
1 KISTI Grid CA Status Report Sangwan Kim Korea Institute of Science and Technology Information Technology Development Team 2014.


1 KISTI Grid CA Status Report
Sangwan Kim (sangwan@kisti.re.kr)
Korea Institute of Science and Technology Information, Technology Development Team
2014. 8. 14, APGridPMA Meeting (with APAN38)

2 Overview
 KISTI Grid CA
 Homepage: http://ca.gridcenter.or.kr/
 Root Certificate
   Subject: C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
   Valid: from Jul 12, 2007 to Aug 1, 2017
   Key size: 2048 bits
 Issued certs list: http://ca.gridcenter.or.kr/issued/
 CRL: http://ca.gridcenter.or.kr/CRL/722e5071.crl
 Contacts:
   ca@gridcenter.or.kr
   Sangwan Kim (sangwan@kisti.re.kr)

3 Operation Statistics
 # of certificates (chart; as of 13 Aug, 2014)

4 Subscribers by Organization
 # of subscribers (chart; as of 13 Aug, 2014)

5 Updated Issues
 KISTI Grid CA has supported Windows 7 for requesting user certificates since Jan. 2013.
 Before then, only Windows XP was supported.
(Screenshots of the request page: for WinXP, for Win7.)

6 Updated Issues
 From July 2014, only the SHA-256 hash algorithm is used for signing certificates.
 Change in the openssl config file for signing certificates:
    # default_md = sha1    # previously SHA-1
    default_md = sha256    # SHA-2
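The policy change above, reproduced as an added example (not the KISTI CA's own tooling) with a throw-away test CA: it assumes the openssl command line is available, signs a subscriber CSR with the config's default_md = sha256, and checks issued certificates for a SHA-256 signature and a key of at least 2048 bits, the size of the slide's root key.

```shell
# Added example (not KISTI's own tooling): reproduce the July 2014 switch to
# SHA-256-only signing and check issued certificates against that policy.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal openssl config; default_md is the line the slide changed from sha1 to sha256.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
[ dn ]
C = KR
O = Example
CN = Example Test CA
EOF
# Self-signed test root with a 2048-bit key (same size as the slide's root certificate)
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" -days 30 -out "$WORK/ca.pem" 2>/dev/null
# A subscriber's request, as the web page's "Generate CSR" step would produce it (constructed sample)
openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
openssl req -new -key "$WORK/user.key" -config "$WORK/ca.cnf" -subj "/C=KR/O=Example/CN=test user" \
  -out "$WORK/user.csr" 2>/dev/null
# sign_user DIGEST OUTFILE: issue a certificate for the CSR using the given digest
sign_user() {
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 "-$1" -out "$2" 2>/dev/null
}
# sig_alg CERT: signature algorithm name taken from the certificate's text dump
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
# key_bits CERT: RSA public key size in bits
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
# check_policy CERT: succeeds only for SHA-256 signatures over keys of at least 2048 bits
check_policy() {
  [ "$(sig_alg "$1")" = "sha256WithRSAEncryption" ] && [ "$(key_bits "$1")" -ge 2048 ]
}
sign_user sha256 "$WORK/user_sha256.pem"
# Some openssl builds refuse to create SHA-1 signatures at all; that also satisfies the policy.
sign_user sha1 "$WORK/user_sha1.pem" || echo "openssl refused SHA-1 signing on this system"
check_policy "$WORK/user_sha256.pem" && echo "sha256 certificate: accepted"
if [ -f "$WORK/user_sha1.pem" ] && ! check_policy "$WORK/user_sha1.pem"; then
  echo "sha1 certificate: rejected (pre-July-2014 algorithm)"
fi
```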

7 User Certificate Request
 The 'Generate CSR' button executes the CSR generation function in IE using CertEnroll.dll.

8 Certificate Request test (JavaScript source using CertEnroll.dll)

    function CreateRequest() {
        document.write("Create Request...");
        try {
            // objCertEnrollClassFactory is the CertEnroll web class factory, created by an
            // <object> tag elsewhere in the page (not shown on the slide); IE only.
            var objCSP = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformation");
            var objCSPs = objCertEnrollClassFactory.CreateObject("X509Enrollment.CCspInformations");
            var objPrivateKey = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
            var objRequest = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
            var objObjectIds = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectIds");
            var objObjectId = objCertEnrollClassFactory.CreateObject("X509Enrollment.CObjectId");
            var objX509ExtensionEnhancedKeyUsage = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
            var objExtensionTemplate = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName"); // unused in this sample
            var objDn = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");
            var objEnroll = objCertEnrollClassFactory.CreateObject("X509Enrollment.CX509Enrollment");

            // Initialize the CSP object using the desired Cryptographic Service Provider (CSP)
            objCSP.InitializeFromName("Microsoft Enhanced Cryptographic Provider v1.0");
            // Add this CSP object to the CSP collection object
            objCSPs.Add(objCSP);

            // Key length and key spec for the private key object.
            // Note: 1024-bit RSA is below current minimums; the KISTI root itself uses 2048 bits.
            objPrivateKey.Length = 1024;
            objPrivateKey.KeySpec = 1; // AT_KEYEXCHANGE = 1
            // Provide the CSP collection object (here containing only one CSP) to the private key object
            objPrivateKey.CspInformations = objCSPs;

            // Initialize the PKCS#10 request from the private key
            objRequest.InitializeFromPrivateKey(1, objPrivateKey, ""); // ContextUser = 1

            // Enhanced Key Usage extension: OID 1.3.6.1.5.5.7.3.2 = client authentication
            objObjectId.InitializeFromValue("1.3.6.1.5.5.7.3.2");
            objObjectIds.Add(objObjectId);
            objX509ExtensionEnhancedKeyUsage.InitializeEncode(objObjectIds);
            objRequest.X509Extensions.Add(objX509ExtensionEnhancedKeyUsage);

            // Subject distinguished name
            objDn.Encode("CN=alejacma", 0); // XCN_CERT_NAME_STR_NONE = 0
            objRequest.Subject = objDn;

            // Enroll: produce the base64 request with PEM header and footer
            objEnroll.InitializeFromRequest(objRequest);
            var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
            document.write(pkcs10);
            document.write("The end!");
        } catch (ex) {
            document.write(ex.description);
            return false;
        }
        return true;
    }
    CreateRequest();

9 References
 How to create a certificate request with CertEnroll
   http://blogs.msdn.com/b/alejacma/archive/2009/01/28/how-to-create-a-certificate-request-with-certenroll-javascript.aspx?PageIndex=2#comments
 Certificate Enrollment API
   http://msdn.microsoft.com/en-us/library/windows/desktop/aa374863(v=vs.85).aspx

10 With Windows XP (using xenroll.dll and VBScript)

    <OBJECT id='Enroll' codeBase="/xenroll.dll#Version=5,131,3659,0"
            classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"></OBJECT>

    Sub vbGenerateCSR
        Dim Form
        Set Form = document.form...
        ' xenroll builds the PKCS#10 request for the given subject name and OID
        sz10 = Enroll.CreatePKCS10(szName, "1.3.6.1.4.1.14305.1.1.1.1.2")
        If (sz10 = Empty Or theError <> 0) Then
            sz = "The error '" & Hex(theError) & "' occurred." & _
                 chr(13) & chr(10) & _
                 "Your credentials could not be generated."
            result = MsgBox(sz, 0, "Credentials Enrollment")
            Exit Sub
        Else
            Form.csr.value = sz10
            Form.ubtn.disabled = False
            MsgBox ("CSR has been generated")
        End If
    End Sub

    <input type='button' value='Generate CSR' name='btn_gencsr'
           style='width:250; height:30; background-color:#cccccc;'
           onclick="vbGenerateCSR" language="VBScript">

11 With Windows 7 (using CertEnroll.dll and JavaScript)

    function GenerateCSR() {
        try {
            // Variables
            ...
            // Enroll
            objEnroll.InitializeFromRequest(objRequest);
            var pkcs10 = objEnroll.CreateRequest(3); // XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
            document.form.csr.value = pkcs10;
            document.form.ubtn.disabled = false;
            alert('CSR has been generated');
            ...
        }
        ...
    }

    <input type='button' value='Generate CSR' name='btn_gencsr'
           style='width:250; height:30; background-color:#cccccc;'
           onclick="GenerateCSR" language="VBScript">

