SSL Certificates at UIUC - PowerPoint PPT Presentation

1
SSL Certificates at UIUC
12/14/2004
Bob Foertsch
Campus Information Technologies and Educational Services
University of Illinois at Urbana-Champaign
2
Overview
  • What is SSL? How does it work?
  • What is an SSL Certificate? Why are they used?
  • How is one created? What makes it unique?
  • Are certificates good forever? How do you keep them
    valid?
  • UIUC operational issues
  • Ordering
  • Cost
  • Support

3
What is SSL?
SSL (pronounced as separate letters) is short for
Secure Sockets Layer, a protocol developed in
1996 by Netscape for transmitting private
documents via the Internet. SSL works by using a
private key to encrypt data that's transferred
over the SSL connection. By convention, URLs that
require an SSL connection start with https
instead of http.
4
SSL Protocol
The exchange between the client side and the server side:
  • Hello? The client initiates a connection.
  • Server Digital ID: the server responds by sending
    the client its Digital ID. The server may also
    request the client's Digital ID for client
    authentication.
  • Client Digital ID: the client verifies the server's
    Digital ID. If requested by the server, the client
    sends its Digital ID.
  • Session key: when the authentication is complete,
    the client sends the server a session key encrypted
    using the server's public key.
  • Once a session key is established, secure
    communications commence between client and server.
5
Why use an SSL Certificate?
  • Confirms that you are who you say you are in a
    virtual world.
  • Encrypts information sent to and from your web
    server.
  • Information exchanged with you is private and
    entirely protected from being viewed or
    tampered with.

6
What is in the SSL Certificate?
  • The domain for which the certificate was issued.
  • The legal owner of the certificate.
  • The physical location of the owner.
  • The validity dates of the certificate.
  • The server's public key.

7
What is all this key business?
When you create a certificate request, your web
server generates two unique cryptographic keys:
  • The Public Key, which is also known as a
    Certificate Signing Request (CSR) file
  • The Private Key file
Public-Key Cryptography is typically used to protect
the session key used by the asymmetric encryption
algorithm. The Public Key is used to encrypt the
session key, which in turn is used to encrypt some
data, and the Private Key is used for decryption.
The most important thing you can do to protect your
certificate and the security of your web site is to
back up your Private Key!
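The key handling described on slides 4 and 7, carried out step by step with the openssl command line. This is an added example and not part of the presentation; it assumes a POSIX shell and OpenSSL 1.1.1 or later, and the work directory, file names and the sample message are constructed for the demonstration. The server's public key protects a random session key, the session key protects the data, and only the server's private key can recover either.

```shell
#!/bin/sh
# Added example, not from the presentation: the session-key exchange of slides 4 and 7
# done step by step with the openssl command line. Assumes a POSIX shell and
# OpenSSL 1.1.1 or later; the work directory, file names and the sample message are
# constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server side: the key pair. The public half is what ends up in the CSR and the
# certificate (slide 6); the private half never leaves the server.
make_server_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  chmod 600 "$WORK/server.key"
  openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
}

# Client side (slide 4, session-key step): pick a random session key and encrypt it
# with the server's PUBLIC key, then protect the actual data with the session key.
client_send_session_key() {
  openssl rand -hex 32 > "$WORK/session.key"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/session.key" -out "$WORK/session.key.enc"
  # Constructed sample message; bulk data is encrypted with the symmetric session key.
  printf 'grade roster for CS101\n' > "$WORK/data.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/session.key" \
    -in "$WORK/data.txt" -out "$WORK/data.enc"
}

# Server side: only the PRIVATE key can unwrap the session key, which then decrypts
# the data. Prints the recovered plaintext.
server_recover_data() {
  openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/session.key.enc" -out "$WORK/session.key.recovered"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/session.key.recovered" \
    -in "$WORK/data.enc"
}

# Slide 15: "public key useless without private key". Unwrapping the session key with
# only server.pub must fail; returns 0 when it does fail, 1 if it unexpectedly worked.
recovery_without_private_key_fails() {
  if openssl pkeyutl -decrypt -pubin -inkey "$WORK/server.pub" \
       -pkeyopt rsa_padding_mode:oaep \
       -in "$WORK/session.key.enc" -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

# Stand-alone demonstration.
make_server_keys
client_send_session_key
server_recover_data
recovery_without_private_key_fails && echo "public key alone cannot recover the session key"
```

The last function is the point of the slide's backup advice: anything wrapped for the server's public key is unreadable once the private key is gone, so the key file deserves restricted permissions and an offline backup. Note that the example mirrors the RSA key-transport model the slides describe; current TLS versions instead derive the session key with an ephemeral key agreement and use the certificate only to authenticate the server.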
8
Generating a CSR
A CSR cannot be generated without generating a
Private Key file, nor can the Private Key file be
generated without generating a CSR file. In
certain web server software platforms like
Microsoft IIS, both are generated simultaneously
through the Wizard on the web server. Typically,
you will be prompted to enter the following
information about your Organization in order to
generate the Private Key and CSR pair from the
web server:
  • Organization Name
  • Organizational Unit
  • Country Code
  • State or Province
  • Locality
  • Common Name
9
CSR MUSTs
Generate your Certificate Signing Request (CSR)
and back up your private key. There are some
fields in your CSR that need to have exact
values:
  • Country code: US
  • State or province: Illinois
  • Locality or city: Urbana
  • Organizational name: University of Illinois
Note: Do not include "http://" or "https://" in your
common name.
10
Submit a CSR
-----BEGIN CERTIFICATE REQUEST-----
MIICLjCCAZcCAQAwgb4x
CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEP
MA0GA1UEBxMGVXJiYW5hMR8wHQYDVQQKExZVbml2
ZXJzaXR5IG9mIElsbGlub2lz
MSAwHgYDVQQLExdDSVRFUyBTZWN1cml0eSBTZXJ2aWNlczEmMC
QGA1UEAxMdd3d3LXMuY2l0ZXMtc2VjdXJp
dHkudWl1Yy5lZHUxIDAeBgkqhkiG9w0BCQEWEXNlY3Vy
aXR5QHVpdWMuZWR1MIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCvO3O8H/i
aGMRJaU9bB4Zu2Q6ToQeLmgsOdAbMd7wtcL1kNzpsPiwTriNp
LmjXitn9l3SyBP9ChIZAvwEojW2sRqcTn
vFhvSQbrbRCQlrN/IblbETzeYqLMgCnz1EWtJb686dNt
lUGYuTr4fN0uj3JbqgVOtdFFINlzg/DI5wIDAQAB
oC8wEwYJKoZIhvcNAQkCMQYT
BFVJVUMwGAYJKoZIhvcNAQkHMQsTCTEyM1FXRWFzZDANBgkqhk
iG9w0BAQQFAAOBgQCR3f1xlWFzqJ3eLQTW
/rbNIXotYmjyN1WNayQK9KIWUPrE1Vb76/JxI102nfNU
nDC4ABpx17RzSRnU314ePPJVIyE8wtjfvT/K70K
7jrrTdq72OKq8qKDAVEp4m8
V7SW1xYEQ4DjJptWmKhK3tv6ClinGUD4ql5P6ozLza3Hg
-----END CERTIFICATE REQUEST-----
11
View a CSR
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu/emailAddress=security@uiuc.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                    1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                    de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                    92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                    0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                    06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                    a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                    41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                    d1:45:20:d9:73:83:f0:c8:e7
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
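Generating the key and CSR pair of slide 8, viewing it as on slide 11, and checking the subject against the "CSR MUSTs" of slide 9, with the openssl command line. This is an added example and not part of the presentation; it assumes a POSIX shell and OpenSSL 1.1.1 or later. The organizational unit and host name are the ones shown on slide 11, while the work directory and file names are constructed for the example. The request is signed with SHA-256 rather than the MD5 shown in the slide output, since MD5 signatures are no longer accepted.

```shell
#!/bin/sh
# Added example, not from the presentation: generate a key and CSR with the openssl
# command line and check the CSR against the "CSR MUSTs" on slide 9.
# Assumes a POSIX shell and OpenSSL 1.1.1 or later. The OU and host name are the ones
# shown on slide 11; the work directory and file names are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Slide 8: the private key and the CSR are produced together. -nodes leaves the key
# unencrypted, so restrict its permissions and back it up (slide 7). SHA-256 replaces
# the MD5 signature shown on slide 11, which is no longer accepted.
make_csr() {
  cn=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=Illinois/L=Urbana/O=University of Illinois/OU=CITES Security Services/CN=$cn" \
    2>/dev/null
  chmod 600 "$WORK/server.key"
}

# Slide 11: view the request in readable form (subject, public key, signature algorithm).
view_csr() {
  openssl req -in "$WORK/server.csr" -noout -text
}

# Extract one subject field (C, ST, L, O, OU or CN) from the CSR, one RDN per line.
csr_field() {
  openssl req -in "$WORK/server.csr" -noout -subject -nameopt sep_multiline \
    | sed -n "s/^ *$1 *= *//p"
}

# Slide 9: the fields that must carry exact values, plus the common-name rule.
check_csr_musts() {
  [ "$(csr_field C)" = "US" ] || { echo "Country code must be US"; return 1; }
  [ "$(csr_field ST)" = "Illinois" ] || { echo "State or province must be Illinois"; return 1; }
  [ "$(csr_field L)" = "Urbana" ] || { echo "Locality must be Urbana"; return 1; }
  [ "$(csr_field O)" = "University of Illinois" ] \
    || { echo "Organizational name must be University of Illinois"; return 1; }
  case "$(csr_field CN)" in
    http://*|https://*) echo "Common name must be a host name, not a URL"; return 1 ;;
    "") echo "Common name is missing"; return 1 ;;
  esac
  echo "CSR subject matches the UIUC requirements"
}

# The public key inside the CSR must be the one derived from the private key on disk;
# a certificate issued for a CSR whose key you do not hold is useless (slide 15).
csr_matches_key() {
  [ "$(openssl req -in "$WORK/server.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Stand-alone demonstration.
make_csr www-s.cites-security.uiuc.edu
view_csr
check_csr_musts
csr_matches_key && echo "CSR public key matches server.key"
```

Run `check_csr_musts` before mailing the request: a CSR rejected for a wrong locality or a URL in the common name costs a round trip with the certificate contact, and a CSR whose key was regenerated in between yields a certificate that will not load.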
12
All good things come to an end
  • Certificates are no longer valid when:
    • private key lost/password forgotten
    • machine name changes
    • server software changes (possibly)
    • after expiration date (our certificate life is
      one year)

13
Certificate is dead or dying
The contact person for the certificate is sent a
renewal notice about 1 month prior to certificate
expiration. Renewals can occur up to 4 weeks
prior to expiration without losing any valid time
IF there are no changes in the core certificate
information. Generally, submission of a new CSR
is required to renew a certificate. Under special
circumstances (usually an emergency) a
certificate can be re-issued at no additional
charge.
14
Renew shortcuts
If the private key is unchanged, some software
permits re-signable CSRs:
  • AbaSioux
  • Alibaba
  • Alibaba 2.x and later
  • Apache-ModSSL
  • Apache-SSL (Ben-SSL, RedHat Linux, not Stronghold)
  • AppleDev
  • BROKAT Twister
  • C2Net Stronghold
  • Dart-based Server
  • Hockey Web Server
  • Innosoft PMDF-TLS
  • Marimba
  • Marimba (SSL)
  • Microsoft Authenticode
  • NCSA or NCSA Derivative Server
  • Netscape Code Signing
  • OpenSSL-based web server
  • Raven SSL
  • Roxen
  • Secure Socket Relay (SSR - Medcom)
  • Sioux1
  • Spry Web Server
  • Stalker CommuniGatePro
  • Sterling Commerce CONNECT Mailbox
  • TinySSL
  • Web Crossing
  • WebSTAR 4.0 and later
  • WebTen (from Tenon)
15
OOPS! Private key lost/overwritten
  • No longer can have validated SSL connections
  • Public key useless without private key
  • Remedy - generate a new private/public key pair
    and request a new certificate. In general, if the
    core information in the CSR is unchanged, a new
    certificate can be re-issued at no additional
    charge.
  • Remember, keep your private key safe and secure!
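The lifecycle checks behind slides 12 to 15, done with the openssl command line: detecting that a certificate is inside the renewal window, deriving a renewal CSR from an unchanged private key, and confirming that a key file actually belongs to a certificate. This is an added example and not part of the presentation; it assumes a POSIX shell and OpenSSL 1.1.1 or later, a self-signed certificate stands in for one issued through the campus certificate contact, and the work directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the presentation: the certificate-lifecycle checks behind
# slides 12 to 15 with the openssl command line. Assumes a POSIX shell and OpenSSL 1.1.1
# or later. A self-signed certificate stands in for one issued by the campus certificate
# contact; the work directory and file names are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

RENEWAL_WINDOW=$((28 * 86400))   # slide 13: renewals accepted up to 4 weeks before expiry

# Produce a key and a certificate valid for $1 days (self-signed, for the example only).
issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/C=US/ST=Illinois/L=Urbana/O=University of Illinois/CN=www-s.cites-security.uiuc.edu" \
    2>/dev/null
}

# Slides 12 and 13: returns 0 if the certificate is still valid $1 seconds from now,
# 1 if it expires within that window (the moment to act on the renewal notice).
valid_beyond() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend "$1" >/dev/null
}

# Slide 14: with the private key unchanged, a renewal CSR can be derived from the
# existing certificate instead of retyping the subject fields. Returns 0 when the
# resulting request verifies.
renewal_csr_from_cert() {
  openssl x509 -x509toreq -in "$WORK/server.crt" -signkey "$WORK/server.key" \
    -out "$WORK/renew.csr" 2>/dev/null
  openssl req -in "$WORK/renew.csr" -noout -verify >/dev/null 2>&1
}

# Slide 15: a certificate is only usable with the private key matching its public key.
# Returns 0 when the key file in $1 belongs to server.crt, 1 otherwise.
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1" -pubout 2>/dev/null)" ]
}

# Stand-alone demonstration.
issue_cert 365
openssl x509 -in "$WORK/server.crt" -noout -subject -dates
if valid_beyond "$RENEWAL_WINDOW"; then
  echo "More than 4 weeks of validity left; nothing to do yet"
else
  echo "Inside the renewal window: submit a renewal CSR now"
fi
renewal_csr_from_cert && echo "Renewal CSR written to $WORK/renew.csr"
cert_matches_key "$WORK/server.key" && echo "server.key matches server.crt"
```

`valid_beyond "$RENEWAL_WINDOW"` is the check to schedule from a cron job or monitoring probe so that the renewal notice is not the only reminder; `cert_matches_key` is the first thing to run when a server refuses to start after a key file was restored from backup, since a mismatch means the key was overwritten and a new pair and CSR are needed, as slide 15 says.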

16
Get a Certificate
-----BEGIN CERTIFICATE-----
MIIDejCCAuOgAwIBAgID
IInqMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYD
VQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx
9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERp
dmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNA
dGhhd3RlLmNvbTAeFw0wNDEw
MTkxODEzMzVaFw0wNTEwMTkxODEzMzVaMIGcMQswCQYDVQQGEw
JVUzERMA8GA1UECBMISWxsaW5vaXMxDzAN
BgNVBAcTBlVyYmFuYTEfMB0GA1UEChMWVW5pdmVyc2l0
eSBvZiBJbGxpbm9pczEgMB4GA1UECxMXQ0lURVMg
U2VjdXJpdHkgU2VydmljZXMx
JjAkBgNVBAMTHXd3dy1zLmNpdGVzLXNlY3VyaXR5LnVpdWMuZW
R1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQCvO3O8H/iaGMRJaU9bB4Zu2Q6ToQeLmgsOdAb
Md7wtcL1kNzpsPiwTriNpLmjXitn9l3SyBP9ChI
ZAvwEojW2sRqcTnvFhvSQbr
bRCQlrN/IblbETzeYqLMgCnz1EWtJb686dNtlUGYuTr4fN0uj3
JbqgVOtdFFINlzg/DI5wIDAQABo4GfMIGc
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA5
BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnRo
YXd0ZS5jb20vVGhhd3RlU2Vy
dmVyQ0EuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAY
YWaHR0cDovL29jc3AudGhhd3RlLmNvbTAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBANKG
T9MFIb3PDTguWXt67OXaX3QZqQbYOXSKmCgDNNOA
AyS22S1HC5pX22alleiUarq
HH0ULb1ZNSN/N883LjWseGexhV1mF8ivMCamyGLfdmZuVli9ks
Q9AD3zxdwG80LrOpsz3jaSci6RhWL9TG
WpwafAaR1DBnG0AuIc7y
-----END CERTIFICATE-----
17
View a Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2132458 (0x2089ea)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Oct 19 18:13:35 2004 GMT
            Not After : Oct 19 18:13:35 2005 GMT
        Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                    1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                    de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                    92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                    0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                    06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                    a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                    41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                    d1:45:20:d9:73:83:f0:c8:e7
                Exponent: 65537 (0x10001)
18
UIUCisms
  • Communication (CSR submission, certificate
    issuance, and support) is done through email
    (certmgr@uiuc.edu).
  • Certificates can be issued to University-owned
    machines in these domains:
    • uiuc.edu
    • illinois.edu
    • prairienet.org
    • uillinois.edu
    • vcrcillinois.org
  • Cost is currently set at 130 per certificate

19
Questions?