Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID




Open Source Client Cert Installation and Device Configuration Tool Pilot Project

What is InCert?
Developed in partnership with Indiana University with assistance from the University of Virginia, InCert is the open source solution to one of the primary obstacles to large-scale implementation of client certificates: installation and lifecycle management of the certificates on the client device(s). Moreover, InCert is architected to be a full-service end user device network on-boarding tool with the ability to perform functions such as setting device security policies, performing network registration functions, configuring wireless and VPN profiles, and a wealth of other campus-configured services. Currently in Beta, we are actively seeking campuses to participate in a pilot of the existing functionality and/or to contribute to the expansion of the service. If your campus would like to be considered for participation in the InCert Pilot Program, or if you have any questions, please send email to: incert-info AT internet2 DOT edu.

Why use InCert?
While InCert can be used without client certificates, one of InCert's primary purposes is to ease the complications associated with the use of digital certificates for a variety of standard assurance applications including web authentication (typically to the campus SSO environment), wireless LAN authentication, VPN authentication, signed electronic mail, and other PKI-enabled applications that leverage the native operating system certificate store. Some common certificate-enabled applications and their requirements are discussed in the Client Certificate Deployment Roadmap document. InCert effectively enables the use of client certificates and their strong anti-phishing characteristics by fully automating certificate installation and application configuration for the end user.

InCert will perform tasks (depending upon client platform) such as obtaining certificates for the user, installing them in the appropriate key store(s) on the user's workstation, installing intermediate certificates (as needed), handling certificate life-cycle management, and configuring appropriate workstation applications to use certificates for authentication.

InCert is designed to be customizable by each campus for their particular environment via configuration files located on a central server as opposed to coding changes.

InCert was developed using InCommon's Client Certificate Service but can be adapted for use with other Certificate Authorities (CA) by writing replacement back-end CA interface code.

NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.


NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.

What Is InCert?

InCert is free/open source software product available from Internet2/InCommon. Campuses can use to install client certs on user devices. InCert can also be used to apply a default configuration to the device, for example to ensure that devices require a password for access, etc.

What Sort of "Devices" Does InCert Support?

InCert works best on computers running Microsoft Windows Vista, 7, or 8. A subset of InCert capabilities are also available on Mac OS/X computers, and on Apple devices running IOS. Android, Linux and other operating systems aren't currently supported.

What's The Concept for How InCert Would Be Used?

In most instances, sites will offer InCert to users via a link on a secure campus web site. After logging in, users would download an InCert installer (or a signed XML bundle, in the case of Mac OS/X and IOS), which will then bootstrap the system's configuration and/or the installation of client certificates, running against a locally-hosted configuration server and client cert proxy gateway.

What Are These "Client Certificate" Things You Keep Mentioning?

Client certs (sometimes called "personal certs" or "PKI certs") are used by some sites as a way to do secure user authentication without relying just on passwords. Client certs can also be used for S/MIME signing or encrypting email. Sites can use locally-generated client certs, or client certs from the InCommon Certificate Program.

We Note That This Is A "Pilot" Program. What Does That Mean?

InCert is a brand new tool. As such, we need the community's help in testing and proving its soundness. This pilot program is the vehicle by which a small number (six to twelve) interested campuses will be able to help with those trials. If you choose to help, please recognize that you may/will likely encounter bugs, as in any new software. There may also be functionality that may be missing. For example, InCert can't currently support Android or Linux, and client certs are only installed in the default system cert store, and not also in secondary certificate stores such as the one internal to/used by Firefox/Thunderbird.

I'd Like to Help Improve InCert, Or Change How It Configures Our Users' Systems.

As an open source project, we welcome contributions from the community. InCert source code will be available from GitHub. It's under an Apache 2.0 open source license. When it comes to tailoring how InCert configures user devices, InCert was designed to be modular, so you can omit any steps you don't want or need, or extend InCert with new unique functionality needed by/developed locally on your campus.

Why Is InCommon/Internet2 Making InCert available?

InCommon/Internet2 believe that client certificates are an important security technology that should be more widely used in higher education. While there are other products that can be used to drop certs on user devices (such as XpressConnect™ from CloudPath, a popular commercial product in use on many campuses, or the Eduroam Configuration Assistant Tool, an installer that's focused primarily on installing the certificates that Eduroam requires), InCommon/Internet2 wanted to offer a general purpose and readily extensible open source tool to support use of client certs on campus.

How Can My Campus Participate in the Pilot? What If We Have Questions?

If your campus would like to be considered for participation in the InCert Pilot Program, or if you have any questions, please send email to: incert-info AT internet2 DOT edu (obviously any interested site can also simply download, install, and begin to use the software directly from GitHub, when available).

InCert v0.5 includes the following functionality. Future plans are for additional functionality and support for Android devices.

  1. Windows: Native client for Microsoft Windows 8, Windows 7, and Windows Vista. The client directly configures the workstation.
  2. Apple: Web service for Apple OS X (Lion and later) and iOS devices (iOS 4 and later). The web service provides a signed configuration profile.
      Windows Apple   Android (draft)
Functional Area #
8[1] 7 Vista iOS OSX  
Certificate Management 1 Install a certificate and private key in PKCS12 format into the user's native store. This includes the installation of intermediate certificates, handling user authentication, etc. X X X X X X
2 On each user login, check if certificate will expire in the next 30 days. If so, prompt the user to obtain a new certificate. X X X     [5]
Network Device On-Boarding Process 3 Download profile and configure wireless for EAP-TLS for Campus SSID X X X X X X
4 Download profile and configure wireless for EAP-TLS for eduroam SSID X X X X X X
5 Download and configure other campus wireless profiles X X X X X X
6 Computer MAC address registration (Wired and Wireless). X X X     [5]
7 Ability for the user to rerun the tool as needed to fix settings (without obtaining a new certificate each time). X X X     [5]
8 Customizable MSI installer. X X X      
9 XML-driven utility configuration with XSD schema. X X X      
10 Create a restore point. X X X      
Device Security 11 Configure the workstation's firewall (if exists) X X X     [5]
12 Enforce a passcode or password policy; if the user deletes this policy requirement, delete the certificate; enforce an inactivity timeout. [2] X X X X X[3] X
13 Configure a password-protected screen saver. X X X   X[4] X
14 Require password-based workstation login. X X X      
15 Configure Windows Update. X X X      
16 Apply native VPN profile support (if exists)           [5]


  1. Windows RT excluded.
  2. For iOS & OS X, a default passcode/password policy of >= 4 characters with a 5 minute timeout is used. For other options, see
  3. For OS X, the password policy cannot be enforced until the user attempts to change their password.
  4. For OS X, a logout or restart is required for the screen saver policy to take effect.
  5. Desired functionality

NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.


InCommon® Client Certificate Deployment Roadmap