diff --git a/enrol/lti/db/install.php b/enrol/lti/db/install.php
new file mode 100644
index 00000000000..73db17a3963
--- /dev/null
+++ b/enrol/lti/db/install.php
@@ -0,0 +1,40 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Post installation code for enrol_lti.
+ *
+ * @package    enrol_lti
+ * @copyright  2022 Jake Dallimore <jrhdallimore@gmail.com>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+/**
+ * Stub for database installation.
+ */
+function xmldb_enrol_lti_install() {
+    global $CFG, $OUTPUT;
+
+    // LTI 1.3: Set a private key for this site (which is acting as a tool in LTI 1.3).
+    require_once($CFG->dirroot . '/enrol/lti/upgradelib.php');
+
+    $warning = enrol_lti_verify_private_key();
+    if (!empty($warning)) {
+        echo $OUTPUT->notification($warning, 'notifyproblem');
+    }
+}
diff --git a/enrol/lti/db/install.xml b/enrol/lti/db/install.xml
index c724a4be149..8c3383f038e 100644
--- a/enrol/lti/db/install.xml
+++ b/enrol/lti/db/install.xml
@@ -9,6 +9,7 @@
         <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
         <FIELD NAME="enrolid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="contextid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="ltiversion" TYPE="char" LENGTH="15" NOTNULL="true" DEFAULT="LTI-1p3" SEQUENCE="false"/>
         <FIELD NAME="institution" TYPE="char" LENGTH="40" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="lang" TYPE="char" LENGTH="30" NOTNULL="true" DEFAULT="en" SEQUENCE="false"/>
         <FIELD NAME="timezone" TYPE="char" LENGTH="100" NOTNULL="true" DEFAULT="99" SEQUENCE="false"/>
@@ -23,6 +24,9 @@
         <FIELD NAME="roleinstructor" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="rolelearner" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="secret" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="uuid" TYPE="char" LENGTH="36" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="provisioningmodelearner" TYPE="int" LENGTH="2" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="provisioningmodeinstructor" TYPE="int" LENGTH="2" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
       </FIELDS>
@@ -30,6 +34,7 @@
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
         <KEY NAME="enrolid" TYPE="foreign" FIELDS="enrolid" REFTABLE="enrol" REFFIELDS="id"/>
         <KEY NAME="contextid" TYPE="foreign" FIELDS="contextid" REFTABLE="context" REFFIELDS="id"/>
+        <KEY NAME="uuid" TYPE="unique" FIELDS="uuid"/>
       </KEYS>
     </TABLE>
     <TABLE NAME="enrol_lti_users" COMMENT="User access log and gradeback data">
@@ -39,6 +44,7 @@
         <FIELD NAME="toolid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
         <FIELD NAME="serviceurl" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="sourceid" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="ltideploymentid" TYPE="int" LENGTH="10" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="consumerkey" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="consumersecret" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="membershipsurl" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
@@ -183,5 +189,112 @@
         <KEY NAME="consumerid" TYPE="foreign" FIELDS="consumerid" REFTABLE="enrol_lti_lti2_consumer" REFFIELDS="id"/>
       </KEYS>
     </TABLE>
+    <TABLE NAME="enrol_lti_app_registration" COMMENT="Details of each application that has been registered with the tool">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="name" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false" COMMENT="Common name to identify this platform to users"/>
+        <FIELD NAME="platformid" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The issuer URL"/>
+        <FIELD NAME="clientid" TYPE="char" LENGTH="1333" NOTNULL="true" SEQUENCE="false" COMMENT="The clientid string, generated by the platform when setting up the tool."/>
+        <FIELD NAME="platformclienthash" TYPE="char" LENGTH="64" NOTNULL="true" SEQUENCE="false" COMMENT="SHA256 hash of the platformid (issuer) and clientid, application generated"/>
+        <FIELD NAME="authenticationrequesturl" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The authorisation endpoint of the platform"/>
+        <FIELD NAME="jwksurl" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The JSON Web Key Set URL for the platform"/>
+        <FIELD NAME="accesstokenurl" TYPE="text" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="platformclienthash" UNIQUE="true" FIELDS="platformclienthash"/>
+      </INDEXES>
+    </TABLE>
+    <TABLE NAME="enrol_lti_deployment" COMMENT="Each row represents a deployment of a tool within a platform.">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="name" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false" COMMENT="A short name identifying the tool deployment to users"/>
+        <FIELD NAME="deploymentid" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the deployment, as defined in the platform"/>
