NEbraskaCERT Certificate Authority - PowerPoint PPT Presentation

About This Presentation
Title:

NEbraskaCERT Certificate Authority

Slides: 16
Provided by: nebras

Transcript and Presenter's Notes

1
NEbraskaCERT Certificate Authority
  • Matthew G. Marsh
  • 08/20/03

2
Overview
  • Public Key Infrastructure (PKI)
  • What
  • Why
  • Certificate Authority
  • What is it
  • How does it work
  • OpenSSL Software
  • Keys and configuration files
  • Script Examples
  • QA

3
PKI
  • What
  • PKI (Public Key Infrastructure) is the structure that
    binds an identity to a public key, and through that
    key to objects such as messages, servers or software.
    The full discussion and the implementation details
    are beyond the scope of this talk. Most of PKI lives
    in the details: policies, procedures and mechanisms
    that are far removed from the actual technical
    manipulation of keys and certificates.

"I hope you believe you understand what you think
I said, but I'm not sure you realize that what
you've heard is not what I meant."
(President Richard Nixon)
4
Certificate Authority - CA
  • What is it
The Certification Authority (CA) is the trusted
    third party that issues certificates to end users
    and manages the certificate life cycle: generation,
    revocation, expiration and renewal. The end user
    normally generates the key pair locally and sends
    the CA only a signing request, so the CA never
    needs to see the private key.

5
CA - x.509
ITU-T Recommendation X.509 (ITU-T, 1997)
  • Several different end-entity certificates are
    defined in X.509
  • Personal certificates represent individuals (e.g.
    secure e-mail)
  • Server certificates represent services (e.g. an
    HTTPS web server)
  • Developer certificates sign software or related
    objects
  • A certificate binds an identity to a public key.
  • A certificate includes the subject's name
  • The subject's public key
  • A digital signature sealing the data
  • The digital signature is added by the Certificate
    Authority (CA). Certificate authorities exist to
    confirm the relationship between an identity and
    a public key.
  • X.509 also defines certificate authority
    certificates, which identify third-party
    organizations entrusted to validate the identity
    of a certificate requestor.
  • CA certificates contain the authority name, a
    public key and a digital signature (self-signed
    for a root CA; signed by the parent CA for a
    subordinate CA)

6
Certificate Authority - CA
  • Certificate authorities confirm the relationship
    between requestors and their public keys
  • Certificate authorities publish public keys used
    to verify end-entity certificates
  • The verification process uses the public key of
    the authority that issued the certificate to
    validate the digital signature
  • CA certificates are critical to close the circle
    of trust
ROOT Certificate
  • x.509 CA Certificate
  • ALL CAs by definition have "Self Signed" ROOT
    Certificates!!
  • A self-signature proves only that the root holds
    its own private key. Trust in a root has to come
    from outside the PKI: it is installed as a trust
    anchor, obtained through some out-of-band channel,
    and every chain is validated back to it.

7
CA in a Nutshell
  • EndUser generates Certificate Signing Request
    (CSR)
  • Sends CSR to CA for Approval
  • Submit
  • Get Signed Certificate
  • Typically a one year duration
  • Theoretically no time limit for expiration
  • Uses Certificate
  • FILM AT 11...

8
CA in a Nutshell
  • CA requirements
  • You must publish your root CA Certificate
  • You must publish the revocation list
  • You must display a certificate's detail given a
    serial number
  • You must provide a method to submit certificate
    requests
  • All this can be done using Apache and some PHP

9
OpenSSL
  • Full SSL library with support programs
  • SSL v2/v3
  • TLS v1
Latest version (as of this talk) is 0.9.7b,
    released April 10, 2003
  • Core utility is "openssl" binary
  • Performs all operations needed for x.509
  • Many other operations available as well
  • Supports multiple configuration files
  • CA Configuration
  • Standard configuration

10
OpenSSL - Config File - CA
  • Traditionally /usr/local/ssl/openssl.cnf
  • For the NEbraskaCERT CA:

    [ req ]
    default_bits        = 2048
    default_keyfile     = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key
    default_md          = sha1
    default_days        = 365
    prompt              = no
    distinguished_name  = NEbraskaCERT_CA_NAME
    x509_extensions     = NEbraskaCERT_CA_extensions

    [ NEbraskaCERT_CA_NAME ]
    commonName          = NEbraskaCERT Certificate Authority
    stateOrProvinceName = Nebraska
    countryName         = US
    emailAddress        = certificate.administrator@nebraskacert.org
    organizationName    = NEbraskaCERT

  • sha1 was the usual signature digest in 2003; a CA
    set up today should use default_md = sha256, since
    SHA-1 signatures are no longer accepted by browsers

11
OpenSSL - Config File - Sign

    [ ca ]
    default_ca          = NEbraskaCERT_CA

    [ NEbraskaCERT_CA ]
    dir                 = /data/network/NEbraskaCERT-CA
    certificate         = $dir/NEbraskaCERT-CA.crt
    database            = $dir/index.txt
    new_certs_dir       = $dir/certificates
    private_key         = $dir/key/NEbraskaCERT-CA.key
    serial              = $dir/serial
    default_crl_days    = 7
    default_days        = 365
    default_md          = sha1
    policy              = NEbraskaCERT_CA_Policy
    x509_extensions     = certificate_extensions

    [ NEbraskaCERT_CA_Policy ]
    commonName          = supplied
    stateOrProvinceName = supplied

12
OpenSSL - Scripts
  • Setup.sh

    export OPENSSL_CONF=/data/network/NEbraskaCERT-CA/NEbraskaCERT.CA.conf
    export PATH=/usr/local/ssl/bin:$PATH

  • Source it (". Setup.sh") into the running shell, or
    use a dedicated signing user
  • Note that you could have other config files
  • SIGN.sh

    /usr/local/ssl/bin/openssl ca -in $1 -notext -out $1.req.crt

  • Obviously a bash/ksh shell script ;-}

13
OpenSSL - Try it...
  • Generate a Key

    /usr/local/ssl/bin/openssl genrsa -out www.mysecure.com.key 1024

  • Generate a CSR

    /usr/local/ssl/bin/openssl req -new -key www.mysecure.com.key -out www.mysecure.com.req

  • Send CSR to CA
  • CA Inspects CSR

    /usr/local/ssl/bin/openssl req -noout -text -in www.mysecure.com.req

  • CA Signs CSR

    /usr/local/ssl/bin/openssl ca -in www.mysecure.com.req -notext -out www.mysecure.com.crt
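The slide 10 to 13 procedure end to end, as an added example that is not part of the presentation and not the NEbraskaCERT CA's own config or scripts. It assumes only an openssl binary on PATH; the temporary directory, the config section names, the DN values and the host www.example.test are all invented for the example. It uses 2048-bit keys and sha256 where the slides use 1024 bits and sha1 (1024-bit RSA and SHA-1 signatures are no longer acceptable), makes the "CA inspects CSR" step mechanical (self-signature and CN check), lets the CA rather than the requester decide the extensions, and finishes with the revocation list that slide 8 says a CA must publish.

```shell
#!/bin/sh
# Added example, not one of the presentation's scripts: a throwaway CA laid out
# like the [ca] section on slide 11, driven through the slide 12/13 steps
# (setup, key, CSR, inspect, sign) plus the CRL from slide 8. Assumes an
# "openssl" binary on PATH; all names, paths and DN values are invented.
set -eu

# ca_init: create the files the [ca] section expects and mint the self-signed root.
ca_init() {
    CA_DIR=$(mktemp -d)
    export OPENSSL_CONF="$CA_DIR/ca.conf"
    mkdir -p "$CA_DIR/key" "$CA_DIR/certificates"
    : > "$CA_DIR/index.txt"         # certificate database
    echo 01 > "$CA_DIR/serial"       # next certificate serial
    echo 01 > "$CA_DIR/crlnumber"    # next CRL number
    cat > "$OPENSSL_CONF" <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = ca_name
x509_extensions     = ca_ext
[ ca_name ]
commonName          = Example Test CA
organizationName    = Example
[ ca_ext ]
basicConstraints    = critical, CA:true
keyUsage            = critical, keyCertSign, cRLSign
[ ca ]
default_ca          = example_ca
[ example_ca ]
dir                 = $CA_DIR
certificate         = \$dir/ca.crt
private_key         = \$dir/key/ca.key
database            = \$dir/index.txt
new_certs_dir       = \$dir/certificates
serial              = \$dir/serial
crlnumber           = \$dir/crlnumber
default_days        = 365
default_crl_days    = 7
default_md          = sha256
policy              = example_policy
copy_extensions     = none
[ example_policy ]
commonName          = supplied
organizationName    = optional
EOF
    openssl genrsa -out "$CA_DIR/key/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CA_DIR/key/ca.key" -out "$CA_DIR/ca.crt"
}

# gen_csr HOST: the end-user side of slide 13. The private key never leaves here.
gen_csr() {
    openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/$1.key" -subj "/CN=$1/O=Example" -out "$CA_DIR/$1.req"
}

# inspect_csr REQ EXPECTED_CN: verify the CSR's self-signature (proof of key
# possession) and that the CN is the name the requester was authorised for.
inspect_csr() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    cn=$(openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# sign_csr HOST: slide 13's "openssl ca" step. With copy_extensions = none the
# CA decides the extensions, so a CSR cannot smuggle in CA:true or extra names.
sign_csr() {
    cat > "$CA_DIR/$1.ext" <<EOF
[ server_ext ]
basicConstraints    = CA:false
keyUsage            = critical, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = DNS:$1
EOF
    openssl ca -batch -notext -in "$CA_DIR/$1.req" -out "$CA_DIR/$1.crt" \
        -extfile "$CA_DIR/$1.ext" -extensions server_ext 2>/dev/null
}

# revoke_cert CRT: slide 8's "publish the revocation list", as a fresh CRL.
revoke_cert() {
    openssl ca -revoke "$1" 2>/dev/null
    openssl ca -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# verify_cert CRT: chain check against the root; honours ca.crl once it exists.
verify_cert() {
    [ -f "$CA_DIR/ca.crl" ] && set -- -CRLfile "$CA_DIR/ca.crl" -crl_check "$1"
    openssl verify -CAfile "$CA_DIR/ca.crt" "$@" >/dev/null 2>&1
}

main() {
    ca_init
    gen_csr www.example.test
    inspect_csr "$CA_DIR/www.example.test.req" www.example.test
    sign_csr www.example.test
    verify_cert "$CA_DIR/www.example.test.crt" && echo "valid:   www.example.test"
    revoke_cert "$CA_DIR/www.example.test.crt"
    verify_cert "$CA_DIR/www.example.test.crt" || echo "revoked: www.example.test"
}
main
```

Two design points worth noting. The inspect step compares the CSR's CN against the name the requester was authorised for rather than trusting the file name, and checks the CSR's own signature, which is the proof that whoever sent it actually holds the private key. The sign step passes the extensions from the CA side with -extfile and leaves copy_extensions = none, so nothing a requester writes into the CSR (a CA:true basicConstraints, extra subjectAltName entries) reaches the certificate; slide 11's x509_extensions = certificate_extensions serves the same purpose for the NEbraskaCERT CA.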

14
Q &amp; A