1 / 6

Large-scale issuing of host certs in a member-integrated or institutional CA environment

Large-scale issuing of host certs in a member-integrated or institutional CA environment. Initial use case. Centrally managed Large data centres Example: CERN >> 10 000 systems Institutional properties

shada
Télécharger la présentation

Large-scale issuing of host certs in a member-integrated or institutional CA environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Large-scale issuing of host certs in a member-integrated or institutional CA environment

  2. Initial use case • Centrally managed Large data centres • Example: CERN>> 10 000 systems • Institutional properties • operating (as an EIRO) an institutionally-embedded CAbut could also be an automated RA for an external CA ... • managed hosts in physically controlled environment • fully centralised configuration management Aim: provision host certs in a scalable and secure way

  3. Simplified request flow

  4. Workflow • New servers that are put into production in the CERN Computer Center will communicate with the Configuration Manager Servers and will signal that they require a host certificate. • After the validation of the requester Configuration Manager Servers  will be able to request host certificates of the new template on behalf of the servers from step 1. Only those Configuration Manager Server possessing a valid Robot certificate will be able to do that. Robot certificates will be installed on them manually and following the standard through-the-website procedure. • The requests from step 2 will be securely sent to CERN CA using a special web service (not a website) • The reply from CERN CA will be sent to the Server from step 1.

  5. Obvious pros and cons • With O(1000) requests, humans cannot accurately check them all for correctness: automated process reduces number of errors • Close integration with CA request process reduces number of points between admin  RA CA • Automated processes can make errors as well, and very fast indeed • Identification of ‘new’ computer hardware is non-trivial • Humans are good at identifying oddities, making some attack modes harder to exploit

  6. Proposal • Full discussion in January (Ljubljana) • extended description will be given by Alexey (CERN) • assess risks and opportunities • Needs description in CP/CPS • address attacks on CM servers (referring to the attacks on automated CAs recently, like Comodo, DigiNotar, ...) • heuristics to mitigate risk (correlation with installments, domain checks, time-of-day, etc.) • identification of requesting machines? How can that be done? TPM, MAC, network,... • Case should be supported – scaling really needed!

More Related