
PKI and Certificate Authority (CA) Overview - What, Why, and How it Works

Learn about Public Key Infrastructure (PKI) and Certificate Authority (CA), including the definition, working, and importance of CA certificates. Explore OpenSSL software and script examples in this informative overview.

wendyhall



Presentation Transcript


  1. Matthew G. Marsh, 08/20/03: NEbraskaCERT Certificate Authority

  2. Overview
     • Public Key Infrastructure (PKI)
       • What
       • Why
     • Certificate Authority
       • What is it
       • How does it work
     • OpenSSL Software
       • Keys and configuration files
       • Script Examples
     • Q&A

  3. PKI
     • What
       • PKI (Public Key Infrastructure) refers to the structure that enables binding an identity to objects. Actual discussion and implementation details are beyond the scope of this talk. Basically, PKI is all defined in the details and takes into account mechanisms and concepts that are far removed from actual technical manipulation.
     "I hope you believe you understand what you think I said, but I'm not sure you realize that what you've heard is not what I meant." (President Richard Nixon)

  4. Certificate Authority - CA
     • What is it
       • The Certification Authority (CA) is the trusted third party that issues keys and certificates to end users and manages the certificate life cycle, including generation, revocation, expiration, and renewal.

  5. CA - X.509
     • ITU-T Recommendation X.509 [ITU-T 97]
     • Several different end-entity certificates are defined in X.509:
       • Personal certificates represent individuals (ex: secure e-mail)
       • Server certificates represent services (ex: HTTPS Web server)
       • Developer certificates sign software or related objects
     • A certificate binds an identity to a public key. The certificate includes:
       • The name of the person
       • Their public key
       • A digital signature sealing the data. The digital signature is added by the Certificate Authority (CA). Certificate authorities exist to confirm the relationship between an identity and a public key.
     • X.509 also defines certificate authority certificates, which identify third-party organizations entrusted to validate the identity of a certificate requestor.
     • CA certificates contain the authority name, a public key, and a digital signature (self-signed)

  6. Certificate Authority - CA
     • Certificate authorities confirm the relationship between requestors and their public keys
     • Certificate authorities publish the public keys used to verify end-entity certificates
     • The verification process uses the public key of the authority that issued the certificate to validate the digital signature
     • CA certificates are critical to close the circle of trust
       • ROOT Certificate
       • X.509 CA Certificate
     • ALL CAs by definition have "Self Signed" ROOT Certificates!!

  7. CA in a Nutshell
     • End user generates a Certificate Signing Request (CSR)
     • Sends CSR to CA for approval
       • Submit $$
     • Gets signed certificate
       • Typically a one-year duration
       • Theoretically no time limit for expiration
     • Uses certificate
     • FILM AT 11...

  8. CA in a Nutshell
     • CA requirements
       • You must publish your root CA certificate
       • You must publish the revocation list
       • You must display a certificate's details given a serial number
       • You must provide a method to submit certificate requests
     • All this can be done using Apache and some PHP

  9. OpenSSL
     • Full SSL library with support programs
       • SSL v2/v3
       • TLS v1
       • Latest version is 0.9.7b, released April 10, 2003
     • Core utility is the "openssl" binary
       • Performs all operations needed for X.509
       • Many other operations available as well
     • Supports multiple configuration files
       • CA configuration
       • Standard configuration

  10. OpenSSL - Config File - CA
     • Traditionally /usr/local/ssl/openssl.conf
     • For the NEbraskaCERT CA:

        [ req ]
        default_bits = 2048
        default_keyfile = /data/network/NEbraskaCERT-CA/key/NEbraskaCERT-CA.key
        default_md = sha1
        default_days = 365
        prompt = no
        distinguished_name = NEbraskaCERT_CA_NAME
        x509_extensions = NEbraskaCERT_CA_extensions

        [ NEbraskaCERT_CA_NAME ]
        commonName = NEbraskaCERT Certificate Authority
        stateOrProvinceName = Nebraska
        countryName = US
        emailAddress = certificate.administrator@nebraskacert.org
        organizationName = NEbraskaCERT
        organizationalUnitName = Certificate Authority

        [ NEbraskaCERT_CA_extensions ]
        basicConstraints = CA:true

  11. OpenSSL - Config File - Sign

        [ ca ]
        default_ca = NEbraskaCERT_CA

        [ NEbraskaCERT_CA ]
        dir = /data/network/NEbraskaCERT-CA
        certificate = $dir/NEbraskaCERT-CA.crt
        database = $dir/index.txt
        new_certs_dir = $dir/certificates
        private_key = $dir/key/NEbraskaCERT-CA.key
        serial = $dir/serial
        default_crl_days = 7
        default_days = 365
        default_md = sha1
        policy = NEbraskaCERT_CA_Policy
        x509_extensions = certificate_extensions

        [ NEbraskaCERT_CA_Policy ]
        commonName = supplied
        stateOrProvinceName = supplied
        countryName = supplied
        emailAddress = supplied
        organizationName = supplied
        organizationalUnitName = optional

        [ certificate_extensions ]
        basicConstraints = CA:false

  12. OpenSSL - Scripts
     • Setup.sh

        export OPENSSL_CONF=/data/network/NEbraskaCERT-CA/NEbraskaCERT.CA.conf
        export PATH=/usr/local/ssl/bin:$PATH

       • Source it (". Setup.sh") into the running shell (or use a dedicated signing user)
       • Note that you could have other config files
     • SIGN.sh

        /usr/local/ssl/bin/openssl ca -in $1 -notext -out ${1%.req}.crt

       • Obviously a bash/ksh shell script ;-}

  13. OpenSSL - Try it...
     • Generate a key

        /usr/local/ssl/bin/openssl genrsa -out www.mysecure.com.key 1024

     • Generate a CSR

        /usr/local/ssl/bin/openssl req -new -key www.mysecure.com.key -out www.mysecure.com.req

     • Send CSR to CA
     • CA inspects CSR

        /usr/local/ssl/bin/openssl req -noout -text -in www.mysecure.com.req

     • CA signs CSR

        /usr/local/ssl/bin/openssl ca -in www.mysecure.com.req -notext -out www.mysecure.com.crt
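Slides 10 through 13 run end to end, as an added example that is not the talk's or the NEbraskaCERT CA's own code: a POSIX shell function writes a config with the same [ req ], [ ca ], policy and extension sections (CA name, paths and e-mail addresses are invented), self-signs the root, signs a server CSR through openssl ca, and then checks that the leaf chains to the root and that only the root carries CA:TRUE. It assumes an openssl binary on PATH, uses 2048-bit keys (the config's default_bits rather than slide 13's 1024), marks basicConstraints critical as RFC 5280 requires for CA certificates, and uses sha256 in place of the 2003 config's sha1, which is no longer acceptable for certificate signatures.

```shell
# Added example (not the slides' code): build a throwaway CA in the layout the talk
# describes, sign one CSR, verify. Names are invented; sha256 replaces the 2003 sha1.
nebraskacert_ca_demo() {
  ca="$1/CA"; mkdir -p "$ca/key" "$ca/certificates"
  : > "$ca/index.txt"; echo 01 > "$ca/serial"   # empty database, first serial
  cat > "$ca/ca.conf" <<EOF
[ req ]
prompt = no
distinguished_name = CA_NAME
x509_extensions = CA_extensions
[ CA_NAME ]
commonName = Example Lab CA
organizationName = Example Lab
countryName = US
[ CA_extensions ]
basicConstraints = critical, CA:true
[ ca ]
default_ca = Example_CA
[ Example_CA ]
dir = $ca
certificate = \$dir/ca.crt
database = \$dir/index.txt
new_certs_dir = \$dir/certificates
private_key = \$dir/key/ca.key
serial = \$dir/serial
default_days = 365
default_md = sha256
policy = CA_Policy
x509_extensions = certificate_extensions
[ CA_Policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
[ certificate_extensions ]
basicConstraints = critical, CA:false
EOF
  # Self-signed root (slides 6, 10), then the end user's key and CSR (slide 13).
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -config "$ca/ca.conf" \
    -keyout "$ca/key/ca.key" -out "$ca/ca.crt" 2>/dev/null
  openssl genrsa -out "$1/www.key" 2048 2>/dev/null
  openssl req -new -key "$1/www.key" -config "$ca/ca.conf" -out "$1/www.req" \
    -subj "/C=US/ST=Nebraska/O=Example Lab/CN=www.example.test/emailAddress=web@example.test"
  # CA signs via [ ca ] (SIGN.sh, slide 12); leaf must chain, and only the root is CA:TRUE.
  openssl ca -batch -config "$ca/ca.conf" -in "$1/www.req" -notext -out "$1/www.crt" >/dev/null 2>&1
  openssl verify -CAfile "$ca/ca.crt" "$1/www.crt" >/dev/null &&
    openssl x509 -in "$ca/ca.crt" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$1/www.crt" -noout -text | grep -q 'CA:FALSE' && echo OK
}
```

Run it as `nebraskacert_ca_demo "$(mktemp -d)"`; it prints OK only when every step succeeded, and the signed certificate is also recorded in the CA's index.txt as openssl ca requires.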

  14. Q & A

  15. This is The
