
Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...


Presentation Transcript


  1. Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...

  2. Certificate Talks Introduction and Theory Using get-cert (KCA certificate) under Linux Using get-cert (KCA certificate) under OS X Using Network Identity Manager for Windows More Theory

  3. Public key encryption, Public Key Infrastructure (PKI) Digital Signature {Digital} Certificate X.509 Standard (CCITT) and X.500 Naming Conventions Distinguished and Common Names Certificate Authority (CA) CA Certificate Chain of Trust Secure Socket Layer (SSL)

  4. Public Key Encryption. Bob's keys: one public, one private. Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself. Bob's co-workers (Pat, Doug, Susan) send him the message "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"; the slide's diagram shows the message turned into unreadable ciphertext with Bob's public key and recovered as the original text with his private key.

  5. Digital Signature

  6. Digital Certificate. Bob Info: Name, Department, Cubicle Number. Certificate Info: Expiration Date, Serial Number. Bob's Public Key. Signed by the Certificate Authority with the CA Private Key.

  7. Look Inside the Certificate. Subject Information: Organization, Name, Email (optional). Certificate Information: Issuer (CA) Name, Validity dates (begin:end), Serial Number, Usage flags. Hash Data. Subject's Public Key. Signature (by CA Private Key).

  8. Some Certificate Uses: Signing messages (identify author, make message tamper-evident); Identify host for SSL connection; Web site authentication (common KCA usage); Others.

  9. And now for something... Completely specific: The HowTo talks on getting KCA certificates under Linux, Mac OS X and Windows

  10. Certificate Parts: Subject (of the certificate); Valid and Expiration Dates; Serial Number; Public Key of the Subject; Issuer of this certificate; Hash and signature encoding algorithms; Signed by CA Certificate private key; Extensions (E-mail address, etc.).

  11. Certificate Parts #2: Distinguished Names (DN) and Common Names (CN). Examples:
      /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
      /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
      /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
      /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy
      Signature makes certificate tamper-evident.

  12. Types of Certificates: Long-term personal certificates (DOEGrids, Thawte, Verisign, etc.); Short-term personal certificates (Fermilab KCA); Host/Service certificates for a particular node (*.fnal.gov).

  13. Fermilab Kerberos CA (KCA): Get a certificate based on Kerberos credentials. Tied to the Fermilab Infrastructure: KCA uid=nagy is the user name in CNAS, etc. Short-term certificate, valid for the maximum lifetime (7 days) of the Kerberos ticket.

  14. Certificate Authority: Validates identity (the KCA relies on your having Kerberos credentials). Issues certificates signed with the CA private key. Identified by the Certificate Authority Certificate; the CA Certificate is needed to validate issued certificates. Maintains a Certificate Revocation List (CRL).

  15. Trust Chain and Root CA: Root CA; Subordinate CA; Subordinate CA; End User (each certificate in the chain is signed by the CA above it).
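To make slides 10 through 15 concrete, here is an added example (not a script from the talk or from Fermilab) that uses the OpenSSL command line to build a two-level chain of trust, issue a 7-day personal certificate with the DN form shown on slide 11, and inspect the certificate parts. The CA name "Example KCA", the temporary paths and the sample DN are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): two-level chain of trust with the OpenSSL CLI,
# a short-term "KCA-style" personal certificate, and a look at its parts.
# The CA name "Example KCA" and the temp directory are assumptions.
set -eu
WORK=$(mktemp -d)

# Root CA: self-signed and long-lived; its private key signs every issued certificate.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Example KCA" \
    >/dev/null 2>&1
}

# Short-term personal certificate in the slide's DN form, valid 7 days like a KCA cert.
make_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" \
    -subj "/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy" \
    >/dev/null 2>&1
  openssl x509 -req -days 7 -sha256 -in "$WORK/user.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/user.pem" >/dev/null 2>&1
}

# Certificate parts from slide 10: subject, issuer, validity dates, serial number.
cert_parts() { openssl x509 -noout -subject -issuer -dates -serial -in "$1"; }

# Subject DN in RFC 2253 form (most specific RDN first): "CN=UID:nagy,CN=Frank J. Nagy,...".
subject_rfc2253() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Chain of trust: the user certificate validates only when the CA certificate is known.
verify_with_ca()    { openssl verify -CAfile "$WORK/ca.pem" "$WORK/user.pem" >/dev/null 2>&1 && echo ok || echo fail; }
verify_without_ca() { openssl verify -no-CAfile -no-CApath "$WORK/user.pem" >/dev/null 2>&1 && echo ok || echo fail; }

# "yes" if the certificate (arg 1) expires within N days (arg 2): checks the short lifetime.
expires_within_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1 && echo no || echo yes
}

make_root_ca
make_user_cert
cert_parts "$WORK/user.pem"
echo "verify with CA: $(verify_with_ca); without CA: $(verify_without_ca)"
```

The verify step without the CA file fails exactly as slide 14 says: the CA certificate is needed to validate an issued certificate.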

  16. Further Reading:
      What is a Digital Signature? http://www.youdzone.com/signature.html (the source of some of the images in my talk)
      OpenSSL Certificate Cookbook: Certificate Management and Installation with OpenSSL, http://gagravarr.org/writing/openssl-certs/index.shtml
      OpenSSL Certificate Cookbook, http://www.amigodocarro.com/html/ssl_cook.html
      Wikipedia: Public key certificate, http://en.wikipedia.org/wiki/Public_key_certificate

  17. How to import KCA Certificates in Scientific Linux Fermi Firefox. Connie Sieh, csieh@fnal.gov. KCA Certificates for Linux Firefox.

  18. Firefox – Try to access a page

  19. Firefox – Try to access a page

  20. Firefox – view certificates

  21. Firefox – view certificates

  22. Firefox – View Certificates

  23. Firefox – Your certificates before

  24. Firefox – STOP FIREFOX

  25. Firefox – kinit <username>

  26. Firefox – getcert waiting for user

  27. Firefox – getcert done

  28. Firefox – after getcert

  29. Firefox – view certs after

  30. Firefox – have cert – page loads

  31. Network Identity Manager for Windows. David Schuman / CD Desktop Support. Computer Security Awareness Day, September 29, 2009.

  32. Agenda: Where is it located; How do I renew the certificate; Identity (user@FERMI.WIN.FNAL.GOV); How do I import the certificate; Firefox versus Internet Explorer.

  33. Location

  34. Advance Tab (F7)

  35. Identity - User@FERMI.WIN.FNAL.GOV

  36. Obtain new credentials

  37. Fermi Domain Password

  38. Website to import certificate for FireFox: http://computing.fnal.gov/software/netidmgr/netidmgr-faq.html#PopUpCredentia

  39. Instructions to import certificate

  40. (untitled slide)

  41. Questions!

  42. Get Cert on OSX. Ben Segbawu, September 29 2009.

  43. Agenda: Location (Where can I get the get-cert script; Where should I put the get-cert script); The Get Cert Script (Options; Username); RunGetCert App.

  44. Location: Where to get and where to put: http://security.fnal.gov/tools/index.html; unzip and un-tar to /usr/bin/get-cert/.

  45. Get Cert Script. Options: -i (lower-case i) imports into Firefox; -k imports into the keychain. Username: if your user name is not the same as your account name you will encounter an error. The workaround is to modify the KCA script or, better yet, create an account name on your OSX computer that matches your user name.

  46. RunGetCert App: an AppleScript "GUI" front end that runs the get-cert script.

  47. Q & A. Contact the Service Desk for support at http://servicedesk.fnal.gov
