The Queensland Government PKI Policy Authority (QGPKIPA) has commenced an exit strategy for the QGPKI and all associated products and services.
Following a review of the PKI policy and position for Queensland Government, the QGPKIPA has formed the view that the increased maturity, capability and capacity to provide PKI solution within the market place and the development of a range of alternative approaches to authentication and authorisation within ICT ecosystems has increased the viability of federated architectures for security and reduced the benefits of an holistic whole-of-government PKI approach.
As such the QGPKIPA has authorised CITEC to cease all new QGPKI certificate issuing and only maintain the minimum capability to support existing clients until such time as they can cease reliance on existing QGPKI infrastructure.
The current PKI policy and position are being reviewed for repeal and agency Chief Information Officers will be informed once the Queensland Government Chief Information Officer approval has been sought.
Once the documents have been repealed they will be placed in the QGEA Knowledge Base, located on the QGCIO portal.
Accordingly, as per communication to all agency CIOs, effective 1 August 2013, CITEC will no longer offer QGPKI services to Queensland Government Agencies.
Documentation for CA Repositories hosted on the Whole of Government PKI Repository Service can be located by navigating the relevant hierarchy from the Root CA down. The QGPKI provides for Root CAs in the following environments. Use the links below to begin navigating through the QGPKI hierarchy.
- QGPKI Production Environment Root CA
- QGPKI Test Environment Root CA
- QGPKI Development Environment Root CA
- QGPKI Production Environment Rudimentary Root CA
- QGPKI Test Environment Rudimentary Root CA
- QGPKI Development Environment Rudimentary Root CA
No new SSL certificates will be issued from 1st August 2013. From this date, clients can source SSL certificates from a commercial provider.
Where applicable, for existing Queensland Government Agency users, CITEC will continue to support current SSL certificates until 30 November 2014.
CITEC will continue to offer the DNS Service with QGPKI names resolvable until such time as:
- the existing Queensland Government Agencies have migrated from the QGPKI and resolution to items including CRL’s are agreed to no longer be required; or
- CITEC has arranged for delegation of the PKI and PKI-alt subdomains to enable the Queensland Government Agencies continued resolution of CA Repository information (e.g. CRLs).
- CITEC will cease offering the CA Repository Service effective 1 August 2013.
- Where applicable, for existing Queensland Government Agency users, CITEC will continue to support the CA Repository Service until 30 November 2014.
OCSP Reverse Proxy
- CITEC will cease offering the OCSP Reverse Proxy Service effective 1 August 2013.
- Where applicable, for existing Queensland Government Agency users, CITEC will continue to support the OCSP Reverse Proxy Service until 30 November 2014.
- CITEC will cease offering CA Signing Service effective 1 August 2013.
- CITEC will commence revoking CA’s under the PKI hierarchy effective 1 January 2014. Where applicable, should existing Queensland Government Agency users require a CA to remain operational post 1 January 2014, a written request will need to be made to CITEC prior to 30 November 2013.
- It is to be noted that charges will apply for CA’s which remain in operation post 31 December 2013.
The aforementioned timeframes are in line with the QGPKI Migration Plans issued to the QGPKI PA by Queensland Government Agencies with current CA’s under the QGPKI hierarchy.
Agencies seeking information or assistance from the QGPKIPA should approach the secretariat in the first instance at QGPKIPA@qld.gov.au
Agencies seeking assistance with QGPKI services should contact PKI-Services@citec.com.au.