
1 Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...

2 Certificate Talks
Introduction and Theory
Using get-cert (KCA certificate) under Linux
Using get-cert (KCA certificate) under OS X
Using Network Identity Manager for Windows
More Theory

3 Public key encryption, Public Key Infrastructure (PKI)
Digital Signature
{Digital} Certificate
X.509 Standard (CCITT) and X.500 Naming Conventions
Distinguished and Common Names
Certificate Authority (CA)
CA Certificate
Chain of Trust
Secure Sockets Layer (SSL)

4 Public Key Encryption
Bob's co-workers: Pat, Doug, Susan. Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself.
Bob's keys: (public) (private)
Plaintext: "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"
Ciphertext (encrypted with Bob's public key): HNFmsEm6Un BejhhyCGKOK JuxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A
Decrypted with Bob's private key: "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"

5 Digital Signature
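An added example, not from the slides, of what the two pictures show, done with the openssl command line (assumed to be on PATH; Bob's keys and the message are constructed here): anyone can encrypt to Bob's public key but only his private key decrypts, and a signature made with his private key stops verifying as soon as the message is altered.

```shell
#!/bin/sh
# Added example (not part of the talk): Bob's key pair, encryption and signing
# with the openssl CLI. Everything is built in a scratch directory.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Bob's keys: the private key stays with Bob, the public key is handed out.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out bob.key 2>/dev/null
openssl pkey -in bob.key -pubout -out bob.pub

# Constructed sample message (the lunch invitation from the slide).
printf '%s' "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" > msg.txt

# Encryption (RSA-OAEP): anyone holding bob.pub can encrypt; only bob.key decrypts.
encrypt_for_bob() { openssl pkeyutl -encrypt -pubin -inkey bob.pub -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"; }
decrypt_as_bob()  { openssl pkeyutl -decrypt -inkey bob.key -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"; }

# Signing: only bob.key can sign; anyone holding bob.pub can verify.
# verify_bob_signature returns 0 when the signature matches the message, 1 otherwise.
sign_as_bob() { openssl dgst -sha256 -sign bob.key -out "$2" "$1"; }
verify_bob_signature() { openssl dgst -sha256 -verify bob.pub -signature "$2" "$1" >/dev/null 2>&1; }

encrypt_for_bob msg.txt msg.enc
decrypt_as_bob msg.enc msg.dec
[ "$(cat msg.dec)" = "$(cat msg.txt)" ] && echo "decrypted text matches the original"

sign_as_bob msg.txt msg.sig
verify_bob_signature msg.txt msg.sig && echo "signature verifies"

# Tamper-evidence: change a few characters and the same signature no longer verifies.
sed 's/free refills/no refills/' msg.txt > tampered.txt
verify_bob_signature tampered.txt msg.sig || echo "tampered message rejected"
```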

6 Digital Certificate
Bob Info: Name, Department, Cubicle Number
Certificate Info: Expiration Date, Serial Number
Bob's Public Key
Certificate Authority: CA Private Key (signs the certificate)

7 Look Inside the Certificate
Subject Information:
- Organization
- Name
- Email (optional)
Certificate Information:
- Issuer (CA) Name
- Validity dates (begin:end)
- Serial Number
- Usage flags
Subject's Public Key
Hash Data
Signature (by CA Private Key)

8 Some Certificate Uses
Signing messages
– Identify author
– Make message tamper-evident
Identify host for SSL connection
Web site authentication (common KCA usage)
Others

9 And now for something... Completely specific: The HowTo talks on getting KCA certificates under Linux, Mac OS X and Windows

10 Certificate Parts
Subject (of the certificate)
Valid-from and Expiration Dates
Serial Number
Public Key of the Subject
Issuer of this certificate
Hash and signature encoding algorithms
Signed by the CA Certificate's private key
Extensions (E-mail address, etc.)

11 Certificate Parts #2
Distinguished Names (DN) and Common Names (CN)
– /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
– /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
– /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
– /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy
Signature makes certificate tamper-evident

12 Types of Certificates
Long-term personal certificates
– DOEGrids, Thawte, Verisign, etc.
Short-term personal certificates
– Fermilab KCA
Host/Service certificates
– For a particular node
– *.fnal.gov

13 Fermilab Kerberos CA (KCA)
Get a certificate based on Kerberos credentials
Tied to the Fermilab infrastructure
– KCA uid=nagy is the user name in CNAS, etc.
Short-term certificate, valid for the maximum lifetime (7 days) of the Kerberos ticket

14 Certificate Authority
Validates identity
– KCA relies on your having Kerberos credentials
Issues certificates signed with the CA private key
Identified by the Certificate Authority Certificate
– CA Certificate needed to validate issued certificates
Maintains Certificate Revocation List (CRL)

15 Trust Chain and Root CA
Diagram: Root CA → Subordinate CA → End User (a second Subordinate CA also hangs off the Root CA)
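An added example, not part of the talk, that builds the chain in the diagram with the openssl command line (assumed to be on PATH) and reads back the parts listed on slides 10 and 14: a self-signed Root CA certifies a Subordinate CA, which issues a 7-day end-user certificate; without the Subordinate CA certificate the end-user certificate cannot be validated. All names and the e-mail address are constructed.

```shell
#!/bin/sh
# Added example (not part of the talk): a Root CA -> Subordinate CA -> End User
# chain built with the openssl CLI. All names and the e-mail address are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions: CA certificates must carry CA:TRUE, end-user certificates must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=email:jexample@example.gov\n' > user.ext

# Root CA: self-signed, the trust anchor every relying party must already hold.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.csr \
  -subj "/DC=gov/DC=example/O=Example Lab/OU=Certificate Authorities/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null

# Subordinate CA: its public key is certified by the root's private key.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout sub.key -out sub.csr \
  -subj "/DC=gov/DC=example/O=Example Lab/OU=Certificate Authorities/CN=Example Sub CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out sub.crt 2>/dev/null

# End user: short-lived (7 days, like a KCA certificate), signed by the subordinate CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout user.key -out user.csr \
  -subj "/DC=gov/DC=example/O=Example Lab/OU=People/CN=Jane Example/CN=UID:jexample" 2>/dev/null
openssl x509 -req -in user.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 7 -extfile user.ext -out user.crt 2>/dev/null

# The "Certificate Parts" fields, read back from a certificate file.
show_parts() { openssl x509 -in "$1" -noout -subject -issuer -serial -dates; }

# Returns 0 when the end-user certificate ($3) chains to the trust anchor ($1)
# through the untrusted, still-to-be-verified subordinate certificate ($2); 1 otherwise.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

show_parts user.crt
verify_chain root.crt sub.crt user.crt && echo "chain OK: user <- sub <- root"
# Leave the Subordinate CA certificate out and the issuer can no longer be found.
openssl verify -CAfile root.crt user.crt >/dev/null 2>&1 || echo "without sub.crt: verification fails"
```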

16 Further Reading
What is a Digital Signature?
– http://www.youdzone.com/signature.html
– The source of some of the images in my talk.
OpenSSL Certificate Cookbook
– Certificate Management and Installation with OpenSSL: http://gagravarr.org/writing/openssl-certs/index.shtml
– OpenSSL Certificate Cookbook: http://www.amigodocarro.com/html/ssl_cook.html
Wikipedia: Public key certificate
– http://en.wikipedia.org/wiki/Public_key_certificate

17 KCA Certificates for Linux Firefox
How to import KCA Certificates in Scientific Linux Fermi Firefox
Connie Sieh csieh@fnal.gov

18 Firefox – Try to access a page

19

20 Firefox – view certificates

21

22 Firefox – View Certificates

23 Firefox – Your certificates before

24 Firefox – STOP FIREFOX

25 Firefox – kinit

26 Firefox – getcert waiting for user

27 Firefox – getcert done

28 Firefox – after getcert

29 Firefox – view certs after

30 Firefox – have cert – page loads

31 Computer Security Awareness Day, September 29, 2009
David Schuman / CD Desktop Support

32 Where is it located?
How do I renew the certificate?
Identity (user@FERMI.WIN.FNAL.GOV)
How do I import the certificate?
Firefox versus Internet Explorer

33

34

35

36

37

38 http://computing.fnal.gov/software/netidmgr/netidmgr-faq.html#PopUpCredentia

39

40

41  Questions!

42 Ben Segbawu September 29 2009

43  Location
▪ Where can I get the get-cert script
▪ Where should I put the get-cert script
 The Get Cert Script
▪ Options
▪ Username
 RunGetCert App

44  Where to get and where to put
▪ http://security.fnal.gov/tools/index.html
▪ Unzip and un-tar to /usr/bin/get-cert/

45  Options
▪ -i (lower-case i) imports into Firefox
▪ -k imports into Keychain
 Username
▪ If your user name is not the same as your account name you will encounter an error.
▪ The workaround is to modify the KCA script or, better yet, create an account name on your OS X computer that matches your user name.

46  An AppleScript "GUI" front end that runs the get-cert script

47  Contact the Service Desk for support at http://servicedesk.fnal.gov

