NEbraskaCERT Certificate Authority
Transcript of NEbraskaCERT Certificate Authority
Slide 1 (August CSF)
NEbraskaCERT Certificate Authority
Matthew G. Marsh, 08/20/03
Slide 2
Overview
Public Key Infrastructure (PKI)
– What
– Why
Certificate Authority
– What is it
– How does it work
OpenSSL Software
– Keys and configuration files
– Script examples
Q&A
Slide 3
PKI - What
– PKI (Public Key Infrastructure) refers to the structure that enables binding an identity to an object. Actual discussion and implementation details are beyond the scope of this talk. Basically, PKI is all defined in the details, and it takes into account mechanisms and concepts that are far removed from actual technical manipulation.
"I hope you believe you understand what you think I said, but I'm not sure you realize that what you've heard is not what I meant." – President Richard Nixon
Slide 4
Certificate Authority - CA
What is it
– The Certification Authority (CA) represents the trusted third party that issues keys and certificates to end users and manages the certificate life cycle, including generation, revocation, expiration, and renewal.
Slide 5
CA - X.509
ITU-T Recommendation X.509 [ITU-T 97]
• Several different end-entity certificates are defined in X.509:
– Personal certificates represent individuals (ex: secure e-mail)
– Server certificates represent services (ex: HTTPS web server)
– Developer certificates sign software or related objects
• A certificate binds an identity to a public key. The certificate includes:
– the name of the person (the subject)
– their public key
– a digital signature sealing the data
The digital signature is added by the Certificate Authority (CA). Certificate authorities exist to confirm the relationship between an identity and a public key.
• X.509 also defines certificate authority certificates, which identify the third-party organizations entrusted to validate the identity of a certificate requestor.
– CA certificates contain the authority name, a public key, and a digital signature (self-signed in the case of a root CA)
Slide 6
Certificate Authority - CA
– Certificate authorities confirm the relationship between requestors and their public keys
– Certificate authorities publish the public keys used to verify end-entity certificates
– The verification process uses the public key of the authority that issued the certificate to validate the digital signature
– CA certificates are critical to close the circle of trust
– ROOT certificate = X.509 CA certificate
– ALL CAs by definition have "self-signed" ROOT certificates!!
Slide 7
CA in a Nutshell
– End user generates a Certificate Signing Request (CSR) and sends the CSR to the CA for approval
– Submit $$, get a signed certificate
– Typically a one-year duration; theoretically no time limit for expiration
– End user uses the certificate
FILM AT 11...
Slide 8
CA in a Nutshell
CA requirements
– You must publish your root CA certificate
– You must publish the revocation list (CRL)
– You must display a certificate's details given its serial number
– You must provide a method to submit certificate requests
All this can be done using Apache and some PHP
Slide 9
OpenSSL
– Full SSL library with support programs
– SSL v2/v3
– TLS v1
– Latest version is 0.9.7b, released April 10, 2003
– Core utility is the "openssl" binary
– Performs all operations needed for X.509
– Many other operations available as well
– Supports multiple configuration files
– CA configuration
– Standard configuration
Slide 10
OpenSSL - Config File - CA
Traditionally /usr/local/ssl/openssl.cnf. For the NEbraskaCERT CA:

    [ req ]
    default_bits       = 2048
    default_keyfile    = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key
    default_md         = sha1
    default_days       = 365
    prompt             = no
    distinguished_name = NEbraskaCERT_CA_NAME
    x509_extensions    = NEbraskaCERT_CA_extensions

    [ NEbraskaCERT_CA_NAME ]
    commonName             = NEbraskaCERT Certificate Authority
    stateOrProvinceName    = Nebraska
    countryName            = US
    emailAddress           = [email protected]
    organizationName       = NEbraskaCERT
    organizationalUnitName = Certificate Authority

    [ NEbraskaCERT_CA_extensions ]
    basicConstraints = CA:true
Slide 11
OpenSSL - Config File - Sign

    [ ca ]
    default_ca = NEbraskaCERT_CA

    [ NEbraskaCERT_CA ]
    dir              = /data/network/NEbraskaCERT-CA
    certificate      = $dir/NEbraskaCERT-CA.crt
    database         = $dir/index.txt
    new_certs_dir    = $dir/certificates
    private_key      = $dir/key/NEbraskaCERT-CA.key
    serial           = $dir/serial
    default_crl_days = 7
    default_days     = 365
    default_md       = sha1
    policy           = NEbraskaCERT_CA_Policy
    x509_extensions  = certificate_extensions

    [ NEbraskaCERT_CA_Policy ]
    commonName             = supplied
    stateOrProvinceName    = supplied
    countryName            = supplied
    emailAddress           = supplied
    organizationName       = supplied
    organizationalUnitName = optional

    [ certificate_extensions ]
    basicConstraints = CA:false
Slide 12
OpenSSL - Scripts
Setup.sh

    export OPENSSL_CONF=/data/network/NEbraskaCERT-CA/NEbraskaCERT.CA.conf
    export PATH=/usr/local/ssl/bin:$PATH

Source it (".") into the running shell, or use a dedicated signing user. Note that you could have other config files.
SIGN.sh

    /usr/local/ssl/bin/openssl ca -in "$1" -notext -out "${1%.req}.crt"

Obviously a bash/ksh shell script ;-}
Slide 13
OpenSSL - Try it...
Generate a key:

    /usr/local/ssl/bin/openssl genrsa -out www.mysecure.com.key 1024

Generate a CSR:

    /usr/local/ssl/bin/openssl req -new -key www.mysecure.com.key -out www.mysecure.com.req

Send the CSR to the CA.
CA inspects the CSR:

    /usr/local/ssl/bin/openssl req -noout -text -in www.mysecure.com.req

CA signs the CSR:

    /usr/local/ssl/bin/openssl ca -in www.mysecure.com.req -notext -out www.mysecure.com.crt
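The following is an added example, not one of the NEbraskaCERT CA's own scripts: it runs the whole procedure of slides 10 through 13 (CA config, root key and self-signed root certificate, end-user key and CSR, inspection, signing with "openssl ca"), and then the two steps the talk lists as CA requirements but does not script, publishing a CRL (slide 8) and verifying an issued certificate against the root and the CRL (slide 6). The scratch directory, the subject names, the host www.mysecure.com and the 10-year root lifetime are assumptions for the demo. It deliberately departs from the 2003 slides in three places a practitioner would now insist on: sha256 instead of sha1 (SHA-1 signatures are no longer accepted by browsers or the CA/Browser Forum), 2048-bit leaf keys instead of 1024, and explicit keyUsage/extendedKeyUsage/subjectAltName extensions on the leaf, supplied from a file the CA controls rather than copied from the request.

```shell
#!/bin/sh
# Added example, not the NEbraskaCERT CA's own scripts: a minimal private CA
# run through "openssl ca", covering slides 10-13 end to end.
# Assumptions: scratch dir, "Example Root CA" subject, www.mysecure.com host,
# 10-year root. Departures from the slides: sha256, 2048-bit keys, explicit
# keyUsage/SAN extensions on issued certificates.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # assumption: scratch dir for the demo

# Create the layout "openssl ca" expects (dir, database, new_certs_dir,
# serial, as on slide 11) and write the req + ca configuration it reads.
build_ca() {
    mkdir -p "$CA_DIR/certificates" "$CA_DIR/key"
    : > "$CA_DIR/index.txt"          # empty certificate database
    echo 1000 > "$CA_DIR/serial"     # next serial number (hex)
    cat > "$CA_DIR/ca.conf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
certificate      = \$dir/ca.crt
private_key      = \$dir/key/ca.key
database         = \$dir/index.txt
new_certs_dir    = \$dir/certificates
serial           = \$dir/serial
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName          = supplied
organizationName    = supplied
countryName         = supplied
stateOrProvinceName = optional
emailAddress        = optional
EOF
    openssl genrsa -out "$CA_DIR/key/ca.key" 2048 2>/dev/null
    # Self-signed root; CA:true and keyCertSign come from [ca_ext].
    openssl req -new -x509 -config "$CA_DIR/ca.conf" -extensions ca_ext \
        -key "$CA_DIR/key/ca.key" -days 3650 \
        -subj "/C=US/ST=Nebraska/O=Example CA/CN=Example Root CA" \
        -out "$CA_DIR/ca.crt"
}

# End-user side (slide 13): private key plus CSR for a host, no prompts.
make_csr() {
    openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/$1.key" \
        -subj "/C=US/O=Example Org/CN=$1" -out "$CA_DIR/$1.req"
}

# CA side: inspect the CSR, then sign it. Leaf extensions come from a
# per-request file the CA writes, never from the requestor.
sign_csr() {
    openssl req -noout -text -in "$CA_DIR/$1.req" > "$CA_DIR/$1.req.txt"
    printf '%s\n' '[ leaf ]' 'basicConstraints = CA:false' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$1" \
        > "$CA_DIR/$1.ext"
    openssl ca -batch -config "$CA_DIR/ca.conf" -notext \
        -extfile "$CA_DIR/$1.ext" -extensions leaf \
        -in "$CA_DIR/$1.req" -out "$CA_DIR/$1.crt"
}

# Publish the CRL (slide 8); regenerate it after every revocation.
gen_crl() {
    openssl ca -config "$CA_DIR/ca.conf" -gencrl -out "$CA_DIR/ca.crl"
}

revoke_cert() {
    openssl ca -config "$CA_DIR/ca.conf" -revoke "$CA_DIR/$1.crt"
    gen_crl
}

# Relying party (slide 6): chain to the root and check the CRL; 0 if valid.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check \
        -CRLfile "$CA_DIR/ca.crl" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Guard: an issued leaf must never carry CA:TRUE.
leaf_is_not_ca() {
    openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Usage: source the file, then run `build_ca`, `make_csr www.mysecure.com`, `sign_csr www.mysecure.com`, `gen_crl` and `verify_cert www.mysecure.com` in that order; after `revoke_cert www.mysecure.com` the same `verify_cert` call fails, which is the check a relying party performs against the published CRL. The inspection output lands in `www.mysecure.com.req.txt` in the scratch directory, and `index.txt` there is the certificate database the slide-8 "details by serial number" page would read.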
Slide 14
Q & A
Slide 15
This is The