Renewal: Simpler or Harder?
Jens Jensen, STFC RAL
GridNet2 / UK e-Science CA / NGS / GridPP
GridNet2
What is it?
• CA issues a new certificate:
  • With the same DN as before
  • With the same key pair as before
• As opposed to rekeying:
  • User generates a new key pair
  • Generates a new CSR
Why is it?
• Conceptually simpler:
  • User doesn't have to be reminded to reapply
  • CA can send cert directly to user
    • Or of course user can download it
• Compare to rekeying:
  • Same mechanics as initial request
  • Except new CSR approved via existing cert
Context
• Grid CAs permit renewals
  • A number of times
  • The number of times depends on private key protection
• Many have it in their CP/CPS
  • Why? … ("must understand the consequences")
  • … but does it work?
• Forget about theory – theory is useless
Investigate…
• Anything with PEM formatted files:
    ~/.globus/usercert.pem
    ~/.globus/userkey.pem
  • Fine, just replace the cert…
• PKCS#12
  • More complicated, but doable
  • Needs access to the encrypted private key
• Browsers
  • IE6, IE7, Mozilla et al., Opera, Safari, …
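An added example, not from the talk: a POSIX sh check that tells a renewal (same DN, key pair unchanged) from a rekey before the "just replace the cert" step touches ~/.globus/usercert.pem. It assumes the openssl CLI is installed; the key and certificate files it generates are constructed sample data, self-signed in place of a real CA.

```shell
#!/bin/sh
# Added example (not from the slides). Before overwriting ~/.globus/usercert.pem,
# decide whether the certificate just received is a renewal (same DN, and it
# matches the private key already on disk) or a rekey (same DN, but the key on
# disk only matches the old cert), and refuse anything else. Assumes the
# openssl CLI is on PATH; paths are parameters, the real ~/.globus is untouched.

# SHA-256 over the DER SubjectPublicKeyInfo carried by a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Same fingerprint derived from a private key, so cert and key can be matched.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# classify_cert OLDCERT NEWCERT KEY -> prints "renewal", "rekey" or "mismatch".
# KEY is the private key currently installed (userkey.pem).
classify_cert() {
  [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ] || { echo mismatch; return 1; }
  if [ "$(cert_pubkey_fp "$2")" = "$(key_pubkey_fp "$3")" ]; then
    echo renewal   # DN and key unchanged: swapping usercert.pem is enough
  elif [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$3")" ]; then
    echo rekey     # new cert needs a new userkey.pem as well
  else
    echo mismatch; return 1   # neither cert belongs to this key: do not install
  fi
}

# Constructed sample data (self-signed, no real CA): an old cert, a renewal on
# the same key, a rekey on a fresh key, and a cert with a different DN.
make_sample_pki() {
  d=$1; dn='/DC=org/DC=example/CN=Test User'
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key1.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key2.pem" 2>/dev/null
  openssl req -x509 -new -key "$d/key1.pem" -subj "$dn" -days 1 -out "$d/old.pem"
  openssl req -x509 -new -key "$d/key1.pem" -subj "$dn" -days 1 -out "$d/renewed.pem"
  openssl req -x509 -new -key "$d/key2.pem" -subj "$dn" -days 1 -out "$d/rekeyed.pem"
  openssl req -x509 -new -key "$d/key2.pem" -subj '/DC=org/DC=example/CN=Other' \
    -days 1 -out "$d/other.pem"
}
```

Only a "renewal" result means the PEM swap the slide describes is safe; a "rekey" result is the case where the encrypted private key (and any PKCS#12 bundle built from it) has to be replaced as well.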
Complications
• Loss of private key
  • Different from initial request and normal rekeying procedure
• Is it really simpler for users?
  • "We know how to rekey…"
• Long term exposure of public key
• Long term exposure of private key
Next Steps Suggested
• Do we really need it…
  • In most cases, no, but why is it permitted?
  • Probably good for exceptional cases (only)
• Even so, we need to know how to do it
  • Test browsers and stuff
• Renew for renewable certificates
  • PEM
  • E.g. (most) host certs
Browsers
• Importing
  • Import and it overwrites the existing cert
  • Adds to the existing cert
  • Does not import
  • Export/convert/import
    • More complicated than rekey
• Removing certificate
  • Deletes private key