ULAGrid Certification Authority. Vanessa Hamar, Universidad de Los Andes – Merida, Venezuela. 5th F2F Banff, 17/07/2007. Overview: Introduction, Key Sizes, Repository, Identification and Authentication.
IST-2006-026409 www.eu-eela.org
E-infrastructure shared between Europe and Latin America
ULAGrid Certification Authority
Vanessa Hamar
Universidad de Los Andes – Merida, Venezuela
5th F2F Banff, 17/07/2007
Overview
• Introduction
• Key Sizes
• Repository
• Identification and Authentication
Introduction
• The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.
• The CP/CPS follows the IETF's RFC 3647. Policy OID: 1.3.6.1.4.1.19286.2.2.2.0.1.3
Key Sizes
• Keys of length less than 1024 bits are not accepted.
• All user keys will have a 1024 bit RSA key size.
• All host and service keys will have a 2048 bit RSA key size.
• The ULA CA key will always have a 2048 bit RSA key size.
• The lifetime is 10 years for the CA and 1 year for End Entities.
Repository
• The online repository of information from the ULAGrid CA is accessible at: https://ra.cecalc.ula.ve/pub/ (Email = [email protected])
• This is a secure online repository that contains:
  – The ULAGrid CA's certificate,
  – All end entity certificates issued by the CA,
  – A Certificate Revocation List,
  – A copy of the most recent approved version of this policy and all previous approved versions.
Repository
• URL for the CA's main web page with info: https://ra.cecalc.ula.ve
• URL for the CRL on the CA's web site: http://ra.cecalc.ula.ve/pub/crl/cacrl.crl
Identification and authentication
• The Subject Name is of the X.500 name type, a Distinguished Name.
• The generic format for a service subject is as follows:
  C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN
• "C=VE" and "O=Grid" are the subject's fixed parts and must be present in all certificates.
• An additional subscriber's organization "O=", giving the organization's name, must be provided, as well as an "OU=" giving the organization group.
• All the subject parts are mandatory in all certificates, including the two "O=".
• The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.
Identification and authentication
• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
  subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]
• ra:~# openssl x509 -in usercert.pem -subject -noout
  subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar
Profile ULAGrid CA
• For CA certificates:
  – Basic Constraints: critical, ca: true
  – Subject Key Identifier: hash
  – Authority Key Identifier: keyid
  – Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign
  – Extended Key Usage: timeStamping
  – Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
  – Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
  – Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
Profile ULAGrid CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8e:2a:83:5b:16:0f:a0:e8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:15:02 2007 GMT
            Not After : Jul 10 14:15:02 2017 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
Profile ULAGrid CA
            X509v3 Subject Key Identifier:
                DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
            X509v3 Authority Key Identifier:
                keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]
                serial:8E:2A:83:5B:16:0F:A0:E8
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 Issuer Alternative Name:
                email:[email protected]
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                CeCalCULA Certification Authority Certificate
Profiles Users
For natural person certificates:
  – Basic Constraints: critical, ca: false
  – Subject Key Identifier: hash
  – Authority Key Identifier: keyid
  – Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment
  – Extended Key Usage: clientAuth, emailProtection, timeStamping
  – Netscape Cert Type: SSL Client, S/MIME, Object Signing
  – Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
  – CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
  – Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
  – Subject Alternative Name: e-mail address
Profile Users
ra:~# openssl x509 -in usercert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
Profile Users
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                  CPS: http://ra.cecalc.ula.ve/pub
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                Registration Authority Operator of CeCalCULA
            X509v3 Subject Key Identifier:
                95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3
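The following is an added example, not code from the slides or from the ULAGrid CA: a small Python checker that applies the rules from the Key Sizes slide (no key under 1024 bits; 1024 bits for users, 2048 for hosts/services and the CA; 10 year CA lifetime, 1 year for end entities) to the text form of a certificate as printed by `openssl x509 -text`, like the CA and user dumps shown on the Profile slides. The role is taken from Basic Constraints (CA) and from the CN=service/FQDN naming convention (host/service); the function names, the leap-day slack on lifetimes, and the abridged sample dumps are assumptions constructed for the example.

```python
# Added example (not from the original slides): apply the key-size and
# lifetime rules from the "Key Sizes" slide to `openssl x509 -text` output.
# The dumps below are constructed/abridged to mirror the slides' certificates.
import re
from datetime import datetime

MIN_BITS = 1024
EXPECTED_BITS = {"ca": 2048, "service": 2048, "user": 1024}
# 10 years for the CA, 1 year for end entities (a few days of slack for leap days)
MAX_LIFETIME_DAYS = {"ca": 10 * 365 + 3, "service": 366, "user": 366}


def _grab(pattern, text):
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError("field not found in dump: " + pattern)
    return m.group(1).strip()


def _parse_date(s):
    # OpenSSL pads single-digit days with a space ("Jul  3 ..."); normalise it
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")


def classify_role(subject, is_ca):
    """CA if Basic Constraints says so; host/service if CN is service/FQDN; else user."""
    if is_ca:
        return "ca"
    cn = re.search(r"CN=([^,]+)", subject)
    if cn and "/" in cn.group(1):
        return "service"
    return "user"


def parse_text_dump(text):
    """Pull subject, CA flag, RSA key size and validity out of `openssl x509 -text`."""
    subject = _grab(r"^\s*Subject:\s*(.+)$", text)
    is_ca = _grab(r"CA:(TRUE|FALSE)", text) == "TRUE"
    # "RSA Public Key: (2048 bit)" (older OpenSSL) or "Public-Key: (2048 bit)" (newer)
    bits = int(_grab(r"Public[- ]Key:\s*\((\d+) bit\)", text))
    return {
        "subject": subject,
        "is_ca": is_ca,
        "bits": bits,
        "not_before": _parse_date(_grab(r"Not Before\s*:\s*(.+)$", text)),
        "not_after": _parse_date(_grab(r"Not After\s*:\s*(.+)$", text)),
        "role": classify_role(subject, is_ca),
    }


def check_policy(info):
    """Return the list of policy violations for a parsed certificate (empty = OK)."""
    problems = []
    role = info["role"]
    if info["bits"] < MIN_BITS:
        problems.append("key shorter than %d bits is not accepted" % MIN_BITS)
    if info["bits"] != EXPECTED_BITS[role]:
        problems.append("%s key must be %d bits, got %d" % (role, EXPECTED_BITS[role], info["bits"]))
    days = (info["not_after"] - info["not_before"]).days
    if days <= 0:
        problems.append("validity period is empty or inverted")
    elif days > MAX_LIFETIME_DAYS[role]:
        problems.append("%s lifetime of %d days exceeds policy" % (role, days))
    return problems


# Constructed, abridged dumps: the CA and user certificates as on the slides,
# plus a deliberately non-conforming host certificate (1024 bits, 2 years).
CA_DUMP = """\
        Validity
            Not Before: Jul 13 14:15:02 2007 GMT
            Not After : Jul 10 14:15:02 2017 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
USER_DUMP = """\
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
            RSA Public Key: (1024 bit)
            X509v3 Basic Constraints:
                CA:FALSE
"""
BAD_SERVICE_DUMP = """\
        Validity
            Not Before: Jul 13 10:00:00 2007 GMT
            Not After : Jul 13 10:00:00 2009 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=host/grid.example.invalid
            RSA Public Key: (1024 bit)
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    for name, dump in (("CA", CA_DUMP), ("user", USER_DUMP), ("host", BAD_SERVICE_DUMP)):
        info = parse_text_dump(dump)
        print(name, info["role"], info["bits"], check_policy(info) or "OK")
```

Run against a real certificate with `openssl x509 -in cert.pem -text -noout | python3 check.py` after reading the dump from stdin; the conformant CA and user dumps return no violations, while the constructed host dump is flagged for both key size and lifetime.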
Others
• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Others
• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
  SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5
• # Signing policy file for ULAGridCA
  access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]'
  pos_rights globus CA:sign
  cond_subjects globus '"/C=VE/O=Grid/*"'
• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
  serial=8E2A835B160FA0E8
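The following is an added example, not code from the slides or from the ULAGrid CA, covering both the naming rules on the Identification and authentication slides and the Globus signing policy file above. It parses the OpenSSL one-line subject format shown on the slides (handling the '/' that appears inside CN=service/FQDN), checks the fixed parts C=VE and O=Grid, the second O=, the OU= and the CN=, matches the subject against the signing policy's `cond_subjects` pattern, and enforces the rule that a DN is certified only once. The wildcard semantics assumed for `cond_subjects` ('*' matches any run of characters), the function names and the sample subjects are assumptions constructed for the example.

```python
# Added example (not from the original slides): validate OpenSSL one-line
# subjects against the ULAGrid naming rules and a Globus signing_policy
# cond_subjects pattern. Sample subjects below are constructed for the demo.
import re

# OpenSSL "-subject" output looks like /attr=value/attr=value ... but a '/'
# may also occur inside a value (CN=service/FQDN), so a new component is
# only started where a segment looks like "attr=".
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.]*=")

# Fixed leading components required in every ULAGrid certificate.
FIXED_PREFIX = [("C", "VE"), ("O", "Grid")]


def parse_dn(subject_line):
    """Parse 'subject= /C=VE/O=Grid/...' into an ordered list of (attr, value)."""
    s = subject_line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].lstrip()
    if not s.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns = []
    for seg in s[1:].split("/"):
        if ATTR_RE.match(seg):
            attr, _, value = seg.partition("=")
            rdns.append((attr, value))
        elif rdns:
            # '/' inside the previous value, e.g. CN=host/grid.example.invalid
            attr, value = rdns[-1]
            rdns[-1] = (attr, value + "/" + seg)
        else:
            raise ValueError("malformed DN: %r" % subject_line)
    return rdns


def to_one_line(rdns):
    return "/" + "/".join("%s=%s" % (a, v) for a, v in rdns)


def naming_violations(rdns):
    """Return the list of ULAGrid naming-rule violations (empty list means OK)."""
    problems = []
    if rdns[:2] != FIXED_PREFIX:
        problems.append("must begin with the fixed parts C=VE, O=Grid")
    if sum(1 for a, _ in rdns if a == "O") < 2:
        problems.append("second O= (subscriber's organization) missing")
    if not any(a == "OU" for a, _ in rdns):
        problems.append("OU= (organization group) missing")
    cns = [v for a, v in rdns if a == "CN"]
    if len(cns) != 1 or not cns[0]:
        problems.append("exactly one non-empty CN= required")
    return problems


def matches_cond_subjects(rdns, pattern):
    """Globus signing_policy cond_subjects check. Assumed semantics: the pattern
    is a one-line DN in which '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, to_one_line(rdns)) is not None


class IssuedSubjects:
    """Tracks subjects already certified, for the 'DN must be unique' rule."""

    def __init__(self):
        self._seen = set()

    def register(self, rdns):
        key = tuple(rdns)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def evaluate(subject_line, issued, pattern="/C=VE/O=Grid/*"):
    """Full check for one request: naming rules, signing policy, uniqueness."""
    rdns = parse_dn(subject_line)
    return {
        "subject": to_one_line(rdns),
        "violations": naming_violations(rdns),
        "signing_policy_ok": matches_cond_subjects(rdns, pattern),
        "unique": issued.register(rdns),
    }


if __name__ == "__main__":
    reg = IssuedSubjects()
    for line in (
        "subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
        "/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=host/grid.example.invalid",
        "/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
        "/C=VE/O=OtherGrid/O=Universidad de Los Andes/CN=Someone",
    ):
        print(evaluate(line, reg))
```

The third request in the demo repeats the first DN and is reported as not unique; the last one fails both the fixed-part rule and the signing policy pattern, which is exactly the case a relying party's `cond_subjects` line is there to reject.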