+        <FIELD NAME="platformid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The platformid to which this deployment belongs"/>
+        <FIELD NAME="legacyconsumerkey" TYPE="char" LENGTH="255" NOTNULL="false" SEQUENCE="false" COMMENT="The legacy consumer key mapped to this deployment, if the deployment represents a migrated tool."/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="platformid" TYPE="foreign" FIELDS="platformid" REFTABLE="enrol_lti_app_registration" REFFIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="platformid-deploymentid" UNIQUE="true" FIELDS="platformid, deploymentid"/>
+      </INDEXES>
+    </TABLE>
+    <TABLE NAME="enrol_lti_resource_link" COMMENT="Each row represents a resource link for a platform and deployment">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="resourcelinkid" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false" COMMENT="The platform-and-deployment-unique id of the resource link"/>
+        <FIELD NAME="ltideploymentid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the enrol_lti_deployment record containing the deployment information."/>
+        <FIELD NAME="resourceid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the local enrol_lti_tools record containing information about the published resource to which this resource link relates."/>
+        <FIELD NAME="lticontextid" TYPE="int" LENGTH="10" NOTNULL="false" SEQUENCE="false" COMMENT="The id of the enrol_lti_context record containing information about the context from which this resource link originates."/>
+        <FIELD NAME="lineitemsservice" TYPE="char" LENGTH="1333" NOTNULL="false" SEQUENCE="false" COMMENT="The URL for the line items service for this resource link"/>
+        <FIELD NAME="lineitemservice" TYPE="char" LENGTH="1333" NOTNULL="false" SEQUENCE="false" COMMENT="The URL for the line item service (if only one line item present)."/>
+        <FIELD NAME="lineitemscope" TYPE="char" LENGTH="255" NOTNULL="false" SEQUENCE="false" COMMENT="The ags line items authorization scope"/>
+        <FIELD NAME="resultscope" TYPE="char" LENGTH="255" NOTNULL="false" SEQUENCE="false" COMMENT="The ags result authorization scope"/>
+        <FIELD NAME="scorescope" TYPE="char" LENGTH="255" NOTNULL="false" SEQUENCE="false" COMMENT="The ags score items authorization scope"/>
+        <FIELD NAME="contextmembershipsurl" TYPE="char" LENGTH="1333" NOTNULL="false" SEQUENCE="false" COMMENT="The NRPS membership URL"/>
+        <FIELD NAME="nrpsserviceversions" TYPE="char" LENGTH="255" NOTNULL="false" SEQUENCE="false" COMMENT="The NRPS supported service versions"/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="ltideploymentid" TYPE="foreign" FIELDS="ltideploymentid" REFTABLE="enrol_lti_deployment" REFFIELDS="id"/>
+        <KEY NAME="lticontextid" TYPE="foreign" FIELDS="lticontextid" REFTABLE="enrol_lti_context" REFFIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="resourcelinkid-ltideploymentid" UNIQUE="true" FIELDS="resourcelinkid, ltideploymentid"/>
+      </INDEXES>
+    </TABLE>
+    <TABLE NAME="enrol_lti_context" COMMENT="Each row represents a context in the platform, where resource links are added within a deployment.">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="contextid" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the context on the platform"/>
+        <FIELD NAME="ltideploymentid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the enrol_lti_deployment record containing the deployment information."/>
+        <FIELD NAME="type" TYPE="text" NOTNULL="false" SEQUENCE="false" COMMENT="The type of the context on the platform"/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="timemodified" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="ltideploymentid" TYPE="foreign" FIELDS="ltideploymentid" REFTABLE="enrol_lti_deployment" REFFIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="ltideploymentid-contextid" UNIQUE="true" FIELDS="ltideploymentid, contextid"/>
+      </INDEXES>
+    </TABLE>
+    <TABLE NAME="enrol_lti_user_resource_link" COMMENT="Join table mapping users to resource links as this is a many:many relationship">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="ltiuserid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the enrol_lti_users record"/>
+        <FIELD NAME="resourcelinkid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The id of the enrol_lti_resource_link record."/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="ltiuserid" TYPE="foreign" FIELDS="ltiuserid" REFTABLE="enrol_lti_users" REFFIELDS="id"/>
+        <KEY NAME="resourcelinkid" TYPE="foreign" FIELDS="resourcelinkid" REFTABLE="enrol_lti_resource_link" REFFIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="ltiuserid-resourcelinkid" UNIQUE="true" FIELDS="ltiuserid, resourcelinkid"/>
+      </INDEXES>
