120 likes | 231 Vues
John Douglass Systems Support Specialist Office of Information Technology. Rolling Your Own PKI. Who the heck is this guy?. Primary developer for the Georgia Tech PKI . Assisted in the development of the CREN CA Services Author of “Papyrus” (now called “Kalamos”) a PHP based CA application.
John DouglassSystems Support SpecialistOffice of Information Technology Rolling Your Own PKI
Who the heck is this guy? • Primary developer for the Georgia Tech PKI • Assisted in the development of the CREN CA Services • Author of “Papyrus” (now called “Kalamos”) a PHP based CA application. • Co-Author of the GT LAWN wireless authentication system and our residential network registration system START.
Custom vs. Established • Advantages • You are in control of your own destiny • Definitely cheaper • Can often use tools and methods that your technical groups currently understand • Disadvantages • Technical expertise is required • User education is PIVOTAL to success • Client issues abound (if you don’t prepare for it)
So You Have a Custom Root • Hierarchical vs. Flat Architecture • Are you your own root? • Is anyone besides you a relying party? • What features of PKI are you attempting to use? • Client Authentication? • Encryption? • Object Sign? • Web Server Certificates? • What client software can you support?
Browser and OS Interaction • Mozilla • Multiplatform • Utilizes its own internal certdatabase • Can use smartcards via PKCS11 • Internet Explorer • Utilizes operating system cert management • Can use smartcards via PKCS11 • NO cert functions are supported on MacOS • Safari • Utilizes OS cert management via keychain • Can use smartcards via PKCS11 • Opera • Works like Mozilla
OpenSSL is the Core • OpenSSL was not necessarily designed to BE a CA…but we can force it to be • It relies heavily upon a very mysterious configuration file (TBD) • It utilizes a text file as a “cert database” though there are simple ways around this (TBD) • It is usable from a system() or exec() call in any scripting language. • Freely available for many OS
Software Certs vs. Smartcards Phase 1: Software Certs Mozilla <FORM name="ReqForm" method="POST" action="user-sign-cert.php"> <KEYGEN NAME="csr" CHALLENGE="challengePassword”> <INPUT tabindex="3" name="submit" type=submit value="Generate Private Key"> </FORM> commonName = CN emailAddress = EMAIL … stateOrProvinceName = Georgia countryName = US SPKAC = $_POST[‘csr’]; $OPENSSL ca -config $OPENSSL_CONF -name $ca -extensions $extensions -startdate $certStartDate -days $days -spkac -in $requestFile -out $certFile –key $passphrase -batch
Software Certs vs. Smartcards Phase 1: Software Certs Internet Explorer <SCRIPT language="VBScript"> <!-- Dim Enroll On Error Resume Next Set Enroll = CreateObject("CEnroll.CEnroll.2") if ( (Err.Number = 438) OR (Err.Number = 429) ) Then Err.Clear Set Enroll = CreateObject("CEnroll.CEnroll.1") End If if Err.Number <> 0 then document.write("<h2 align=center>Can't instantiate the CEnroll control: " & Hex(err) ) End If Function GetProviderList() Dim CspList, cspIndex, ProviderName On Error Resume Next ' initialize all our values base = 0 count = 0 enhanced = 0 CspList = "" ProviderName = "" For ProvType = 0 to 13 cspIndex = 0 Enroll.ProviderType = ProvType ProviderName = Enroll.enumProviders(cspIndex, 0) while ProviderName <> "" Set oOption = document.createElement("OPTION") oOption.text = ProviderName oOption.value = ProvType ' This is a personal "hack" to limit the crypto providers. if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then Document.ReqForm.CspProvider.add(oOption) end if if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then base = count end if if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then enhanced = count end if cspIndex = cspIndex + 1 ProviderName = "" ProviderName = Enroll.enumProviders(cspIndex, 0) count = count + 1 wend Next Document.ReqForm.CspProvider.selectedIndex = base if enhanced then ' Document.ReqForm.CspProvider.selectedIndex = enhanced DOcument.ReqForm.CspProvider.selectedIndex = 0 end if End Function Function CSR(keyflags) CSR = "" szName = "<? print($DN); ?>" Enroll.HashAlgorithm = "MD5" err.clear On Error Resume Next set options = document.all.CspProvider.options index = options.selectedIndex Enroll.providerName = options(index).text tmpProviderType = options(index).value Enroll.providerType = tmpProviderType Enroll.KeySpec = 2 if tmpProviderType < 2 Then Enroll.KeySpec = 1 end if Enroll.GenKeyFlags = &h04000001 OR keyflags CSR = Enroll.createPKCS10(szname, "") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = &h04000000 OR keyflags CSR = Enroll.createPKCS10(szname, "") if len(CSR) <> 0 then Exit Function if Enroll.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then MsgBox("The 1024-bit key generation failed. Please upgrade your browser to the latest version.") Exit Function end if Enroll.GenKeyFlags = 2 OR keyflags CSR = Enroll.createPKCS10(szName, "") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = keyflags CSR = Enroll.createPKCS10(szName, "") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = 0 CSR = Enroll.createPKCS10(szName, "") End Function Sub REQUEST_OnClick Dim Form Set Form = Document.ReqForm err.clear result = CSR(2) if len(result) = 0 Then result = MsgBox("Unable to generate PKCS10.", 0, "Alert") Exit Sub end if Form.csr.value = result Form.Submit End Sub --> </SCRIPT> <INPUT TYPE="hidden" NAME="csr" VALUE=""> <input type="hidden" name="cert" value="<? print($certtype); ?>"> <SELECT NAME="CspProvider"> </SELECT> <input type="button" name="btnRequest" value="Generate Private Key" onClick="REQUEST_OnClick" language="VBSCRIPT" border=1> </FORM> • Well… • ActiveX + VBScript • You need to designate the DN components$OPENSSL ca -config $OPENSSL_CONFIG -name $myca -extensions $extensions -startdate $certStartDate -enddate $certEndDate -out $certfile -key $passphrase -in $requestfile -batch
Software Certs vs. Smartcards Phase 2: Smartcard Certs • Smartcards • If you want to use an open source CA…your vendor almost definitely will need to agree and modify their product. • Enter “Kalamos” an XML-RPC based certificate request signing code base.
Right down to it… • Pick your battles • Attempt one thing at a time • Plan as best you can, but expect changes • Expect limitations