PKI Administration Using EJBCA and OpenCA
Page 1
Presented by: Ayesha Ghori and Asra Parveen
Page 2
PKI: Public Key Infrastructure
A trusted third party.
Secure communication.
Provides digital certificates that identify an individual or an organization.
Stores and revokes certificates.
Provides services such as encryption, digital signatures, data integrity, key establishment, and zero-knowledge/minimum-knowledge protocols.
Page 3
PKI Components
Certificate Authority: a CA issues certificates to entities and vouches for their authenticity.
Registration Authority: an RA is the administrative function that registers entities in the PKI.
End entity: an end entity is a user of the PKI, such as an e-mail client, a web server, a web browser or a VPN gateway.
Page 4
PKI Hierarchy (diagram)
Top CA: GMU CA
Sub CAs under the top CA: GMU Fairfax CA, GMU Manassas CA, GMU PW Campus CA
RA instances, one per sub CA: GMU Fairfax, GMU Manassas, GMU PW Campus
Administrators: Super Administrator; CA Administrators for GMU Fairfax, GMU Manassas and GMU PW; RA Administrators for GMU Fairfax, GMU Manassas and GMU PW
Page 5
EJBCA and OpenCA Software Requirements
Software requirements of EJBCA:
Java JDK 1.5 – Java 2 Platform Standard Development Kit.
Apache Ant – Java build utility, used to compile and build Java programs.
JBoss 4.0.5 – J2EE application server.
EJBCA download.
Software requirements of OpenCA:
OpenLDAP.
OpenSSL.
Apache Project.
Apache mod_ssl.
Page 6
EJBCA
EJBCA is a fully functional Certificate Authority built in Java.
Based on J2EE technology.
Robust, high-performance, component-based CA; flexible and platform independent.
EJBCA can be used standalone or integrated into any J2EE application.
Page 7
EJBCA: Architecture (diagram)
Page 8
EJBCA Administration
Creating and initializing the Super Administrator
Creating and configuring data sources
Creating publishers
Creating Certificate Authorities
Creating Registration Authorities
Creating end entities
Creating CRLs
Generating certificates
Page 9
The EJBCA Super Admin Certificate (screenshot)
Page 10
OpenCA
Linux based.
Provides a choice of algorithms: des, des3, idea.
Extensions provided: Subject Key Identifier (SKI) and Authority Key Identifier (AKI).
In addition to the PKI components of EJBCA, OpenCA also has a Registration Authority Operator.
Page 11
OpenCA: Architecture (diagram)
Page 12
OpenCA Administration
Initializing the Certification Authority
Create the initial administrator
Create the initial RA Certificate
Submit a Certificate Request
Approve the Certificate
Issue the Certificate
Importing the Root Certificate
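The administration steps on pages 8 and 12 describe the same certificate lifecycle whichever product drives it. The following shell script, added here as an illustration and not part of the slides or of either project, runs that lifecycle with the plain OpenSSL CLI (one of OpenCA's listed requirements) for a two-tier hierarchy like the one on page 4: a self-signed top CA, a subordinate campus CA, an end-entity certificate issued from a CSR, chain verification, and finally revocation with a CRL, the manual step the comparison slides contrast with EJBCA's automatic CRL updates. The names GMU CA, GMU Fairfax CA and alice, the pki_* function names and the pki.cnf layout are this example's own assumptions; it needs the openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the slides. Two-tier hierarchy like page 4 built with
# the OpenSSL CLI. Names (GMU CA, GMU Fairfax CA, alice) and the pki_* helper
# names are illustrative; all keys are generated fresh in a temporary directory.

# Config for CSR generation, the CA/end-entity extension profiles, and the
# 'openssl ca' database used for revocation and CRL issuance.
pki_write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
# Self-signed top CA: CA:TRUE plus a Subject Key Identifier (page 10's SKI).
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Subordinate CA: same, plus an Authority Key Identifier (AKI) naming the
# issuer's key so a verifier can locate the parent certificate.
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# End entity: explicitly not a CA, signing use only.
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# 'openssl ca' settings for the sub CA (index.txt is its issuance database).
[ ca ]
default_ca = sub_ca
[ sub_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/sub.crt
private_key = $dir/sub.key
serial = $dir/sub.srl
crlnumber = $dir/crlnumber
default_md = sha256
EOF
}

# Initialise both CAs and issue one end-entity certificate in directory $1.
pki_build() (
  set -e
  cd "$1"
  pki_write_config .
  mkdir -p newcerts
  : > index.txt
  echo 01 > crlnumber
  # Top CA: key plus self-signed certificate ("Initializing the CA" on page 12).
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out root.key
  openssl req -new -x509 -config pki.cnf -key root.key -subj "/CN=GMU CA" \
    -days 3650 -sha256 -extensions root_ext -out root.crt
  # Sub CA: its CSR is signed by the top CA with the CA profile.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out sub.key
  openssl req -new -config pki.cnf -key sub.key -subj "/CN=GMU Fairfax CA" -out sub.csr
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile pki.cnf -extensions ca_ext -out sub.crt
  # End entity: the request an RA would approve before the sub CA issues it.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out alice.key
  openssl req -new -config pki.cnf -key alice.key -subj "/CN=alice" -out alice.csr
  openssl x509 -req -in alice.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions leaf_ext -out alice.crt
)

# Exit 0 when alice.crt chains to the top CA through the sub CA.
pki_verify_chain() (
  cd "$1" && openssl verify -CAfile root.crt -untrusted sub.crt alice.crt
)

# Revoke alice.crt at the sub CA and publish a CRL (the manual step the
# comparison slides contrast with EJBCA's automatic CRL updates).
pki_revoke() (
  set -e
  cd "$1"
  openssl ca -config pki.cnf -revoke alice.crt
  openssl ca -config pki.cnf -gencrl -crldays 30 -out sub.crl
)

# Exit 0 only if CRL-aware verification now rejects the certificate; a relying
# party that skips the CRL check would still accept it.
pki_check_revoked() (
  cd "$1"
  if openssl verify -crl_check -CAfile root.crt -CRLfile sub.crl \
       -untrusted sub.crt alice.crt; then
    return 1
  fi
  return 0
)

# Whole lifecycle in a fresh temporary directory.
pki_demo() {
  d=$(mktemp -d)
  pki_build "$d"
  pki_verify_chain "$d" && echo "chain verifies before revocation"
  pki_revoke "$d"
  pki_check_revoked "$d" && echo "revoked certificate rejected via CRL"
  rm -rf "$d"
}

pki_demo
```

Run the script directly to see both messages. The last check is the point that matters operationally: a relying party that validates the chain but never consults the CRL (or OCSP, which both products offer) keeps trusting a revoked certificate, which is why CRL creation appears on the administration slides as a routine task rather than an afterthought.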
Page 13
User Certificate (screenshot)
Pages 14 to 16
Comparison

| Parameter | EJBCA | OpenCA |
|---|---|---|
| Ease of configuration | Very complex | Complex |
| Confidentiality | Offers confidentiality using encryption | Offers confidentiality using encryption |
| Integrity | Offers integrity by encryption | Offers integrity by encryption |
| Authentication | Offers authentication by digital signature | Offers authentication by digital signature |
| Non-repudiation | Yes | Yes |
| Ability to choose the algorithm to use | Yes | Yes |
| OCSP | Yes | Yes |
| Ability to choose CSP | Yes | No |
| CRL updates | Automatic | Manual |
| Cost | Free | Free |
| Extensions | Yes | Yes |
| LDAP support | Yes | Yes |
| Support for smart cards | Yes | No |
| Platform | Java J2EE | Perl CGI on Unix |
| Certificate repositories | HSQL | MySQL |
| Modules | EJB | Perl modules |
| Component based | Yes | Yes |
| Standalone component | Present | Not present |
| Supported browsers | Multiple | Multiple |
| Scalability | Good | Bad |
Page 17
Conclusion
EJBCA is the simplest to use, although installation is complex; it provides automatic CRL updates.
OpenCA is the best choice for Linux users; revocations are manual.
Both can be used by various clients.