+    </TABLE>
+    <TABLE NAME="enrol_lti_reg_token" COMMENT="Holds the value and lifespan of the token used to secure the dynamic registration initiation endpoint.">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="token" TYPE="char" LENGTH="60" NOTNULL="true" SEQUENCE="false" COMMENT="The value of the token."/>
+        <FIELD NAME="expirytime" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false" COMMENT="The time after which this token is deemed invalid and another must be generated."/>
+        <FIELD NAME="timecreated" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+      </KEYS>
+    </TABLE>
   </TABLES>
 </XMLDB>
diff --git a/enrol/lti/db/upgrade.php b/enrol/lti/db/upgrade.php
index 70288977bf7..b054928320f 100644
--- a/enrol/lti/db/upgrade.php
+++ b/enrol/lti/db/upgrade.php
@@ -37,7 +37,8 @@
  * @return boolean
  */
 function xmldb_enrol_lti_upgrade($oldversion) {
-    global $CFG;
+    global $CFG, $OUTPUT, $DB;
+    $dbman = $DB->get_manager();
 
     // Automatically generated Moodle v3.6.0 release upgrade line.
     // Put any upgrade step following this.
@@ -51,5 +52,271 @@ function xmldb_enrol_lti_upgrade($oldversion) {
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
 
+    if ($oldversion < 2021052501) {
+        // LTI 1.3: Set a private key for this site (which is acting as a tool in LTI 1.3).
+        require_once($CFG->dirroot . '/enrol/lti/upgradelib.php');
+
+        $warning = enrol_lti_verify_private_key();
+        if (!empty($warning)) {
+            echo $OUTPUT->notification($warning, 'notifyproblem');
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052501, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052502) {
+        // Define table enrol_lti_app_registration to be created.
+        $table = new xmldb_table('enrol_lti_app_registration');
+
+        // Adding fields to table enrol_lti_app_registration.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('name', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('platformid', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
+        $table->add_field('clientid', XMLDB_TYPE_CHAR, '1333', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('platformclienthash', XMLDB_TYPE_CHAR, '64', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('authenticationrequesturl', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
+        $table->add_field('jwksurl', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
+        $table->add_field('accesstokenurl', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timemodified', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_app_registration.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+
+        // Add unique index on platformclienthash.
+        $table->add_index('platformclienthash', XMLDB_INDEX_UNIQUE, ['platformclienthash']);
+
+        // Conditionally launch create table for enrol_lti_app_registration.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052502, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052503) {
+        // Add a new column 'ltiversion' to the enrol_lti_tools table.
+        $table = new xmldb_table('enrol_lti_tools');
+
+        // Define field ltiversion to be added to enrol_lti_tools.
+        $field = new xmldb_field('ltiversion', XMLDB_TYPE_CHAR, 15, null, XMLDB_NOTNULL, null, "LTI-1p3", 'contextid');
+
+        // Conditionally launch add field ltiversion, setting it to the legacy value for all published content.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+            $DB->set_field('enrol_lti_tools', 'ltiversion', 'LTI-1p0/LTI-2p0');
+        }
+
+        // Define field uuid to be added to enrol_lti_tools.
+        $field = new xmldb_field('uuid', XMLDB_TYPE_CHAR, 36, null, null, null, null, 'ltiversion');
+
+        // Conditionally launch add field uuid, setting it to null for existing rows.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+            $key = new xmldb_key('uuid', XMLDB_KEY_UNIQUE, ['uuid']);
+            $dbman->add_key($table, $key);
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052503, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052504) {
+        // Define table enrol_lti_deployment to be created.
+        $table = new xmldb_table('enrol_lti_deployment');
+
+        // Adding fields to table enrol_lti_deployment.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('name', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('deploymentid', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('platformid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timemodified', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_deployment.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+        $table->add_key('platformid', XMLDB_KEY_FOREIGN, ['platformid'], 'enrol_lti_app_registration', ['id']);
+
+        // Add unique index on platformid (issuer), deploymentid.
