Published by Philomena Cunningham. Modified over 9 years ago.
1
IST-2006-026409 www.eu-eela.org
E-infrastructure shared between Europe and Latin America
ULAGrid Certification Authority
Vanessa Hamar
Universidad de Los Andes – Merida, Venezuela
5th F2F Banff, 17/07/2007
2
Overview
–Introduction
–Key Sizes
–Repository
–Identification and Authentication
3
Introduction
–The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.
–CP/CPS follows the IETF’s RFC 3647
–1.3.6.1.4.1.19286.2.2.2.0.1.3
4
Key Sizes
–Keys of length less than 1024 bits are not accepted.
–All user keys will have a 1024 bit RSA key size.
–All host and service keys will have a 2048 bit RSA key size.
–The ULA CA key will always have an RSA 2048 bit key size.
–The lifetime is 10 years for the CA and 1 year for End Entities.
5
Repository
The online repository of information from the ULAGrid CA is accessible at: https://ra.cecalc.ula.ve/pub/
Email = ca@cecalc.ula.ve
This is a secure online repository that contains:
–The ULAGrid CA’s certificate,
–All end entity certificates issued by the CA,
–A Certificate Revocation List,
–A copy of the most recent approved version of this policy and all previous approved versions.
6
Repository
URL for the CA's main web page with info: https://ra.cecalc.ula.ve
URL for the CRL on the CA's web site: http://ra.cecalc.ula.ve/pub/crl/cacrl.crl
7
Repository
8
Repository
9
Repository
10
Identification and authentication
–The Subject Name is of the X.500 name type, a Distinguished Name.
–The generic format for a service subject is as follows:
C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN
–The “C=VE” and “O=Grid” are the subject’s fixed parts and must be present in all the certificates.
–An additional subscriber’s organization “O=”, describing the organization’s name, must be provided, as well as an “OU=” describing the organization group.
–All the subject parts are mandatory in all the certificates, including the two “O=”.
–The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.
11
Identification and authentication
ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
ra:~# openssl x509 -in usercert.pem -subject -noout
subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar
12
Profile ULAGrid CA
For CA certificates:
–Basic Constraints: critical, ca: true
–Subject Key Identifier: hash
–Authority Key Identifier: keyid
–Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign
–Extended Key Usage: timeStamping
–Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
–Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
–Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
13
Profile ULAGrid CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8e:2a:83:5b:16:0f:a0:e8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Validity
            Not Before: Jul 13 14:15:02 2007 GMT
            Not After : Jul 10 14:15:02 2017 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
14
Profile ULAGrid CA
            X509v3 Subject Key Identifier:
                DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
            X509v3 Authority Key Identifier:
                keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
                serial:8E:2A:83:5B:16:0F:A0:E8
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:ca@cecalc.ula.ve
            X509v3 Issuer Alternative Name:
                email:ca@cecalc.ula.ve
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                CeCalCULA Certification Authority Certificate
15
Profiles Users
For natural person certificates:
–Basic Constraints: critical, ca: false
–Subject Key Identifier: hash
–Authority Key Identifier: keyid
–Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment
–Extended Key Usage: clientAuth, emailProtection, timeStamping
–Netscape Cert Type: SSL Client, S/MIME, Object Signing
–Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
–CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
–Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
–Subject Alternative Name: e-mail address
16
Profile Users
ra:~# openssl x509 -in usercert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
17
Profile Users
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                  CPS: http://ra.cecalc.ula.ve/pub
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                Registration Authority Operator of CeCalCULA
            X509v3 Subject Key Identifier:
                95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3
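Added example, not part of the original slides or of the ULAGrid CA's tooling: a checker that compares an "openssl x509 -text" dump with the key size, lifetime and user profile stated in this presentation and lists every deviation. The function names and the 366-day ceiling are assumptions, and the sample dump is constructed from the fields shown on the user-certificate slides.

```python
import re
from datetime import datetime

# Rules and declared user profile, as stated on the slides.
USER_KEY_BITS = 1024
MAX_EE_DAYS = 366   # assumption: "1 year" may span a leap day
DECLARED_KEY_USAGE = {"Digital Signature", "Non Repudiation",
                      "Key Encipherment", "Data Encipherment"}

# Constructed sample: fields copied from the user-certificate dump above.
SAMPLE_DUMP = """\
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
                RSA Public Key: (1024 bit)
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
"""

def _when(dump, label):
    """Parse the 'Not Before' / 'Not After' timestamp of the dump."""
    stamp = re.search(label + r"\s*:\s*(.+?) GMT", dump).group(1)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")

def check_user_profile(dump):
    """Return the deviations of a text dump from the declared user profile."""
    issues = []
    bits = int(re.search(r"Public[- ]Key: \((\d+) bit\)", dump).group(1))
    if bits != USER_KEY_BITS:
        issues.append(f"key size {bits}, expected {USER_KEY_BITS}")
    days = (_when(dump, "Not After") - _when(dump, "Not Before")).days
    if days > MAX_EE_DAYS:
        issues.append(f"lifetime {days} days, maximum {MAX_EE_DAYS}")
    bc = re.search(r"X509v3 Basic Constraints:(.*)\n\s*CA:(\w+)", dump)
    if bc is None or bc.group(2) != "FALSE":
        issues.append("Basic Constraints is not CA:FALSE")
    elif "critical" not in bc.group(1):
        issues.append("Basic Constraints not marked critical")
    ku = re.search(r"X509v3 Key Usage:.*\n\s*(.+)", dump)
    have = {u.strip() for u in ku.group(1).split(",")} if ku else set()
    for usage in sorted(DECLARED_KEY_USAGE - have):
        issues.append(f"Key Usage missing: {usage}")
    return issues

if __name__ == "__main__":
    for issue in check_user_profile(SAMPLE_DUMP):
        print(issue)
```

Run against the sample, it reports the two places where the dumped certificate differs from the declared profile: the Basic Constraints criticality flag and the dataEncipherment key usage bit.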
18
Others
ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
19
Others
ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5
# Signing policy file for ULAGridCA
access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve'
pos_rights globus CA:sign
cond_subjects globus '"/C=VE/O=Grid/*"'
ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
serial=8E2A835B160FA0E8
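Added example, not part of the original slides or of the ULAGrid CA's software: a validator for one-line subjects that applies the naming rules from the Identification and authentication slides and the cond_subjects pattern of the signing policy file above. The function names, the use of fnmatch to approximate the signing-policy wildcard, and the host name grid.example.org are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Attribute order of the generic subject format given on the slide.
REQUIRED_ORDER = ["C", "O", "O", "OU", "CN"]
# cond_subjects pattern from the signing policy file shown above.
COND_SUBJECTS = "/C=VE/O=Grid/*"

def parse_subject(oneline):
    """Split an OpenSSL one-line subject into (type, value) pairs.

    A '/' starts a new attribute only when 'TYPE=' follows it, so a
    service CN such as 'host/grid.example.org' stays in one piece.
    """
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", oneline.strip())
    if parts[0] != "":
        raise ValueError("subject must start with '/'")
    return [tuple(p.split("=", 1)) for p in parts[1:]]

def check_subject(oneline, issued=()):
    """Return the naming-rule violations for a subject (empty list = acceptable)."""
    try:
        rdns = parse_subject(oneline)
    except ValueError as exc:
        return [str(exc)]
    # emailAddress appears on the CA's own subject; leave it out of the order check.
    types = [t for t, _ in rdns if t != "emailAddress"]
    errors = []
    if types != REQUIRED_ORDER:
        errors.append("expected C, O, O, OU, CN; got " + ", ".join(types))
    if rdns[:2] != [("C", "VE"), ("O", "Grid")]:
        errors.append("fixed parts C=VE and O=Grid missing")
    if any(not v.strip() for _, v in rdns):
        errors.append("empty attribute value")
    if not fnmatchcase(oneline, COND_SUBJECTS):
        errors.append("subject outside signing policy " + COND_SUBJECTS)
    if oneline in issued:
        errors.append("Distinguished Name already certified")
    return errors

if __name__ == "__main__":
    print(check_subject("/C=VE/O=Grid/OU=CeCalCULA/CN=Someone"))
```

Splitting the subject on every "/" would cut a CN of the form service/FQDN in two, which is why the parser looks for "TYPE=" after the slash.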
20
?