Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Published byMagnus Hicks Modified over 9 years ago

Similar presentations

Presentation on theme: "Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA"— Presentation transcript:

1 Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA john.kewley@stfc.ac.uk 30/03/2012EGI CF Munich1

2 Outline Certificates and The UK e-Science CA The Lifecycle of a User Certificate Some problems The CertWizard and other Improvements Future work 30/03/2012EGI CF Munich2

3 Authentication: Identity: who you are c.f. Passport, identity card Authorisation: What you are allowed to do c.f. Visa, or Work/Residence Permit Authentication vs Authorisation 30/03/20123EGI CF Munich

4 What is a CA? A CA (Certification Authority) is a trusted identity that issues and manages digital certificates (security credentials). Trusting a particular CA means that you trust the identity of its certificate holders 30/03/2012EGI CF Munich4

5 The UK e-Science CA The UK e-Science CA issues 13 month certificates for use by users, services and hosts from the UK e-Science Grid community. Since it follows international standards and is accredited by the IGTF, its certificates are accepted by Grids around the world. 30/03/2012EGI CF Munich5

6 Registration Authorities For a CA is to sign their certificate, the user's identity needs asserting This role is federated to about 60 Registration Authorities (RAs) throughout the UK The CA trusts their RA Operators to check the user's photo-id and approve their certificate requests. 30/03/2012EGI CF Munich6

7 Certificate Lifecycle 30/03/2012EGI CF Munich7 VALID Apply

8 The Apply Process 30/03/2012EGI CF Munich8 User Applies for New Certificate CA Signs RA Approves Request User and RA Meet Face to Face

9 The Apply Process 30/03/2012EGI CF Munich9 User Applies for New Certificate CA Signs RA Approves Request User and RA Meet Face to Face Is user entitled to a Certificate? Does PhotoID match Photocopy PhotoID and file Check PIN

10 Certificate Lifecycle 30/03/2012EGI CF Munich10 VALID Apply Renew EXPIRED

11 The Renew Process 30/03/2012EGI CF Munich11 User Applies for Certificate Renewal CA Signs RA Approves Renewal Request

12 Certificate Lifecycle 30/03/2012EGI CF Munich12 VALID REVOKED Apply Renew Revoke EXPIRED

13 Browser/OS Problems We receive many certificate problems on our helpdesk, mostly expiries or browser issues Browsers change, we can't support them all OpenCA s/w was problematic to update. http://www.ngs.ac.uk/supported-internet-browsers 30/03/2012EGI CF Munich13

14 Other Problems If a user's certificate has been revoked or in the following situations: –User's email address changes –User's certificate expires unexpectedly –User wants a new certificate as their old one expired some time ago Then the user must apply for a new one (requesting revocation of their old one if required). This requires visiting the RA Operator in person. 30/03/2012EGI CF Munich14

15 Plan 1.Duplicate existing functionality of old web interface in new CertWizard 30/03/2012EGI CF Munich15

16 Old Web Interface 30/03/2012EGI CF Munich16

17 Old vs New 30/03/2012EGI CF Munich17 CA-Sign CertWizard CA DB Browsers OpenCA https CA-Server REST BulkNew BulkRA Old New

18 CertWizard Platform and browser independent Automatically updating RESTful interface http://www.ngs.ac.uk/tools/certwizard 30/03/2012EGI CF Munich18

19 30/03/2012EGI CF Munich19

20 30/03/2012EGI CF Munich20

21 Renew Certificate 30/03/2012EGI CF Munich21

22 Request Revocation 30/03/2012EGI CF Munich22

23 Plan 1.Duplicate existing functionality of old web interface in new CertWizard 2.Amend policy and extend CertWizard to permit renewing recently-expired certificates 30/03/2012EGI CF Munich23

