NEbraskaCERT Certificate Authority

1
NEbraskaCERTCertificate Authority

• Matthew G. Marsh
• 08/20/03

2
Overview

• Public Key Infrastructure (PKI)
• What
• Why
• Certificate Authority
• What is it
• How does it work
• OpenSSL Software
• Keys and configuration files
• Script Examples
• QA

3
PKI

• What
• PKI (Public Key Infrastructure) refers to the
  structure that enables binding identity to
  objects. Actual discussion and implementation
  details are beyond the scope of this talk.
  Basically PKI is all defined in the details and
  takes into account mechanisms and concepts that
  are far removed from actual technical
  manipulation.

I hope you believe you understand what you think
I said, but I'm not sure you realize that what
you've heard is not what I meant. President
Richard Nixon
4
Certificate Authority - CA

• What is it
• The Certification Authority (CA) represents the
  trusted third party that issues keys and
  certificates to end users and manages the
  certificate life cycle including generation,
  revocation, expiration, and renewal.

5
CA - x.509

• ITU-T Recommendation X.509 ITU-T 97
• Several different end-entity certificates defined
  in x.509
• Personal certificates represent individuals (ex
  secure e-mail)
• Server certificates represent services (ex HTTPS
  Web server)
• Developer certificates sign software or related
  objects
• A certificate binds an identity to a public key.
• Certificate includes the name of the person
• Their public key
• Digital Signature sealing the data
• Digital Signature is added by the Certificate
  Authority (CA). Certificate authorities exist to
  confirm the relationship between an identity and
  a public key.
• x.509 also defines certificate authority
  certificates which identify third party
  organizations entrusted to validate the identity
  of a certificate requestor.
• CA certificates contain the authority name, a
  public key, and digital signature (self-signed)

6
Certificate Authority - CA

• Certificate authorities confirm the relationship
  between requestors and their public keys
• Certificate authorities publish public keys used
  to verify end-entity certificates
• The verification process uses the public key of
  the authority that issued the certificate to
  validate the digital signature
• CA certificates are critical to close the circle
  of trust
• ROOT Certificate
• x.509 CA Certificate
• ALL CAs by definition have "Self Signed" ROOT
  Certificates!!

7
CA in a Nutshell

• EndUser generates Certificate Signing Request
  (CSR)
• Sends CSR to CA for Approval
• Submit
• Get Signed Certificate
• Typically a one year duration
• Theoretically no time limit for expiration
• Uses Certificate
• FILM AT 11...

8
CA in a Nutshell

• CA requirements
• You must publish your root CA Certificate
• You must publish the revocation list
• You must display a certificate's detail given a
  serial number
• You must provide a method to submit certificate
  requests
• All this can be done using Apache and some PHP

9
OpenSSL

• Full SSL library with support programs
• SSL v2/v3
• TLS v1
• Latest version is 0.9.7b released April 10, 2003
• Core utility is "openssl" binary
• Performs all operations needed for x.509
• Many other operations available as well
• Supports multiple configuration files
• CA Configuration
• Standard configuration

10
OpenSSL - Config File - CA

• Traditionally /usr/local/ssl/openssl.conf
• For the NEbraskaCERT CA
• req
• default_bits 2048
• default_keyfile /data/network/NEbraskaCERT-CA/k
  ey/NEbraskaCERT-CA.key
• default_md sha1
• default_days 365
• prompt no
• distinguished_name NEbraskaCERT_CA_NAME
• x509_extensions NEbraskaCERT_CA_extensions
• NEbraskaCERT_CA_NAME
• commonName NEbraskaCERT Certificate
  Authority
• stateOrProvinceName Nebraska
• countryName US
• emailAddress certificate.administrator_at_nebra
  skacert.org
• organizationName NEbraskaCERT

11
OpenSSL - Config File - Sign

• ca
• default_ca NEbraskaCERT_CA
• NEbraskaCERT_CA
• dir /data/network/NEbraskaCERT-CA
• certificate dir/NEbraskaCERT-CA.crt
• database dir/index.txt
• new_certs_dir dir/certificates
• private_key dir/key/NEbraskaCERT-CA.key
• serial dir/serial
• default_crl_days 7
• default_days 365
• default_md sha1
• policy NEbraskaCERT_CA_Policy
• x509_extensions certificate_extensions
• NEbraskaCERT_CA_Policy
• commonName supplied
• stateOrProvinceName supplied

12
OpenSSL - Scripts

• Setup.sh
• export OPENSSL_CONF/data/network/NEbraskaCERT-CA/
  NEbraskaCERT.CA.conf
• export PATH/usr/local/ssl/binPATH
• . into running shell (or use dedicated signing
  user)
• Note that you could have other config files
• SIGN.sh
• /usr/local/ssl/bin/openssl ca -in 1 -notext
  -out 1.req.crt
• Obviously a bash/ksh shell script -

13
OpenSSL - Try it...

• Generate a Key
• /usr/local/ssl/bin/openssl genrsa -out
  www.mysecure.com.key 1024
• Generate a CSR
• /usr/local/ssl/bin/openssl req -new -key
  www.mysecure.com.key -out www.mysecure.com.req
• Send CSR to CA
• CA Inspects CSR
• /usr/local/ssl/bin/openssl req -noout -text -in
  www.mysecure.com.req
• CA Signs CSR
• /usr/local/ssl/bin/openssl ca -in
  www.mysecure.com.req -notext -out
  www.mysecure.com.crt

14
Q A
15
This is The