Tweaking the Certificate Lifecycle for the UK eScience CA


Tweaking the Certificate Lifecycle for the UK eScience CA. John Kewley, NGS Support Centre Manager & Service Manager for the UK e-Science CA, john.kewley@stfc.ac.uk. The UK eScience CA is one of the world's leading Grid Certification Authorities (CAs) and has issued around 30,000 certificates. The National Grid Service (NGS) helpdesk receives many tickets relating to certificates (and to certificate renewal in particular), largely due to browser incompatibilities. This talk gives an introduction to the UK eScience CA and its associated software and interfaces, including CertWizard, our new browser-independent certificate tool. It shows how modernisations are being made at various stages of the certificate lifecycle, making it easier than ever to manage your personal UK eScience certificate. 30/03/2012 EGI CF Munich

Outline: Certificates and the UK e-Science CA; the lifecycle of a user certificate; some problems; the CertWizard and other improvements; future work.
Abstract: Users find applying for and renewing their certificates hard. In fact one third of the tickets on the UK NGI Helpdesk in the last year were related to certificates, a common theme being browser issues. STFC staff have produced a browser-independent tool for managing the certificates of the UK NGI user community. This tool, combined with other service improvements, provides a simpler-to-use interface which is more efficient and fully integrated with our already established certificate tools. The NGS runs the world's 2nd largest Grid Certification Authority: the IGTF-accredited UK e-Science CA. It is trialling several innovations for X.509 authentication, including alternatives to year-long user certificates, but those certificates will be needed for some time. The CA certificate itself is due for renewal in 2011 and so the opportunity is being taken to make changes at all levels of the service. Up until now, users have used their browser to apply for and renew their certificates. As browsers have evolved there have been a variety of incompatibilities in the way they handle certificates, and our list of unsupported browsers has grown. The solution was to write a stand-alone tool to manage these certificate requests without involving a browser. The tool also adds the facility to renew a recently expired certificate, and to change details such as the user's email address without having to revoke the certificate and apply for a new one, as is currently required. It has also been merged with our existing VOMS-enabled MyProxy Upload Tool so that a single tool can be used to manage all the user's certificate interactions. Further work is already underway to add interfaces providing analogous support for host certificates and for RA Operators to approve both user and host certificate requests. Although the CA part of our tool is tied in to the UK eScience CA, the interface provided is well-defined and would not take much effort to generalise for other community CAs, so we are keen to demonstrate its functionality at the User Forum in Lyon.

Authentication vs Authorisation. Authentication establishes identity, i.e. who you are (c.f. a passport or identity card). Authorisation is what you are allowed to do (c.f. a visa, or a work/residence permit). A certificate answers only the first question; what the holder may do is decided separately by the resource or VO.

What is a CA? A CA (Certification Authority) is a trusted entity that issues and manages digital certificates (security credentials). Trusting a particular CA means trusting the identities asserted in the certificates it has issued, i.e. trusting that its identity checks were carried out properly before each certificate was signed.

The UK e-Science CA. The UK e-Science CA issues 13-month certificates for use by users, services and hosts from the UK e-Science Grid community. Since it follows international standards and is accredited by the IGTF, its certificates are accepted by Grids around the world.

Registration Authorities. For the CA to sign a user's certificate, the user's identity needs to be asserted. This role is federated to about 60 Registration Authorities (RAs) throughout the UK. The CA trusts their RA Operators to check the user's photo-ID and approve their certificate requests.

Certificate Lifecycle (diagram): Apply -> VALID.

The Apply Process (diagram: User Applies for New Certificate -> User and RA Meet Face to Face -> RA Approves Request -> CA Signs). Simplified process: 1. User applies for a new user certificate (CertWizard or browser). 2. RA Operator confirms the user is entitled to one. 3. User and RA Operator meet face-to-face so the RA Operator can check photo-ID. 4. RA Operator approves (or rejects) the certificate request. 5. The UK eScience CA signs the request.

The Apply Process, with the RA Operator's checks at each step (diagram): User Applies for New Certificate -> "Is the user entitled to a certificate?" -> User and RA Meet Face to Face -> "Does the photo-ID match?", "Photocopy the photo-ID and file it", "Check PIN" -> RA Approves Request -> CA Signs. Simplified process: 1. User applies for a new user certificate (CertWizard or browser). 2. RA Operator confirms the user is entitled to one. 3. User and RA Operator meet face-to-face so the RA Operator can check photo-ID. 4. RA Operator approves (or rejects) the certificate request. 5. The UK eScience CA signs the request.

Certificate Lifecycle (diagram): Apply -> VALID; VALID -> Renew -> VALID; VALID -> EXPIRED.

The Renew Process (diagram: User Applies for Certificate Renewal -> RA Approves Renewal Request -> CA Signs). Simplified process: 1. User requests that their certificate be renewed (CertWizard or web browser). 2. RA Operator checks the user is still entitled to one and, if so, approves the renewal request. 3. The UK eScience CA signs the new certificate. No face-to-face meeting is needed at renewal: the request is made with the still-valid certificate, which is the identity check.

Certificate Lifecycle (diagram): Apply -> VALID; VALID -> Renew -> VALID; VALID -> EXPIRED; VALID -> Revoke -> REVOKED.

Browser/OS Problems. We receive many certificate problems on our helpdesk, mostly expiries or browser issues. Browsers change, and we can't support them all. The OpenCA software was problematic to update. http://www.ngs.ac.uk/supported-internet-browsers

Other Problems. If a user's certificate has been revoked, or in any of the following situations: the user's email address changes; the user's certificate expires unexpectedly; the user wants a new certificate because their old one expired some time ago. Then the user must apply for a new one (requesting revocation of the old one if required), and that requires visiting the RA Operator in person.

Plan: 1. Duplicate the existing functionality of the old web interface in the new CertWizard.

Old Web Interface (screenshot).

Old vs New (architecture diagram; labels only: Old, New, CA-Sign, CA DB, OpenCA, https, CA-Server, REST, Browsers, Bulk, New Bulk, RA, CertWizard).

CertWizard: platform- and browser-independent; automatically updating; RESTful interface. http://www.ngs.ac.uk/tools/certwizard


Renew Certificate (screenshot).

Request Revocation (screenshot).

Plan: 1. Duplicate the existing functionality of the old web interface in the new CertWizard. 2. Amend policy and extend CertWizard to permit renewing recently-expired certificates.

Renew Recently Expired (lifecycle diagram): Apply -> VALID; VALID -> Renew -> VALID; VALID -> Revoke -> REVOKED; VALID -> EXPIRED; EXPIRED -> "Recent?" -> Yes: Renew -> VALID; No: remains EXPIRED.

Plan: 1. Duplicate the existing functionality of the old web interface in the new CertWizard. 2. Amend policy and extend CertWizard to permit renewing recently-expired certificates. 3. Permit virtual meetings (video conference, for example) for Re-Applications.

Re-Applications (lifecycle diagram): Apply -> VALID; VALID -> Renew -> VALID; VALID -> Revoke -> REVOKED; VALID -> EXPIRED; EXPIRED -> "Recent?" -> Yes: Renew -> VALID; No: Re-Apply -> VALID; REVOKED -> Re-Apply -> VALID.

The Re-Apply Process (diagram: User Applies for New Certificate -> User and RA Meet Virtually -> RA Approves Request -> CA Signs). Simplified process: 1. User applies for a new user certificate (CertWizard or browser). 2. RA Operator confirms the user is entitled to one. 3. User and RA Operator meet virtually (video conference, for example) so the RA Operator can check photo-ID; this is the only step that differs from a first application. 4. RA Operator approves (or rejects) the certificate request. 5. The UK eScience CA signs the request.
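The following is an added example and not software from the UK e-Science CA, OpenCA or CertWizard: a toy run of the lifecycle steps described on the Apply, Renew, Revoke, Renew-Recently-Expired and Re-Apply slides, driven with nothing but the openssl command line. The demo CA and user names, the 395-day (13-month) validity, the 30-day grace window used to decide "recently expired", and the revoked.txt file standing in for the CA's revocation database are all assumptions made here; "Jane Demo" is a constructed user. The RA step shows the two checks an operator can make on the request itself: that the CSR is self-signed by the key it names (proof of possession) and that its CN matches the identity vetted against photo-ID.

```shell
#!/bin/sh
# Added example: toy apply / RA-check / sign / verify / revoke / renew-decision
# flow with the openssl CLI. Names, validity and grace window are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
VALIDITY_DAYS=395            # 13 months, as the UK e-Science CA issues

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = UK
O = eScienceDemo
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

make_ca() {
  # Self-signed demo root. A real CA keeps this key offline or in an HSM.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -config "$CNF" -extensions v3_ca \
    -days 3650 -sha256 -subj "/C=UK/O=eScienceDemo/CN=Demo CA" -out "$WORK/ca.crt"
}

user_apply() {
  # Apply: the key pair is generated on the user's machine; only the CSR leaves it.
  openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/user.key" -config "$CNF" -sha256 \
    -subj "/C=UK/O=eScienceDemo/OU=DemoRA/CN=$1" -out "$WORK/user.csr"
}

ra_approve() {
  # RA Operator: CSR signature must verify (proof of possession of the private
  # key) and the requested CN must equal the identity checked against photo-ID.
  openssl req -in "$WORK/user.csr" -config "$CNF" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$WORK/user.csr" -config "$CNF" -noout -subject -nameopt RFC2253)
  case "$subj" in "subject=CN=$1,"*) return 0 ;; *) return 1 ;; esac
}

ca_sign() {
  # CA: issue a 13-month end-entity certificate (serial given as argument).
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$1" -days "$VALIDITY_DAYS" -sha256 \
    -extfile "$CNF" -extensions v3_user -out "$WORK/user.crt" 2>/dev/null
}

verify_chain() {
  # Relying party: chains to the trusted CA and is inside its validity period.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

cert_serial() {
  openssl x509 -in "$WORK/user.crt" -noout -serial | cut -d= -f2
}

request_revocation() {
  # Stand-in for the CA's revocation database / CRL: "<serial> <reason>" per line.
  printf '%s %s\n' "$(cert_serial)" "$1" >> "$WORK/revoked.txt"
}

renew_decision() {
  # What the amended policy does with a renewal request, for a grace window of $1 days:
  #   revoked                        -> re-apply (identity re-checked, virtually)
  #   still valid                    -> renew
  #   expired less than $1 days ago  -> renew  (the "recently expired" case)
  #   expired longer ago             -> re-apply
  grace_seconds=$(( $1 * 86400 ))
  if grep -q "^$(cert_serial) " "$WORK/revoked.txt" 2>/dev/null; then
    echo re-apply
  elif openssl x509 -in "$WORK/user.crt" -noout -checkend 0 >/dev/null; then
    echo renew
  elif openssl x509 -in "$WORK/user.crt" -noout -checkend "-$grace_seconds" >/dev/null; then
    echo renew       # negative offset: notAfter is later than (now - grace)
  else
    echo re-apply
  fi
}

run_lifecycle() {
  make_ca
  user_apply "Jane Demo"
  ra_approve "Jane Demo" || { echo "RA rejected request"; return 1; }
  ca_sign 4097
  verify_chain && echo "issued: $(openssl x509 -in "$WORK/user.crt" -noout -subject -enddate)"
  echo "renewal request while valid: $(renew_decision 30)"
  request_revocation keyCompromise
  echo "renewal request after revocation: $(renew_decision 30)"
}

if [ "${1:-}" = demo ]; then run_lifecycle; fi
```

Saved to a file and run with the single argument `demo`, the script prints the issued subject and expiry, then "renew" for the valid certificate and "re-apply" once it has been revoked. The "recently expired" branch relies on `openssl x509 -checkend` accepting a negative offset, which makes it compare notAfter against a time in the past; the same one-liner is a cheap check for a helpdesk script deciding whether a user can use the renewal path or must go back to an RA Operator.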

Plan: 1. Duplicate the existing functionality of the old web interface in the new CertWizard. 2. Amend policy and extend CertWizard to permit renewing recently-expired certificates. 3. Permit virtual meetings (video conference, for example) for Re-Applications. 4. Extend CertWizard to allow changing of email addresses.

Change requests (lifecycle diagram): as the Re-Applications diagram, with an additional Change transition from VALID back to VALID: Apply -> VALID; VALID -> Renew -> VALID; VALID -> Change -> VALID; VALID -> Revoke -> REVOKED; VALID -> EXPIRED; EXPIRED -> "Recent?" -> Yes: Renew; No: Re-Apply; REVOKED -> Re-Apply -> VALID.

Change Requests, design options: Permit changing the email address at renewal, or as a separate Change process? Should the RA Operator be involved? Should the keys and expiry remain the same?

Plan: 1. Duplicate the existing functionality of the old web interface in the new CertWizard. 2. Amend policy and extend CertWizard to permit renewing recently-expired certificates. 3. Permit virtual meetings (video conference, for example) for Re-Applications. 4. Extend CertWizard to allow changing of email addresses. 5. Integrate CertWizard functionality with our existing MyProxy and VOMS tools.

Seamless Interworking: integrated with MyProxyUploader, our previous proxy generation tool: uploading to MyProxy servers; local proxies; adding VOMS attributes.

Export/Backup (screenshot).

Install (screenshot).

Configuration (screenshot): CA certificates; MyProxy servers; VOMS servers; your certificate.

MyProxyUploader (screenshot).

Local Proxy (screenshot).

VOMS attributes (screenshot).

Additional work: provide an RA Operator interface; a bulk host certificate request interface; support for host certificates in CertWizard; an online CA.

Summary: Implemented a certificate request tool. Integrated it with our existing MyProxy tool. Will allow renewal of recently-expired certificates. Introduced the idea of a Re-Application. Permit virtual meetings for Re-Applications. Designing a Change mechanism for email addresses. Less hassle for users; less work for RA Operators. Looking ahead to an online CA.

Acknowledgements: Jens Jensen and David Meredith; NGS; STFC.