24 Renew Recently Expired 30/03/2012EGI CF Munich24 VALID REVOKED Apply Renew Revoke EXPIRED Recent? No Yes

25 Plan 1.Duplicate existing functionality of old web interface in new CertWizard 2.Amend policy and extend CertWizard to permit renewing recently expired certificates 3.Permit virtual meetings (VC for example) for Re-Applications 30/03/2012EGI CF Munich25

26 Re-Applications 30/03/2012EGI CF Munich26 VALID REVOKED Apply Renew Revoke EXPIRED No Re-Apply Recent? Yes

27 The Re-Apply Process 30/03/2012EGI CF Munich27 User Applies for New Certificate CA Signs RA Approves Request User and RA Meet Virtually

28 Plan 1.Duplicate existing functionality of old web interface in new CertWizard 2.Amend policy and extend CertWizard to permit renewing recently expired certificates 3.Permit virtual meetings (VC for example) for Re-Applications 4.Extend CertWizard to allow changing of email addresses 30/03/2012EGI CF Munich28

29 Change requests 30/03/2012EGI CF Munich29 VALID REVOKED Apply Renew Revoke EXPIRED Recent? No Yes Re-Apply Change

30 Change Requests Design Options 1.Permit changing email address at Renewal or as a separate Change process. 2.Should the RA Operator be involved? 3.Should the keys and expiry remain the same? 30/03/2012EGI CF Munich30

31 Plan 1.Duplicate existing functionality of old web interface in new CertWizard 2.Amend policy and extend CertWizard to permit renewing recently expired certificates 3.Permit virtual meetings (VC for example) for Re-Applications 4.Extend CertWizard to allow changing of email addresses 5.Integrate CertWizard functionality with our existing MyProxy and VOMS tools 30/03/2012EGI CF Munich31

32 Seamless Interworking Integrated with MyProxyUploader, our previous proxy generation tool Uploading to MyProxy servers Local Proxies Add VOMS attributes 30/03/2012EGI CF Munich32

33 Export/Backup 30/03/2012EGI CF Munich33

34 Install 30/03/2012EGI CF Munich34

35 Configuration CA Certificates MyProxy servers VOMS servers Your Certificate 30/03/2012EGI CF Munich35

36 MyProxyUploader 30/03/2012EGI CF Munich36

37 Local Proxy 30/03/2012EGI CF Munich37

38 VOMS attributes 30/03/2012EGI CF Munich38

39 Additional work Provide an RA Operator interface Bulk Host Certificate Request interface Support for Host Certificates in CertWizard Online CA 30/03/2012EGI CF Munich39

40 Summary Implemented a Certificate request tool Integrated it with our existing MyProxy tool Will allow renewal of recently-expired certificates Introduced the idea of a Re-Application Permit virtual meetings for Re-Applications Designing a Change mechanism for email addresses Less hassle for Users Less work for RA Operators Looking ahead to an online CA 30/03/2012EGI CF Munich40

41 Acknowledgements Jens Jensen and David Meredith NGS STFC 30/03/2012EGI CF Munich41 The next NGS Seminar will be by Josh Howlett of JANET and will be entitled: "Moonshot - next generation federated identity" http://www.ngs.ac.uk/news/ngs-seminar-series-february-2012

42 Certificate Lifecycle 30/03/2012EGI CF Munich42 VALID Approved New ArchivedDeleted Renew

43 CSR Lifecycle 30/03/2012EGI CF Munich43 VALID Approved New Archived Deleted Renew Signing RA Approval CSRCertificate

44 CSR Lifecycle 30/03/2012EGI CF Munich44 Renewal Approved Archived New Deleted

45 Revocation Lifecycle 30/03/2012EGI CF Munich45 SUSPENDED Approved SUSPENDED RA User CA Deleted CSR Other RA Signing RA

46 The Revoke Process 30/03/2012EGI CF Munich46 User Makes Revocation Request CA Signs RA Makes Revocation Request Another RA makes Revocation Request RA Approves Request

Download ppt "Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
PKI Implementation in the Real World

PKI Implementation in the Real World
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.

1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

Similar presentations

Ads by Google