certificate.
Note that this doesn't imply certificates are perfectly secure. They are just more secure than simple password
They are also a basic requirement for SSL.
Purdue Certificate Authority
Purdue certificates are self-signed -- i.e., they are issued by Purdue. (Currently an I2A2 development team member issues
The chain of trust for Purdue certificates begins at the Purdue public certificate, issued by I2A2 in the name of the Purdue Certificate Authority (CA). That certificate is freely available in the I2A2 Apache Web Server Package, in DER format, in PEM format, and in PKCS7 format. The PEM format is preferred by UNIX OpenSSL and can be used by Microsoft Internet Explorer. DER and PKCS7 are binary formats, preferred by Microsoft and NetScape browsers, and software tool kits.
You can download a Purdue public certificate in a desired format by clicking on a "...format" link in the preceding paragraph.
When used with OpenSSL, the PEM format file may be installed in a file of certificates or in an individual file in the OpenSSL certificate authority (CA) directory. Installed as an individual file it must have a symbolic link to it in the CA directory, typically prepared by the OpenSSL x509 utility's -hash option. Consult your OpenSSL documentation -- e.g., the OpenSSL verify(1) manual page -- for more information on OpenSSL methods for storing CA certificates.
PUIDs and Certificates
Purdue certificates use an X.509 certificate protocol extension, called an OID, to store the PUID. (See SSL for more information on how the PUID is stored in the certificate.)
Certificates are used by I2A2 for two purposes:
- To support Secure Sockets Layer (SSL) connections;
- To provide a combined and more secure identification and authentication of I2A2 system users.
Obtaining a Purdue Certificate
Until a formal Purdue Certificate Authority has been established, there is no regular method for obtaining a Purdue
Small numbers of Purdue certificates can be made available by an I2A2 development team member, generally based on a specific, substantiated, and documented request. Send e-mail to the acting Purdue CA for more information.