TERENA Server Certificate Service (SCS)
Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, John Dyer
TERENA & members of the community
TNC 2006, Catania
AGENDA
• Motivation for the TERENA SCS
• Project description
• Service Characteristics
• Why join?
The background
• European NREN PKIs around for many years
  - But still not widely deployed
• Anticipated growth in need:
  - AAI middleware services
  - Grids
  - Web-based ‘stuff’ (mail, e-learning, webservices etc.)
  - VPN, email
  - eduroam
• Only major use outside Grids is for Servers
Why have Server Certificates
• Pop-ups
  - Self-issued certificate not recognized by browsers
  - User sees a pop-up
  - Doesn’t check the certificate
  - Clicks YES
  - Could be connected to anything
• In reality subverting the Certificate concept
Problem #2
• Authorized CAs are known to the browsers
• Accreditation of a CA is very expensive
• Certificates are relatively expensive
  - when bought in large numbers on a per-certificate cost
• Our Community needs a cost-effective way to obtain large numbers of server certificates
Finding a community solution
• TF-EMC2 discussions started in 2004
• First (draft) proposal in October 2004:
  - Interest expressed by a number of NRENs
• Call for Proposals issued by TERENA in August 2005
• Offers from commercial CAs received in September 2005
• Preferred supplier (GlobalSign) announced on 19 December 2005
• Contract signed on 9 January 2006
Participating NRENs
• ACOnet (Austria)
• CARNet (Croatia)
• CESNET (Czech Republic)
• CRU (France)
• RedIRIS (Spain)
• SURFnet (Netherlands)
• SWITCH (Switzerland)
• UNI•C (Denmark)
• TERENA is the contracting party
What did we get?
The Basics
• Each participating NREN has nominated RA Administrators
• These people have been trained at GlobalSign on how to administer the process
• They are the contact point between the Server SysAdmins and GlobalSign
• They are responsible for maintaining the integrity of the identification process
• They can request an unlimited number of certificates during the 1-year pilot
The Process
• Sysadmin generates key pair and creates CSR
• Sysadmin submits CSR through GlobalSign’s enrollment pages
• Admin contact of organization receives a challenge e-mail to be replied to (with postal mail, fax, e-mail with scan of signed document, later possibly with a digitally signed e-mail)
• RA administrator verifies request (identity of the applicant, organization, DNS domain in subject)
• RA administrator approves (or rejects) the request
• If approved: sysadmin receives certificate by mail
The SCS pre-installed root
• SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes preinstalled with
  - all major operating systems (Windows, Mac OS 9 ff., …)
  - most Web browsers/applications (Mozilla, Opera, …)
  - many software suites (Sun JRE/JDK, IBM Websphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …)
  - many mobile devices (Palm, Blackberry; phones from Nokia, Sony Ericsson, Motorola, …)
• For issuing SCS certificates, the Cybertrust Educational CA intermediate cert is used (2006–2013)
Certificates Available
• No User Certificates
• Server Certificates only
• Available with 1, 2, 3 years validity
• Three specific Types
SureServerEDU TLS
• recommended default type for general-purpose servers (Web, e-mail, directory service, …)
• mandatory attributes:
  - countryName (C), organizationName (O), commonName (CN)
• optional attributes:
  - stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
SureServerEDU TLS emailserver
• special-purpose type for servers creating e-mail messages on their own (alerting service or similar) – not needed for standard SMTP/IMAP/POP servers
• mandatory attributes:
  - countryName (C), organizationName (O), commonName (CN), emailAddress (E)
• optional attributes:
  - stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
SureServerEDU
• standard type used by GlobalSign (includes legacy netscape-cert-type extension)
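As an added example (not TERENA or GlobalSign code), a stdlib-only Python check an RA administrator could run over a CSR subject before the approve/reject step described under "The Process": it enforces the mandatory and optional attribute sets of the two SureServerEDU TLS types listed above and confirms the organization and DNS domain in the subject against a table of approved domains. The APPROVED_DOMAINS table, the "Example University" organization and the sample subjects in the comments are constructed for illustration.

```python
import re
# CSR subject short names mapped to the attribute names used on the slides; 'S' (slides)
# and 'ST' (OpenSSL) both mean stateOrProvinceName.
SHORT_TO_LONG = {"C": "countryName", "O": "organizationName", "CN": "commonName",
                 "E": "emailAddress", "emailAddress": "emailAddress",
                 "S": "stateOrProvinceName", "ST": "stateOrProvinceName", "L": "localityName",
                 "OU": "organizationalUnitName", "DC": "domainComponent"}
# Mandatory attributes of the two SureServerEDU TLS types; the optional set is shared.
BASE = {"countryName", "organizationName", "commonName"}
MANDATORY = {"SureServerEDU TLS": BASE, "SureServerEDU TLS emailserver": BASE | {"emailAddress"}}
OPTIONAL = {"stateOrProvinceName", "localityName", "organizationalUnitName", "domainComponent"}
# Constructed RA table (illustration only): DNS domains each registered organization may use.
APPROVED_DOMAINS = {"Example University": ("example.edu", "lab.example.edu")}
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_subject(dn):
    """Parse an OpenSSL-style subject such as '/C=NL/O=Example University/CN=www.example.edu'."""
    subject = {}
    for rdn in filter(None, dn.split("/")):
        short, sep, value = rdn.partition("=")
        if not sep or short not in SHORT_TO_LONG or not value.strip():
            raise ValueError(f"unsupported or malformed RDN: {rdn!r}")
        subject[SHORT_TO_LONG[short]] = value.strip()
    return subject


def check_request(dn, cert_type):
    """Return the policy violations found; an empty list means the RA may approve."""
    subject, problems = parse_subject(dn), []
    missing = MANDATORY[cert_type] - subject.keys()
    if missing:
        problems.append("missing mandatory attributes: " + ", ".join(sorted(missing)))
    extra = subject.keys() - MANDATORY[cert_type] - OPTIONAL
    if extra:
        problems.append("attributes not allowed for this type: " + ", ".join(sorted(extra)))
    org = subject.get("organizationName", "")
    domains = APPROVED_DOMAINS.get(org, ())
    in_domain = lambda name: any(name == d or name.endswith("." + d) for d in domains)
    if not domains:
        problems.append(f"organization not registered with this RA: {org!r}")
    # subjectAltName is not offered yet, so the host name must be the commonName itself.
    cn = subject.get("commonName", "").lower()
    if cn and not HOST_RE.match(cn):
        problems.append(f"commonName is not a DNS host name: {cn!r}")
    elif cn and domains and not in_domain(cn):
        problems.append(f"commonName {cn!r} is outside the approved domains")
    email = subject.get("emailAddress", "").lower()
    if email and not (email.count("@") == 1 and in_domain(email.split("@")[1])):
        problems.append(f"emailAddress {email!r} is not in an approved domain")
    return problems
```

A request like `check_request("/C=NL/O=Example University/CN=www.example.edu", "SureServerEDU TLS")` returns an empty list, while the same subject submitted for the emailserver type reports the missing emailAddress.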
Not yet available
• Expected June 2006
• subjectAltName extension with one or more dNSNames (support for DNS aliases)
Service Operational
• First Certificate Issued: 16 March 2006
Acknowledgements
• So many people in the community
• Some around the table, others not
• Licia, Karel
• These slides were based on material from Licia Florio of TERENA and Kasper Brand of SWITCH – Sorry for any liberties I have taken with their material
In Licia’s words:
“We got a cool service”
Joining the TERENA SCS
• Initial Pilot runs for one year
• After June 06 we can open the service to new NRENs
• Some NRENs are already waiting
• There is a fee to pay to join
• If the pilot is successful, we will expand again