Slide 1 August CSF NEbraskaCERT Certificate Authority Matthew G. Marsh 08/20/03

Slide 2 August CSF Overview  Public Key Infrastructure (PKI) – What – Why  Certificate Authority – What is it – How does it work  OpenSSL Software – Keys and configuration files – Script Examples  Q&A

Slide 3 August CSF PKI  What – PKI (Public Key Infrastructure) refers to the structure that enables binding identity to objects. Actual discussion and implementation details are beyond the scope of this talk. Basically PKI is all defined in the details and takes into account mechanisms and concepts that are far removed from actual technical manipulation. I hope you believe you understand what you think I said, but I'm not sure you realize that what you've heard is not what I meant. President Richard Nixon

Slide 4 August CSF Certificate Authority - CA  What is it – The Certification Authority (CA) represents the trusted third party that issues keys and certificates to end users and manages the certificate life cycle including generation, revocation, expiration, and renewal.

Slide 5 August CSF CA - x.509  ITU-T Recommendation X.509 [ITU-T 97] Several different end-entity certificates defined in x.509 – Personal certificates represent individuals (ex: secure ) – Server certificates represent services (ex: HTTPS Web server) – Developer certificates sign software or related objects A certificate binds an identity to a public key. – Certificate includes the name of the person – Their public key – Digital Signature sealing the data Digital Signature is added by the Certificate Authority (CA). Certificate authorities exist to confirm the relationship between an identity and a public key. x.509 also defines certificate authority certificates which identify third party organizations entrusted to validate the identity of a certificate requestor. – CA certificates contain the authority name, a public key, and digital signature (self-signed)

Slide 6 August CSF Certificate Authority - CA  Certificate authorities confirm the relationship between requestors and their public keys  Certificate authorities publish public keys used to verify end-entity certificates  The verification process uses the public key of the authority that issued the certificate to validate the digital signature  CA certificates are critical to close the circle of trust  ROOT Certificate – x.509 CA Certificate  ALL CAs by definition have "Self Signed" ROOT Certificates!!

Slide 7 August CSF CA in a Nutshell  EndUser generates Certificate Signing Request (CSR)  Sends CSR to CA for Approval – Submit $$  Get Signed Certificate – Typically a one year duration – Theoretically no time limit for expiration  Uses Certificate  FILM AT 11...

Slide 8 August CSF CA in a Nutshell  CA requirements – You must publish your root CA Certificate – You must publish the revocation list – You must display a certificate's detail given a serial number – You must provide a method to submit certificate requests  All this can be done using Apache and some PHP

Slide 9 August CSF OpenSSL  Full SSL library with support programs – SSL v2/v3 – TLS v1  Latest version is 0.9.7b released April 10, 2003  Core utility is "openssl" binary – Performs all operations needed for x.509 – Many other operations available as well  Supports multiple configuration files – CA Configuration – Standard configuration

Slide 10 August CSF OpenSSL - Config File - CA  Traditionally /usr/local/ssl/openssl.conf  For the NEbraskaCERT CA: [ req ] default_bits= 2048 default_keyfile = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key default_md = sha1 default_days= 365 prompt= no distinguished_name= NEbraskaCERT_CA_NAME x509_extensions= NEbraskaCERT_CA_extensions [ NEbraskaCERT_CA_NAME ] commonName = NEbraskaCERT Certificate Authority stateOrProvinceName = Nebraska countryName = US Address = organizationName = NEbraskaCERT organizationalUnitName = Certificate Authority [ NEbraskaCERT_CA_extensions ] basicConstraints = CA:true

Slide 11 August CSF OpenSSL - Config File - Sign [ ca ] default_ca = NEbraskaCERT_CA [ NEbraskaCERT_CA ] dir = /data/network/NEbraskaCERT-CA certificate = $dir/NEbraskaCERT-CA.crt database = $dir/index.txt new_certs_dir = $dir/certificates private_key = $dir/key/NEbraskaCERT-CA.key serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = sha1 policy = NEbraskaCERT_CA_Policy x509_extensions = certificate_extensions [ NEbraskaCERT_CA_Policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied Address = supplied organizationName = supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false

Slide 12 August CSF OpenSSL - Scripts  Setup.sh export OPENSSL_CONF=/data/network/ NEbraskaCERT-CA /NEbraskaCERT.CA.conf export PATH=/usr/local/ssl/bin:$PATH . into running shell (or use dedicated signing user)  Note that you could have other config files  SIGN.sh /usr/local/ssl/bin/openssl ca -in $1 -notext -out ${1%.req}.crt  Obviously a bash/ksh shell script ;-}

Slide 13 August CSF OpenSSL - Try it...  Generate a Key /usr/local/ssl/bin/openssl genrsa -out  Generate a CSR /usr/local/ssl/bin/openssl req -new -key -out  Send CSR to CA  CA Inspects CSR /usr/local/ssl/bin/openssl req -noout -text -in  CA Signs CSR /usr/local/ssl/bin/openssl ca -in -notext -out

Slide 14 August CSF Q & A

Slide 15 August CSF This is The