authX:Scheduled Administrative Activities
authX: USC PKI Lite CA
The University of Southern California's PKI Lite Certificate Authority issues X.509 certificates for hosts and persistent services only.
At this time, the USC PKI Lite CA has a posted public Certificate Policy (CP) that is under review. The CP currently being vetted by the University is based on the PKI Lite policy developed by Internet2.
If you have questions regarding the USC PKI Lite CA, please send email to USC PKI Lite systems administration, including "USC PKI Lite query" in the subject field.
Technical desiderata for the USC PKI Lite CA:
It is the policy of the USC PKI Lite CA to sign certificates for hosts or persistent
services only, and only for hosts or persistent services within the
If you would like to use PKI authentication but prefer a PKI certificate signed by a non-USC certificate authority (CA) such as Verisign, Thawte, or godaddy, you are free to submit a certificate signing request (CSR) to any outside CA. The outside CA should contact the office of Todd Dickey, the Senior Vice President for Administration, to obtain verification of the identity of the person submitting the CSR, and approval of the CSR. The outside CA may contact the publicly posted network administrator for USC instead, which is the wrong thing to do. That network administrator is within ITS, but ITS cannot verify the identity of a person submitting a CSR or approve a CSR for a CA outside of the University. We urge any department thinking of submitting a CSR to an outside CA to make arrangements ahead of time with the office of Todd Dickey, the Senior Vice President for Administration, and to indicate to the outside CA that the CA should contact that office for verification or approval.
If you need a CSR signed by the USC PKI Lite CA, please send the CSR in an email to the CSR signing-request queue. Before the CSR can be signed, you will be contacted by systems staff to verify your identity and that you sent the CSR. Verification will require an in-person visit to CAL, at which time you will need at least one picture ID (University ID works) plus a hardcopy of the CSR to compare against the one included in email.To be approved for signing, a CSR must meet these criteria:
If you want to generate a CSR under Solaris Unix, please see Generating a CSR under Solaris.
If you want to generate a CSR under Windows, please see this MS knowledge base article.
User certificates are created by the USC KCA using KX.509. A formal Certificate Policy for the USC KCA is being written, but has not yet been publicly posted.
If you wish to arrange for a formal cross-certification between a CA that you use and/or administer, and the USC PKI Lite CA, please send email to USC PKI Lite systems administration, including "CA cross-cert query" in the subject field.
Last updated 02 Mar 2006 by shelley