About eduPKI

eduPKI was a response to the need for better coordination to address security requirements of the services being developed in the project. Examples of services that can use eduPKI include SA2 connectivity services and eduroam, plus future services that will have security and trust requirements.


Digital certificates are issued by Certification Authorities (CAs) and are widely used to guarantee secure and reliable communication between servers, users, or between a user and a server. Examples of this are: a user connecting to a Web server securely using a web browser; or two users exchanging an email securely.


Federating existing Certification Authorities (CAs)

eduPKI builds on existing NREN CA services, federating them to make all participating CAs available to GÉANT’s services. A federated approach brings increased efficiency since a number of national CAs are already well-established and used within the NREN environment.


eduPKI aims to enable GÉANT services to obtain digital certificates from CAs operated by NRENs participating in the project that meet those services' requirements. Europe’s NRENs are encouraged to join the federated eduPKI service. While eduPKI relies on existing national CAs where possible, it operates a dedicated CA for test purposes and supports users belonging to an NREN that does not provide any CA service.


eduPKI structure​

To achieve its goal eduPKI offers three main facilities:

  • Policy Management Authority (PMA): Defines procedures to assess GÉANT services' requirements and categorises them into profiles and procedures to assess existing national CA operations against the agreed profiles.

  • A dedicated Certification Authority (eduPKI CA) for operations of GÉANT Services: Operated by DFN for test purposes and to support those GÉANT Services that cannot rely on a CA managed by an NREN (or equivalent service like e.g. TCS).

  • TACAR (Trusted Academic Certificate Authority Repository): Stores and distributes the eduPKI-participating Certificate Authority's root certificates (including the eduPKI CA root) in a secure manner.​