NEbraskaCERT Certificate Authority


Transcript of NEbraskaCERT Certificate Authority

Page 1: NEbraskaCERT Certificate Authority

Slide 1, August CSF

NEbraskaCERT Certificate Authority

Matthew G. Marsh, 08/20/03

Slide 2

Overview

Public Key Infrastructure (PKI)
– What
– Why

Certificate Authority
– What is it
– How does it work

OpenSSL Software
– Keys and configuration files
– Script Examples

Q&A

Slide 3

PKI

What
– PKI (Public Key Infrastructure) refers to the structure that enables binding identity to objects. Actual discussion and implementation details are beyond the scope of this talk. Basically PKI is all defined in the details and takes into account mechanisms and concepts that are far removed from actual technical manipulation.

"I hope you believe you understand what you think I said, but I'm not sure you realize that what you've heard is not what I meant." – President Richard Nixon

Slide 4

Certificate Authority - CA

What is it
– The Certification Authority (CA) represents the trusted third party that issues keys and certificates to end users and manages the certificate life cycle including generation, revocation, expiration, and renewal.

Slide 5

CA - x.509

ITU-T Recommendation X.509 [ITU-T 97]

• Several different end-entity certificates defined in x.509
– Personal certificates represent individuals (ex: secure e-mail)
– Server certificates represent services (ex: HTTPS Web server)
– Developer certificates sign software or related objects

• A certificate binds an identity to a public key.
– Certificate includes the name of the person
– Their public key
– Digital Signature sealing the data

Digital Signature is added by the Certificate Authority (CA). Certificate authorities exist to confirm the relationship between an identity and a public key.

• x.509 also defines certificate authority certificates which identify third party organizations entrusted to validate the identity of a certificate requestor.

– CA certificates contain the authority name, a public key, and digital signature (self-signed)

Slide 6

Certificate Authority - CA

Certificate authorities confirm the relationship between requestors and their public keys

Certificate authorities publish public keys used to verify end-entity certificates

The verification process uses the public key of the authority that issued the certificate to validate the digital signature

CA certificates are critical to close the circle of trust

ROOT Certificate
– x.509 CA Certificate

ALL CAs by definition have "Self Signed" ROOT Certificates!!

Slide 7

CA in a Nutshell

EndUser generates Certificate Signing Request (CSR)

Sends CSR to CA for Approval
– Submit $$

Get Signed Certificate
– Typically a one year duration
– Theoretically no time limit for expiration

Uses Certificate

FILM AT 11...

Slide 8

CA in a Nutshell

CA requirements
– You must publish your root CA Certificate

– You must publish the revocation list

– You must display a certificate's detail given a serial number

– You must provide a method to submit certificate requests

All this can be done using Apache and some PHP

Slide 9

OpenSSL

Full SSL library with support programs
– SSL v2/v3
– TLS v1

Latest version is 0.9.7b released April 10, 2003

Core utility is "openssl" binary
– Performs all operations needed for x.509
– Many other operations available as well

Supports multiple configuration files
– CA Configuration
– Standard configuration

Slide 10

OpenSSL - Config File - CA

Traditionally /usr/local/ssl/openssl.conf

For the NEbraskaCERT CA:

[ req ]
default_bits = 2048
default_keyfile = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key
default_md = sha1
default_days = 365
prompt = no
distinguished_name = NEbraskaCERT_CA_NAME
x509_extensions = NEbraskaCERT_CA_extensions

[ NEbraskaCERT_CA_NAME ]
commonName = NEbraskaCERT Certificate Authority
stateOrProvinceName = Nebraska
countryName = US
emailAddress = [email protected]
organizationName = NEbraskaCERT
organizationalUnitName = Certificate Authority

[ NEbraskaCERT_CA_extensions ]
basicConstraints = CA:true

Slide 11

OpenSSL - Config File - Sign

[ ca ]
default_ca = NEbraskaCERT_CA

[ NEbraskaCERT_CA ]
dir = /data/network/NEbraskaCERT-CA
certificate = $dir/NEbraskaCERT-CA.crt
database = $dir/index.txt
new_certs_dir = $dir/certificates
private_key = $dir/key/NEbraskaCERT-CA.key
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = NEbraskaCERT_CA_Policy
x509_extensions = certificate_extensions

[ NEbraskaCERT_CA_Policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

Slide 12

OpenSSL - Scripts

Setup.sh

export OPENSSL_CONF=/data/network/NEbraskaCERT-CA/NEbraskaCERT.CA.conf

export PATH=/usr/local/ssl/bin:$PATH

Source it (.) into the running shell, or use a dedicated signing user. Note that you could have other config files.

SIGN.sh

/usr/local/ssl/bin/openssl ca -in $1 -notext -out ${1%.req}.crt

Obviously a bash/ksh shell script ;-}

Slide 13

OpenSSL - Try it...

Generate a Key
/usr/local/ssl/bin/openssl genrsa -out www.mysecure.com.key 1024

Generate a CSR
/usr/local/ssl/bin/openssl req -new -key www.mysecure.com.key -out www.mysecure.com.req

Send CSR to CA

CA Inspects CSR
/usr/local/ssl/bin/openssl req -noout -text -in www.mysecure.com.req

CA Signs CSR
/usr/local/ssl/bin/openssl ca -in www.mysecure.com.req -notext -out www.mysecure.com.crt
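The config layout of slides 10 and 11, the OPENSSL_CONF trick of slide 12, the key/CSR/sign cycle of slide 13 and the revocation list slide 8 says a CA must publish, run end to end as an added example (my script, not the talk's own Setup.sh or SIGN.sh): a throwaway CA under a temporary directory, with every path, section name and the www.example.test subject constructed for the demo. It swaps sha256 for the slides' sha1 and uses -subj and -batch in place of the interactive prompts.

```shell
#!/bin/sh
# Added example, not the talk's own scripts: a throwaway CA laid out like the
# slides' config and run through key -> CSR -> sign -> verify -> CRL (all paths constructed).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
CA_ROOT=$(mktemp -d)
export OPENSSL_CONF="$CA_ROOT/ca.conf"   # the same trick Setup.sh uses on slide 12
setup_ca() {
  mkdir -p "$CA_ROOT/key" "$CA_ROOT/certificates"
  : > "$CA_ROOT/index.txt"; echo 01 > "$CA_ROOT/serial"; echo 01 > "$CA_ROOT/crlnumber"
  cat > "$OPENSSL_CONF" <<EOF
[ req ]
prompt = no
distinguished_name = ca_name
x509_extensions = ca_ext
[ ca_name ]
commonName = Scratch Test CA
[ ca_ext ]
basicConstraints = critical, CA:true
[ ca ]
default_ca = scratch_ca
[ scratch_ca ]
dir = $CA_ROOT
certificate = \$dir/ca.crt
database = \$dir/index.txt
new_certs_dir = \$dir/certificates
private_key = \$dir/key/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_days = 7
default_md = sha256
policy = ca_policy
x509_extensions = leaf_ext
[ ca_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:false
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$CA_ROOT/key/ca.key" -out "$CA_ROOT/ca.crt" 2>/dev/null  # self-signed root: [ req ] plus -x509
}
issue_and_check() {   # slide 13's cycle; -subj and -batch stand in for the interactive prompts
  openssl genrsa -out "$CA_ROOT/www.key" 2048 2>/dev/null
  openssl req -new -key "$CA_ROOT/www.key" -subj "/CN=www.example.test" -out "$CA_ROOT/www.req"
  openssl ca -batch -notext -in "$CA_ROOT/www.req" -out "$CA_ROOT/www.crt" 2>/dev/null
  openssl verify -CAfile "$CA_ROOT/ca.crt" "$CA_ROOT/www.crt" >/dev/null   # chain closes at our root
  openssl ca -gencrl -out "$CA_ROOT/ca.crl" 2>/dev/null   # the (still empty) revocation list to publish
}
issued_serial() { openssl x509 -in "$CA_ROOT/www.crt" -noout -serial; }   # prints serial=01
setup_ca && issue_and_check && echo "issued $(issued_serial); $(grep -c '^V' "$CA_ROOT/index.txt") valid in index.txt"
```

After a run, index.txt holds one V (valid) row for the issued certificate, and ca.crl is the file a CA would serve at its published CRL location.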

Slide 14

Q & A

Slide 15

This is The