+        $table->add_index('platformid-deploymentid', XMLDB_INDEX_UNIQUE, ['platformid', 'deploymentid']);
+
+        // Conditionally launch create table for enrol_lti_deployment.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052504, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052505) {
+        // Add a new column 'ltideploymentid' to the enrol_lti_users table.
+        $table = new xmldb_table('enrol_lti_users');
+
+        // Define field ltideploymentid to be added to enrol_lti_users.
+        $field = new xmldb_field('ltideploymentid', XMLDB_TYPE_INTEGER, '10', null, null, null, null, 'sourceid');
+
+        // Conditionally launch add field deploymentid.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Launch add key ltideploymentid.
+        $key = new xmldb_key('ltideploymentid', XMLDB_KEY_FOREIGN, ['ltideploymentid'], 'enrol_lti_deployment', ['id']);
+        $dbman->add_key($table, $key);
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052505, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052506) {
+        // Define table enrol_lti_resource_link to be created.
+        $table = new xmldb_table('enrol_lti_resource_link');
+
+        // Adding fields to table enrol_lti_resource_link.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('resourcelinkid', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('resourceid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('ltideploymentid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('lticontextid', XMLDB_TYPE_INTEGER, '10', null, null, null, null);
+        $table->add_field('lineitemsservice', XMLDB_TYPE_CHAR, '1333', null, null, null, null);
+        $table->add_field('lineitemservice', XMLDB_TYPE_CHAR, '1333', null, null, null, null);
+        $table->add_field('lineitemscope', XMLDB_TYPE_CHAR, '255', null, null, null, null);
+        $table->add_field('resultscope', XMLDB_TYPE_CHAR, '255', null, null, null, null);
+        $table->add_field('scorescope', XMLDB_TYPE_CHAR, '255', null, null, null, null);
+        $table->add_field('contextmembershipsurl', XMLDB_TYPE_CHAR, '1333', null, null, null, null);
+        $table->add_field('nrpsserviceversions', XMLDB_TYPE_CHAR, '255', null, null, null, null);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timemodified', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_resource_link.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+        $table->add_key('ltideploymentid', XMLDB_KEY_FOREIGN, ['ltideploymentid'], 'enrol_lti_deployment', ['id']);
+        $table->add_key('lticontextid', XMLDB_KEY_FOREIGN, ['lticontextid'], 'enrol_lti_context', ['id']);
+
+        // Add unique index on resourcelinkid, ltideploymentid.
+        $table->add_index('resourcelinkdid-ltideploymentid', XMLDB_INDEX_UNIQUE, ['resourcelinkid', 'ltideploymentid']);
+
+        // Conditionally launch create table for enrol_lti_resource_link.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052506, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052507) {
+        // Define table enrol_lti_context to be created.
+        $table = new xmldb_table('enrol_lti_context');
+
+        // Adding fields to table enrol_lti_context.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('contextid', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('ltideploymentid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('type', XMLDB_TYPE_TEXT, null, null, null, null, null);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timemodified', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_context.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+        $table->add_key('ltideploymentid', XMLDB_KEY_FOREIGN, ['ltideploymentid'], 'enrol_lti_deployment', ['id']);
+
+        // Add unique index on ltideploymentid, contextid.
+        $table->add_index('ltideploymentid-contextid', XMLDB_INDEX_UNIQUE, ['ltideploymentid', 'contextid']);
+
+        // Conditionally launch create table for enrol_lti_context.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        upgrade_plugin_savepoint(true, 2021052507, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052508) {
+        // Define table enrol_lti_user_resource_link to be created.
+        $table = new xmldb_table('enrol_lti_user_resource_link');
+
+        // Adding fields to table enrol_lti_user_resource_link.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('ltiuserid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('resourcelinkid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_user_resource_link.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+        $table->add_key('ltiuserid', XMLDB_KEY_FOREIGN, ['ltiuserid'], 'enrol_lti_users', ['id']);
+        $table->add_key('resourcelinkid', XMLDB_KEY_FOREIGN, ['resourcelinkid'], 'enrol_lti_resource_link', ['id']);
+
+        // Add unique index on userid, resourcelinkid.
+        $table->add_index('ltiuserid-resourcelinkid', XMLDB_INDEX_UNIQUE, ['ltiuserid', 'resourcelinkid']);
+
+        // Conditionally launch create table for enrol_lti_user_resource_link.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+        upgrade_plugin_savepoint(true, 2021052508, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052512) {
+        // Define field legacyconsumerkey to be added to enrol_lti_deployment.
