authX: USC PKI Lite CA

The University of Southern California's PKI Lite Certificate Authority issues X.509 certificates for hosts and persistent services only.

At this time, the USC PKI Lite CA has a posted public Certificate Policy (CP) that is under review. The CP currently being vetted by the University is based on the PKI Lite policy developed by Internet2.

If you have questions regarding the USC PKI Lite CA, please send email to USC PKI Lite systems administration, including "USC PKI Lite query" in the subject field.

Technical desiderata for the USC PKI Lite CA:

Technical desiderata for the USC KCA:

It is the policy of the USC PKI Lite CA to sign certificates for hosts or persistent services only, and only for hosts or persistent services within the usc.edu domain. A special arrangement has been made with the USC Information Sciences Institute (part of the USC Viterbi School of Engineering) to allow the USC PKI Lite CA to also sign certificates for hosts or persistent services from the isi.edu domain. If you have a CSR for the isi.edu domain, please send it to the ISI Registration Authority.

If you would like to use PKI authentication but prefer a PKI certificate signed by a non-USC certificate authority (CA) such as Verisign, Thawte, or godaddy, you are free to submit a certificate signing request (CSR) to any outside CA. The outside CA should contact the office of Todd Dickey, the Senior Vice President for Administration, to obtain verification of the identity of the person submitting the CSR, and approval of the CSR. The outside CA may contact the publicly posted network administrator for USC instead, which is the wrong thing to do. That network administrator is within ITS, but ITS cannot verify the identity of a person submitting a CSR or approve a CSR for a CA outside of the University. We urge any department thinking of submitting a CSR to an outside CA to make arrangements ahead of time with the office of Todd Dickey, the Senior Vice President for Administration, and to indicate to the outside CA that the CA should contact that office for verification or approval.

If you need a CSR signed by the USC PKI Lite CA, please send the CSR in an email to the CSR signing-request queue. Before the CSR can be signed, you will be contacted by systems staff to verify your identity and that you sent the CSR. Verification will require an in-person visit to CAL, at which time you will need at least one picture ID (University ID works) plus a hardcopy of the CSR to compare against the one included in email.

To be approved for signing, a CSR must meet these criteria:

The CN is for a host within the usc.edu domain
-OR-
the CN is for a persistent service (e.g., PubCookie) running on a host within the usc.edu domain.
The country is set to United States (C=US)
The state is set to California (ST=California)
The organization is set to "University of Southern California" (O=University of Southern California)
The organizational unit is set to the organization within the University that is responsible for the host or persistent service the certificate will be used for
(for example, OU=Information Technology Services)
If an email address is given, that it is a valid address within the usc.edu domain.
That the key is at least 1024 bits.

If a previously-signed certificate has expired, you must submit a new CSR. Expired certificates will not be renewed.

If you want to generate a CSR under Solaris Unix, please see Generating a CSR under Solaris.

If you want to generate a CSR under Windows, please see this MS knowledge base article.

User certificates are created by the USC KCA using KX.509. A formal Certificate Policy for the USC KCA is being written, but has not yet been publicly posted.

If you wish to arrange for a formal cross-certification between a CA that you use and/or administer, and the USC PKI Lite CA, please send email to USC PKI Lite systems administration, including "CA cross-cert query" in the subject field.

Last updated 02 Mar 2006 by shelley