Matthew G. Marsh 08/20/03
NEbraskaCERT Certificate Authority

Overview
• Public Key Infrastructure (PKI)
  • What
  • Why
• Certificate Authority
  • What is it
  • How does it work
• OpenSSL Software
  • Keys and configuration files
  • Script Examples
• Q&A

PKI
• What
  • PKI (Public Key Infrastructure) refers to the structure that enables binding identity to objects. Actual discussion and implementation details are beyond the scope of this talk. Basically PKI is all defined in the details and takes into account mechanisms and concepts that are far removed from actual technical manipulation.

"I hope you believe you understand what you think I said, but I'm not sure you realize that what you've heard is not what I meant."
President Richard Nixon

Certificate Authority - CA
• What is it
  • The Certification Authority (CA) represents the trusted third party that issues keys and certificates to end users and manages the certificate life cycle including generation, revocation, expiration, and renewal.

CA - x.509
• ITU-T Recommendation X.509 [ITU-T 97]
• Several different end-entity certificates defined in x.509
  • Personal certificates represent individuals (ex: secure e-mail)
  • Server certificates represent services (ex: HTTPS Web server)
  • Developer certificates sign software or related objects
• A certificate binds an identity to a public key.
  • Certificate includes the name of the person
  • Their public key
  • Digital Signature sealing the data

Digital Signature is added by the Certificate Authority (CA). Certificate authorities exist to confirm the relationship between an identity and a public key.

• x.509 also defines certificate authority certificates which identify third party organizations entrusted to validate the identity of a certificate requestor.
  • CA certificates contain the authority name, a public key, and digital signature (self-signed)

Certificate Authority - CA
• Certificate authorities confirm the relationship between requestors and their public keys
• Certificate authorities publish public keys used to verify end-entity certificates
• The verification process uses the public key of the authority that issued the certificate to validate the digital signature
• CA certificates are critical to close the circle of trust
  • ROOT Certificate
  • x.509 CA Certificate
• ALL CAs by definition have "Self Signed" ROOT Certificates!!

CA in a Nutshell
• EndUser generates Certificate Signing Request (CSR)
• Sends CSR to CA for Approval
• Submit $$
• Get Signed Certificate
  • Typically a one year duration
  • Theoretically no time limit for expiration
• Uses Certificate
• FILM AT 11...

CA in a Nutshell
• CA requirements
  • You must publish your root CA Certificate
  • You must publish the revocation list
  • You must display a certificate's detail given a serial number
  • You must provide a method to submit certificate requests
• All this can be done using Apache and some PHP

OpenSSL
• Full SSL library with support programs
  • SSL v2/v3
  • TLS v1
• Latest version is 0.9.7b released April 10, 2003
• Core utility is "openssl" binary
  • Performs all operations needed for x.509
  • Many other operations available as well
• Supports multiple configuration files
  • CA Configuration
  • Standard configuration

OpenSSL - Config File - CA
• Traditionally /usr/local/ssl/openssl.conf
• For the NEbraskaCERT CA:

    [ req ]
    default_bits            = 2048
    default_keyfile         = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key
    default_md              = sha1
    default_days            = 365
    prompt                  = no
    distinguished_name      = NEbraskaCERT_CA_NAME
    x509_extensions         = NEbraskaCERT_CA_extensions

    [ NEbraskaCERT_CA_NAME ]
    commonName              = NEbraskaCERT Certificate Authority
    stateOrProvinceName     = Nebraska
    countryName             = US
    emailAddress            = certificate.administrator@nebraskacert.org
    organizationName        = NEbraskaCERT
    organizationalUnitName  = Certificate Authority

    [ NEbraskaCERT_CA_extensions ]
    basicConstraints        = CA:true

OpenSSL - Config File - Sign

    [ ca ]
    default_ca              = NEbraskaCERT_CA

    [ NEbraskaCERT_CA ]
    dir                     = /data/network/NEbraskaCERT-CA
    certificate             = $dir/NEbraskaCERT-CA.crt
    database                = $dir/index.txt
    new_certs_dir           = $dir/certificates
    private_key             = $dir/key/NEbraskaCERT-CA.key
    serial                  = $dir/serial
    default_crl_days        = 7
    default_days            = 365
    default_md              = sha1
    policy                  = NEbraskaCERT_CA_Policy
    x509_extensions         = certificate_extensions

    [ NEbraskaCERT_CA_Policy ]
    commonName              = supplied
    stateOrProvinceName     = supplied
    countryName             = supplied
    emailAddress            = supplied
    organizationName        = supplied
    organizationalUnitName  = optional

    [ certificate_extensions ]
    basicConstraints        = CA:false

OpenSSL - Scripts
• Setup.sh

    export OPENSSL_CONF=/data/network/NEbraskaCERT-CA/NEbraskaCERT.CA.conf
    export PATH=/usr/local/ssl/bin:$PATH

  • Source it (.) into the running shell (or use a dedicated signing user)
  • Note that you could have other config files
• SIGN.sh

    # $1 is the request file; the certificate is written beside it as <name>.crt
    /usr/local/ssl/bin/openssl ca -in "$1" -notext -out "${1%.req}.crt"

  • Obviously a bash/ksh shell script ;-}

OpenSSL - Try it...
• Generate a Key

    /usr/local/ssl/bin/openssl genrsa -out www.mysecure.com.key 1024

• Generate a CSR

    /usr/local/ssl/bin/openssl req -new -key www.mysecure.com.key -out www.mysecure.com.req

• Send CSR to CA
• CA Inspects CSR

    /usr/local/ssl/bin/openssl req -noout -text -in www.mysecure.com.req

• CA Signs CSR

    /usr/local/ssl/bin/openssl ca -in www.mysecure.com.req -notext -out www.mysecure.com.crt

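The configuration and "Try it..." steps above, run end to end against a throwaway CA, as an added example that is not the presenter's or NEbraskaCERT's own script. The function names, the demo_* section names and the ca.conf file name are assumptions; the sketch uses sha256 and 2048-bit keys where the 2003 slides use sha1 and 1024, which current TLS stacks commonly reject, and it also generates the revocation list that the CA requirements slide calls for.

```shell
#!/bin/sh
# Added example with constructed names (demo_ca, ca.conf); not the NEbraskaCERT files.
ca_init() {    # $1 = empty directory that will hold the CA
  mkdir -p "$1/key" "$1/certificates" && : > "$1/index.txt" && echo 01 > "$1/serial"
  cat > "$1/ca.conf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = demo_ca_name
x509_extensions = demo_ca_extensions
[ demo_ca_name ]
commonName = Demo Certificate Authority
[ demo_ca_extensions ]
basicConstraints = critical,CA:true
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
certificate = \$dir/ca.crt
database = \$dir/index.txt
new_certs_dir = \$dir/certificates
private_key = \$dir/key/ca.key
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = demo_policy
x509_extensions = certificate_extensions
[ demo_policy ]
commonName = supplied
[ certificate_extensions ]
basicConstraints = CA:false
EOF
  # Self-signed root certificate; its key is created here and stays under key/.
  openssl req -config "$1/ca.conf" -new -x509 -nodes -days 3650 \
    -keyout "$1/key/ca.key" -out "$1/ca.crt" 2>/dev/null
}
ca_issue() {   # $1 = CA dir, $2 = host name: key, CSR, then CA signature
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
  openssl req -config "$1/ca.conf" -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.req" &&
  openssl ca -config "$1/ca.conf" -batch -notext -in "$1/$2.req" -out "$1/$2.crt" 2>/dev/null
}
ca_revoke() { openssl ca -config "$1/ca.conf" -revoke "$1/$2.crt" 2>/dev/null; }
ca_verify() {  # refresh the CRL, then check signature chain and revocation status
  openssl ca -config "$1/ca.conf" -gencrl -out "$1/ca.crl" 2>/dev/null &&
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" >/dev/null 2>&1
}
```

For one host, `ca_verify` succeeds after `ca_issue` and fails after `ca_revoke`. The `-nodes` option leaves the demo CA key unencrypted, which suits a temporary directory only.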