The purpose of the EUR X.509 public key infrastructure is to provide identification and authentication services to entities affiliated with the Erasmus University Rotterdam.
The EUR Certificate Authority (CA) assumes this role for EUR intranet purposes. It uses a self-signed CA certificate that is the root of a certificate hierarchy constructed in support of PKI-enabled services managed by the EUR. To increase flexibility and manageability, the EUR Root certificate is only used to sign subsidiary CA certificates that are designated for more specific purposes. Currently, four such specific purposes have been identified and implemented:
certificates for services: e.g. authenticated/secured infrastructure management systems, secure IMAP service
certificates for users: e.g. used for authentication and authorization purposes to EUR-internal services
certificates for computers: e.g. to be used to secure remote sessions, set up VPN connections, etc.
certificates for signing software packages
The reason for using different CAs for these purposes is that the mechanisms used for management of issued certificates will be different for each category. For instance, the certificate authority that issues machine certificates may elect to implement an automatic enrollment scheme with the understanding that identity verification is outsourced to other systems (e.g. Active Directory).
The following applies to all certificates issued by the EUR PKI framework:
Several sub-ordinate CA services are currently deployed that certify public keys of entities in these three classes:
Root CA certificate subject name: CN=EUR Root CA,DC=EUR,DC=NL
Services CA certificate subject name: CN=Services CA,DC=EUR,DC=NL
User CA certificate subject name: CN=User CA,DC=EUR,DC=NL
Machine CA certificate subject name: CN=Machine CA,DC=EUR,DC=NL
Campus Active Directory sub-ordinate CA certificate subject name: CN=AE Services CA,DC=campus,DC=EUR,DC=NL. This sub-ordinate CA is run as part of the CAMPUS.EUR.NL forest Active Directory services and is dedicated to supply auto-enrollment PKI services based on AD trust relationships.
The CA certificates (including public key info) and CA revocation lists are available at http://pki.eur.nl/. Note: the CA revocation lists must be renewed periodically lest clients complain about unverifiable certificate chains. Refer to the script /usr/local/etc/ssl/crlcron renew to assist with the renewal process.
3A:6B:72:AA:82:9A:06:73:D1:91:4C:40:43:61:FB:55:F8:0F:A6:DD.
The certificate can be retrieved using the following links in DER format or in PEM format.
Intermediate CA certificates are also available for download:
Services in PEM format
Machine in PEM format
CAMPUS Active Directory auto-enroll services in DER format
TEST CAMPUS Active Directory auto-enroll services in DER format
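An added example, not part of the original page or EUR's own tooling: a Python check that a downloaded CA certificate, in either the DER or the PEM format offered above, matches a published fingerprint. It assumes the 20-byte value on this page is the SHA-1 fingerprint of the EUR Root CA certificate (the page does not label it); the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Value copied from this page. Assumption: it is the SHA-1 fingerprint of the
# EUR Root CA certificate (20 bytes matches SHA-1; the page does not say so).
PUBLISHED = "3A:6B:72:AA:82:9A:06:73:D1:91:4C:40:43:61:FB:55:F8:0F:A6:DD"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(blob: bytes) -> bytes:
    """Return the DER encoding from either a PEM or a DER download."""
    match = PEM_RE.search(blob)
    if match:
        body = b"".join(match.group(1).split())  # drop line breaks
        return base64.b64decode(body, validate=True)
    # A DER certificate is an ASN.1 SEQUENCE, so it starts with tag 0x30.
    if not blob.startswith(b"\x30"):
        raise ValueError("input is neither a PEM nor a DER certificate")
    return blob


def fingerprint(blob: bytes) -> str:
    """Colon-separated SHA-1 digest of the DER bytes, as printed on the page."""
    digest = hashlib.sha1(to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(blob: bytes, published: str) -> bool:
    """Compare a download against a published fingerprint in any hex layout."""
    want = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    if len(want) != 40:
        raise ValueError("published value is not a 20-byte fingerprint")
    got = fingerprint(blob).replace(":", "")
    return hmac.compare_digest(got, want)


# Constructed stand-in for a download (a tiny DER SEQUENCE, not a certificate).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM))
    print("matches published value:", matches(SAMPLE_DER, PUBLISHED))
```

The comparison only establishes trust if the published fingerprint reached you over a channel independent of the certificate download itself.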