
ULAGrid Certification Authority

ULAGrid Certification Authority. Vanessa Hamar, Universidad de Los Andes – Merida, Venezuela. 5th F2F, Banff, 17/07/2007. Overview: Introduction, Key Sizes, Repository, Identification and Authentication.


Presentation Transcript


  1. ULAGrid Certification Authority
     Vanessa Hamar, Universidad de Los Andes – Merida, Venezuela
     5th F2F, Banff, 17/07/2007

  2. Overview
     • Introduction
     • Key Sizes
     • Repository
     • Identification and Authentication

  3. Introduction
     • The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.
     • The CP/CPS follows the IETF’s RFC 3647 (policy OID 1.3.6.1.4.1.19286.2.2.2.0.1.3).

  4. Key Sizes
     • Keys of length less than 1024 bits are not accepted.
     • All user keys will have a 1024 bit RSA key size.
     • All host and service keys will have a 2048 bit RSA key size.
     • The ULA CA key will always be a 2048 bit RSA key.
     • The lifetime is 10 years for the CA and 1 year for End Entities.

  5. Repository
     • The online repository of information from the ULAGrid CA is accessible at: https://ra.cecalc.ula.ve/pub/ (Email = ca@cecalc.ula.ve)
     • This is a secure online repository that contains:
       • The ULAGrid CA’s certificate,
       • All end entity certificates issued by the CA,
       • A Certificate Revocation List,
       • A copy of the most recent approved version of this policy and all previous approved versions.

  6. Repository
     • URL for the CA’s main web page with info: https://ra.cecalc.ula.ve
     • URL for the CRL on the CA’s web site: http://ra.cecalc.ula.ve/pub/crl/cacrl.crl

  7. Repository

  8. Repository

  9. Repository

  10. Identification and authentication
      • The Subject Name is of the X.500 name type, a Distinguished Name.
      • The generic format for a service subject is as follows:
        C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN
      • “C=VE” and “O=Grid” are the subject’s fixed parts and must be present in all certificates.
      • An additional “O=” naming the subscriber’s organization must be provided, as well as an “OU=” naming the organization’s group.
      • All subject parts are mandatory in all certificates, including both “O=” components.
      • The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.

  11. Identification and authentication
      ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
      subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
      ra:~# openssl x509 -in usercert.pem -subject -noout
      subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar
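The naming rules on slide 10 and the key-size policy on slide 4 can be checked mechanically against what `openssl x509 -subject` and `openssl x509 -text` print. The Python below is an added example, not code from the ULAGrid CA or its OpenCA installation. The first subject line is the one shown on slide 11; the service subject and the non-conforming subject are constructed, the `-text` fragment is trimmed from slide 16, and classifying an entity by the shape of its CN (`service/FQDN` means a host or service key) is an assumption made here.

```python
import re
from collections import Counter

# Added example: checks OpenSSL subject lines and key sizes against the
# ULAGrid naming rules (slide 10) and key-size policy (slide 4).
FIXED_PREFIX = [("C", "VE"), ("O", "Grid")]            # fixed leading RDNs
MIN_RSA_BITS = {"user": 1024, "service": 2048, "ca": 2048}

# Sample inputs: first line from slide 11, the other two constructed.
USER_SUBJECT = "subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar"
SERVICE_SUBJECT = "subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=host/ra.cecalc.ula.ve"
BAD_SUBJECT = "subject= /C=VE/O=Universidad de Los Andes/CN=Someone"   # no O=Grid, no OU=
# Trimmed from the 'openssl x509 -text' output on slide 16.
USER_TEXT = (
    "    Subject Public Key Info:\n"
    "        Public Key Algorithm: rsaEncryption\n"
    "        RSA Public Key: (1024 bit)\n"
)


def parse_openssl_subject(line):
    """Turn 'subject= /C=VE/O=Grid/.../CN=x' into an ordered list of (attr, value)."""
    m = re.match(r"\s*subject=\s*(/.*)$", line)
    if not m:
        raise ValueError("not an 'openssl x509 -subject' line: %r" % line)
    rdns = []
    for part in m.group(1).split("/")[1:]:   # leading '/' yields an empty first chunk
        if "=" in part:
            attr, _, value = part.partition("=")
            rdns.append((attr, value))
        elif rdns:
            # A '/' inside a value (service CNs look like CN=service/FQDN) is printed
            # unescaped by older OpenSSL; glue the fragment back onto the previous value.
            attr, value = rdns[-1]
            rdns[-1] = (attr, value + "/" + part)
        else:
            raise ValueError("malformed RDN: %r" % part)
    return rdns


def entity_kind(rdns):
    """Assumption: a CN of the form service/FQDN denotes a host/service key, else a user."""
    cn = next((v for a, v in rdns if a == "CN"), "")
    return "service" if "/" in cn else "user"


def check_subject(rdns):
    """Return the list of naming-rule violations (an empty list means the DN conforms)."""
    problems = []
    if rdns[:2] != FIXED_PREFIX:
        problems.append("DN must begin with C=VE, O=Grid")
    attrs = [a for a, _ in rdns]
    if attrs.count("O") < 2:
        problems.append("subscriber organisation (second O=) missing")
    if "OU" not in attrs:
        problems.append("organisation group OU= missing")
    if attrs.count("CN") != 1:
        problems.append("exactly one CN= required")
    return problems


def check_key_size(text_output, kind):
    """Extract the RSA size from -text output (old and new OpenSSL wording) and compare to policy."""
    m = re.search(r"(?:RSA Public Key|Public-Key): \((\d+) bit\)", text_output)
    if not m:
        raise ValueError("no RSA public key size in -text output")
    bits = int(m.group(1))
    return bits, bits >= MIN_RSA_BITS[kind]


def duplicate_subjects(subject_lines):
    """DNs must be unique per subject: report any DN that appears more than once."""
    counts = Counter(tuple(parse_openssl_subject(l)) for l in subject_lines)
    return [list(rdns) for rdns, n in counts.items() if n > 1]


if __name__ == "__main__":
    for line in (USER_SUBJECT, SERVICE_SUBJECT, BAD_SUBJECT):
        rdns = parse_openssl_subject(line)
        print(entity_kind(rdns), check_subject(rdns) or "OK")
    print(check_key_size(USER_TEXT, "user"), check_key_size(USER_TEXT, "service"))
```

The key-size check is deliberately tied to the entity kind: the same 1024 bit key passes for a user certificate and fails for a host or service certificate, which is the distinction slide 4 draws.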

  12. Profile ULAGrid CA
      For CA certificates:
      • Basic Constraints: critical, ca: true
      • Subject Key Identifier: hash
      • Authority Key Identifier: keyid
      • Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign
      • Extended Key Usage: timeStamping
      • Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
      • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
      • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3

  13. Profile ULAGrid CA
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  8e:2a:83:5b:16:0f:a0:e8
              Signature Algorithm: sha1WithRSAEncryption
              Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
              Validity
                  Not Before: Jul 13 14:15:02 2007 GMT
                  Not After : Jul 10 14:15:02 2017 GMT
              Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                  RSA Public Key: (2048 bit)
                      Modulus (2048 bit):
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Basic Constraints: critical
                      CA:TRUE
          Signature Algorithm: sha1WithRSAEncryption

  14. Profile ULAGrid CA
                  X509v3 Subject Key Identifier:
                      DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                  X509v3 Authority Key Identifier:
                      keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                      DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
                      serial:8E:2A:83:5B:16:0F:A0:E8
                  X509v3 Key Usage:
                      Certificate Sign, CRL Sign
                  X509v3 Subject Alternative Name:
                      email:ca@cecalc.ula.ve
                  X509v3 Issuer Alternative Name:
                      email:ca@cecalc.ula.ve
                  Netscape Cert Type:
                      SSL CA, S/MIME CA, Object Signing CA
                  Netscape Comment:
                      CeCalCULA Certification Authority Certificate

  15. Profiles Users
      For natural person certificates:
      • Basic Constraints: critical, ca: false
      • Subject Key Identifier: hash
      • Authority Key Identifier: keyid
      • Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment
      • Extended Key Usage: clientAuth, emailProtection, timeStamping
      • Netscape Cert Type: SSL Client, S/MIME, Object Signing
      • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
      • CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
      • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
      • Subject Alternative Name: e-mail address

  16. Profile Users
      ra:~# openssl x509 -in usercert.pem -text -noout
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 2 (0x2)
              Signature Algorithm: sha1WithRSAEncryption
              Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
              Validity
                  Not Before: Jul 13 14:34:47 2007 GMT
                  Not After : Jul 12 14:34:47 2008 GMT
              Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                  RSA Public Key: (1024 bit)
                      Modulus (1024 bit):

  17. Profile Users
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Certificate Policies:
                      Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                        CPS: http://ra.cecalc.ula.ve/pub
                  Netscape Cert Type:
                      SSL Client, S/MIME, Object Signing
                  X509v3 Key Usage:
                      Digital Signature, Non Repudiation, Key Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
                  Netscape Comment:
                      Registration Authority Operator of CeCalCULA
                  X509v3 Subject Key Identifier:
                      95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3

  18. Others
      ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose
      Certificate purposes:
      SSL client : No
      SSL client CA : Yes
      SSL server : No
      SSL server CA : Yes
      Netscape SSL server : No
      Netscape SSL server CA : Yes
      S/MIME signing : No
      S/MIME signing CA : Yes
      S/MIME encryption : No
      S/MIME encryption CA : Yes
      CRL signing : Yes
      CRL signing CA : Yes
      Any Purpose : Yes
      Any Purpose CA : Yes
      OCSP helper : Yes
      OCSP helper CA : Yes

  19. Others
      ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
      SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5

      # Signing policy file for ULAGridCA
      access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve'
      pos_rights globus CA:sign
      cond_subjects globus '"/C=VE/O=Grid/*"'

      ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
      serial=8E2A835B160FA0E8
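The `signing_policy` lines on this slide tell Globus-based relying parties which issuer the file applies to and which subject names that issuer is trusted to sign. The Python below is an added example, not part of the ULAGrid CA or of the Globus toolkit: it parses the three statement types shown and evaluates the `cond_subjects` pattern as a shell-style glob, which is an approximation of the Globus matcher (an assumption made here); the policy text is the one on the slide, and the subject DNs it is run against are taken from slide 11 or constructed.

```python
import fnmatch
import shlex

# Added example, not ULAGrid or Globus code. Evaluates a Globus-style
# signing_policy file: which issuer it covers and which subject DNs that
# issuer is trusted to sign. The policy text is the one shown on the slide.
SIGNING_POLICY = """\
# Signing policy file for ULAGridCA
access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve'
pos_rights globus CA:sign
cond_subjects globus '"/C=VE/O=Grid/*"'
"""

ULAGRID_CA_DN = ("/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA"
                 "/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve")


def parse_signing_policy(text):
    """Parse access_id_CA / pos_rights / cond_subjects statements into a dict."""
    policy = {"ca": None, "rights": [], "subjects": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "access_id_CA":
            # form: access_id_CA X509 '<issuer DN>'
            _type, _, dn = rest.partition(" ")
            policy["ca"] = dn.strip().strip("'")
        elif key == "pos_rights":
            # form: pos_rights globus CA:sign
            policy["rights"].append(rest.split()[-1])
        elif key == "cond_subjects":
            # form: cond_subjects globus '"<glob>" ["<glob>" ...]'
            _ns, _, quoted = rest.partition(" ")
            policy["subjects"].extend(shlex.split(quoted.strip().strip("'")))
        else:
            raise ValueError("unknown signing_policy statement: %r" % line)
    return policy


def may_sign(policy, issuer_dn, subject_dn):
    """True if this policy lets issuer_dn sign a certificate for subject_dn."""
    if policy["ca"] != issuer_dn or "CA:sign" not in policy["rights"]:
        return False
    # Assumption: '*' matches any run of characters, '/' included; fnmatchcase
    # keeps the comparison case-sensitive, as DN matching should be here.
    return any(fnmatch.fnmatchcase(subject_dn, pat) for pat in policy["subjects"])


if __name__ == "__main__":
    pol = parse_signing_policy(SIGNING_POLICY)
    for dn in ("/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
               "/C=VE/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar"):
        print(may_sign(pol, ULAGRID_CA_DN, dn), dn)
```

The second DN in the usage loop lacks the fixed `O=Grid` component, so it falls outside `"/C=VE/O=Grid/*"` and is rejected even though the issuer matches; a certificate for it would not be accepted by a relying party using this policy file.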

  20. ?
