Learn about John Douglass, a systems support specialist, and his expertise in developing and managing custom Public Key Infrastructure (PKI) systems. Understand the advantages and disadvantages of building your own PKI and the key factors to consider. Explore browser and operating system compatibility and the use of software certificates vs smartcards.
Rolling Your Own PKI
John Douglass, Systems Support Specialist, Office of Information Technology
Who the heck is this guy?
• Primary developer for the Georgia Tech PKI
• Assisted in the development of the CREN CA Services
• Author of "Papyrus" (now called "Kalamos"), a PHP-based CA application
• Co-author of the GT LAWN wireless authentication system and our residential network registration system, START
Custom vs. Established
• Advantages
  • You are in control of your own destiny
  • Definitely cheaper
  • Can often use tools and methods that your technical groups already understand
• Disadvantages
  • Technical expertise is required
  • User education is PIVOTAL to success
  • Client issues abound (if you don't prepare for them)
So You Have a Custom Root
• Hierarchical vs. flat architecture
• Are you your own root?
• Is anyone besides you a relying party?
• What features of PKI are you attempting to use?
  • Client authentication?
  • Encryption?
  • Object signing?
  • Web server certificates?
• What client software can you support?
Browser and OS Interaction
• Mozilla
  • Multiplatform
  • Utilizes its own internal cert database
  • Can use smartcards via PKCS#11
• Internet Explorer
  • Utilizes operating system cert management (CryptoAPI)
  • Can use smartcards via a vendor CSP (CryptoAPI), not PKCS#11
  • NO cert functions are supported on MacOS
• Safari
  • Utilizes OS cert management via Keychain
  • Can use smartcards via PKCS#11
• Opera
  • Works like Mozilla
OpenSSL is the Core
• OpenSSL was not necessarily designed to BE a CA… but we can force it to be (openssl ca)
• It relies heavily upon a very mysterious configuration file (TBD)
• It utilizes a text file as a "cert database" (index.txt), though there are simple ways around this (TBD)
• It is usable from a system() or exec() call in any scripting language
• Freely available for many OSes
Software Certs vs. Smartcards
Phase 1: Software Certs, Mozilla

• The browser generates the key pair itself with <KEYGEN>, which posts a Netscape SPKAC (signed public key and challenge) rather than a PKCS#10:

    <FORM name="ReqForm" method="POST" action="user-sign-cert.php">
    <KEYGEN NAME="csr" CHALLENGE="challengePassword">
    <INPUT tabindex="3" name="submit" type=submit value="Generate Private Key">
    </FORM>

• user-sign-cert.php writes a request file of key = value lines: the DN components the server decides on (CN and EMAIL are placeholders for the values it fills in) plus the SPKAC it received:

    commonName = CN
    emailAddress = EMAIL
    …
    stateOrProvinceName = Georgia
    countryName = US
    SPKAC = $_POST['csr']

• and hands that file to openssl ca; note that -spkac takes the request file name itself:

    $OPENSSL ca -config $OPENSSL_CONF -name $ca -extensions $extensions -startdate $certStartDate -days $days -spkac $requestFile -out $certFile -key $passphrase -batch

• Caveat: -key puts the CA passphrase on the command line, where ps can see it; -passin (e.g. a file or file descriptor) keeps it out of the process list.
Software Certs vs. Smartcards
Phase 1: Software Certs, Internet Explorer

• Well… ActiveX + VBScript
• You need to designate the DN components yourself (the server fills $DN into the script)
• The key is generated by a CryptoAPI CSP and the browser returns a PKCS#10, which the server signs with openssl ca -in

    <!-- opening tag reconstructed from the script's Document.ReqForm references; the slide does not show its action attribute -->
    <FORM name="ReqForm" method="POST">
    <SCRIPT language="VBScript">
    <!--
    Dim Enroll
    On Error Resume Next
    ' Try the newer XEnroll control first, then fall back to the older one.
    Set Enroll = CreateObject("CEnroll.CEnroll.2")
    If (Err.Number = 438) Or (Err.Number = 429) Then
        Err.Clear
        Set Enroll = CreateObject("CEnroll.CEnroll.1")
    End If
    If Err.Number <> 0 Then
        document.write("<h2 align=center>Can't instantiate the CEnroll control: " & Hex(Err) & "</h2>")
    End If