+        $table = new xmldb_table('enrol_lti_deployment');
+        $field = new xmldb_field('legacyconsumerkey', XMLDB_TYPE_CHAR, '255', null, null, null, null, 'platformid');
+
+        // Conditionally launch add field legacyconsumerkey.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        upgrade_plugin_savepoint(true, 2021052512, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052513) {
+        // Define table enrol_lti_reg_token to be created.
+        $table = new xmldb_table('enrol_lti_reg_token');
+
+        // Adding fields to table enrol_lti_reg_token.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('token', XMLDB_TYPE_CHAR, '60', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('expirytime', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('timecreated', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+
+        // Adding keys to table enrol_lti_reg_token.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+
+        // Conditionally launch create table for enrol_lti_reg_token.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        upgrade_plugin_savepoint(true, 2021052513, 'enrol', 'lti');
+    }
+
+    if ($oldversion < 2021052514) {
+        // Add a new column 'provisioningmodelearner' to the enrol_lti_tools table.
+        $table = new xmldb_table('enrol_lti_tools');
+
+        // Define field provisioningmodelearner to be added to enrol_lti_tools.
+        $field = new xmldb_field('provisioningmodelearner', XMLDB_TYPE_INTEGER, 2, null, null, null, null, 'uuid');
+
+        // Conditionally launch add field provisioningmodelearner.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Define field provisioningmodeinstructor to be added to enrol_lti_tools.
+        $field = new xmldb_field('provisioningmodeinstructor', XMLDB_TYPE_INTEGER, 2, null, null, null, null,
+            'provisioningmodelearner');
+
+        // Conditionally launch add field provisioningmodeinstructor.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2021052514, 'enrol', 'lti');
+    }
+
     return true;
 }
diff --git a/enrol/lti/upgradelib.php b/enrol/lti/upgradelib.php
new file mode 100644
index 00000000000..db0e419989c
--- /dev/null
+++ b/enrol/lti/upgradelib.php
@@ -0,0 +1,62 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+/**
+ * This file contains functions used by upgrade and install.
+ *
+ * Because this is used during install it should not include additional files.
+ *
+ * @package   enrol_lti
+ * @copyright 2021 Jake Dallimore <jrhdallimore@gmail.com>
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+/**
+ * This function checks if a private key has been generated for this enrolment instance.
+ *
+ * If the key does not exist it generates a new one. If the openssl
+ * extension is not installed or configured properly it returns a warning message.
+ *
+ * @return string A warning message if a private key does not exist and cannot be generated.
+ */
+function enrol_lti_verify_private_key() {
+
+    $name = 'lti_13_kid';
+    $key = get_config('enrol_lti', $name);
+
+    // If we already generated a valid key, no need to check.
+    if (empty($key)) {
+        // Create the private key.
+        $kid = bin2hex(openssl_random_pseudo_bytes(10));
+        set_config($name, $kid, 'enrol_lti');
+        $config = array(
+            "digest_alg" => "sha256",
+            "private_key_bits" => 2048,
+            "private_key_type" => OPENSSL_KEYTYPE_RSA,
+        );
+        $res = openssl_pkey_new($config);
+        openssl_pkey_export($res, $privatekey);
+
+        if (!empty($privatekey)) {
+            set_config('lti_13_privatekey', $privatekey, 'enrol_lti');
+        } else {
+            return get_string('opensslconfiginvalid', 'enrol_lti');
+        }
+    }
+
+    return '';
+}
diff --git a/enrol/lti/version.php b/enrol/lti/version.php
index 70dfc34e91b..3b633f35ef8 100644
--- a/enrol/lti/version.php
+++ b/enrol/lti/version.php
@@ -24,6 +24,9 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2021052500; // The current plugin version (Date: YYYYMMDDXX).
+$plugin->version = 2021052514; // The current plugin version (Date: YYYYMMDDXX).
 $plugin->requires = 2021052500; // Requires this Moodle version.
 $plugin->component = 'enrol_lti'; // Full name of the plugin (used for diagnostics).
+$plugin->dependencies = [
+    'auth_lti' => 2021100500, // The auth_lti authentication plugin version 2021100500 or higher must be present.
+];