    ' Fill the CspProvider <SELECT> with the CSPs installed on this machine.
    ' Must run once the form exists (the slide does not show the onload call).
    Function GetProviderList()
        Dim CspList, cspIndex, ProviderName
        On Error Resume Next
        ' initialize all our values
        base = 0
        count = 0
        enhanced = 0
        CspList = ""
        ProviderName = ""
        For ProvType = 0 To 13
            cspIndex = 0
            Enroll.ProviderType = ProvType
            ProviderName = Enroll.enumProviders(cspIndex, 0)
            While ProviderName <> ""
                Set oOption = document.createElement("OPTION")
                oOption.text = ProviderName
                oOption.value = ProvType
                ' This is a personal "hack" to limit the crypto providers
                ' to the Enhanced provider, which can do 1024-bit RSA.
                If ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
                    Document.ReqForm.CspProvider.add(oOption)
                End If
                If ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
                    base = count
                End If
                If ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
                    enhanced = count
                End If
                cspIndex = cspIndex + 1
                ProviderName = ""
                ProviderName = Enroll.enumProviders(cspIndex, 0)
                count = count + 1
            Wend
        Next
        Document.ReqForm.CspProvider.selectedIndex = base
        If enhanced Then
            ' Document.ReqForm.CspProvider.selectedIndex = enhanced
            Document.ReqForm.CspProvider.selectedIndex = 0
        End If
    End Function

    ' Generate a key pair in the selected CSP and return a PKCS#10 for the
    ' server-chosen DN. 1.3.6.1.5.5.7.3.2 is the id-kp-clientAuth EKU OID.
    Function CSR(keyflags)
        CSR = ""
        szName = "<? print($DN); ?>"
        ' Hash for the request's own self-signature only; the CSPs above also accept "SHA1".
        Enroll.HashAlgorithm = "MD5"
        Err.Clear
        On Error Resume Next
        Set options = document.all.CspProvider.options
        index = options.selectedIndex
        Enroll.providerName = options(index).text
        tmpProviderType = options(index).value
        Enroll.providerType = tmpProviderType
        Enroll.KeySpec = 2               ' AT_SIGNATURE
        If tmpProviderType < 2 Then
            Enroll.KeySpec = 1           ' AT_KEYEXCHANGE for PROV_RSA_FULL
        End If
        ' Walk down from the strongest key settings: the high word of GenKeyFlags
        ' is the key length (&h0400 = 1024 bits), bit 0 is CRYPT_EXPORTABLE.
        Enroll.GenKeyFlags = &h04000001 Or keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        If Len(CSR) <> 0 Then Exit Function
        Enroll.GenKeyFlags = &h04000000 Or keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        If Len(CSR) <> 0 Then Exit Function
        If Enroll.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
            MsgBox("The 1024-bit key generation failed. Please upgrade your browser to the latest version.")
            Exit Function
        End If
        Enroll.GenKeyFlags = 2 Or keyflags   ' 2 = CRYPT_USER_PROTECTED
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        If Len(CSR) <> 0 Then Exit Function
        Enroll.GenKeyFlags = keyflags
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
        If Len(CSR) <> 0 Then Exit Function
        Enroll.GenKeyFlags = 0
        CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
    End Function

    Sub REQUEST_OnClick
        Dim Form
        Set Form = Document.ReqForm
        Err.Clear
        result = CSR(2)                  ' CRYPT_USER_PROTECTED: prompt the user on private key use
        If Len(result) = 0 Then
            result = MsgBox("Unable to generate PKCS10.", 0, "Alert")
            Exit Sub
        End If
        Form.csr.value = result
        Form.Submit
    End Sub
    -->
    </SCRIPT>
    <INPUT TYPE="hidden" NAME="csr" VALUE="">
    <input type="hidden" name="cert" value="<? print($certtype); ?>">
    <SELECT NAME="CspProvider"></SELECT>
    <input type="button" name="btnRequest" value="Generate Private Key" onClick="REQUEST_OnClick" language="VBSCRIPT" border=1>
    </FORM>

• Server side, the posted PKCS#10 goes to the same openssl ca call, this time with -in:

    $OPENSSL ca -config $OPENSSL_CONFIG -name $myca -extensions $extensions -startdate $certStartDate -enddate $certEndDate -out $certfile -key $passphrase -in $requestfile -batch
Software Certs vs. Smartcards
Phase 2: Smartcard Certs
• Smartcards
  • If you want to use an open source CA… your vendor almost definitely will need to agree and modify their product.
  • Enter "Kalamos", an XML-RPC based certificate request signing code base.
Right down to it…
• Pick your battles
• Attempt one thing at a time
• Plan as best you can, but expect changes
• Expect limitations