
IST-2006-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America
ULAGrid Certification Authority. Vanessa Hamar, Universidad de Los Andes (presentation transcript)


Slide 1: ULAGrid Certification Authority
Vanessa Hamar, Universidad de Los Andes, Mérida, Venezuela. 5th F2F, Banff, 17/07/2007.

Slide 2: Overview
– Introduction
– Key Sizes
– Repository
– Identification and Authentication

Slide 3: Introduction
The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials. The CP/CPS follows the IETF's RFC 3647. Policy OID: 1.3.6.1.4.1.19286.2.2.2.0.1.3

Slide 4: Key Sizes
Keys of length less than 1024 bits are not accepted. All user keys will have a 1024-bit RSA key size. All host and service keys will have a 2048-bit RSA key size. The ULA CA key will always be RSA 2048 bits. The lifetime is 10 years for the CA and 1 year for End Entities.

Slide 5: Repository
The online repository of information from the ULAGrid CA is accessible at https://ra.cecalc.ula.ve/pub/ (e-mail: ca@cecalc.ula.ve). This is a secure online repository that contains:
– the ULAGrid CA's certificate,
– all end entity certificates issued by the CA,
– a Certificate Revocation List,
– a copy of the most recent approved version of this policy and all previous approved versions.

Slide 6: Repository
URL for the CA's main web page with info: https://ra.cecalc.ula.ve
URL for the CRL on the CA's web site: http://ra.cecalc.ula.ve/pub/crl/cacrl.crl

Slides 7 to 9: Repository (title only; the slide content is not preserved in the transcript)

Slide 10: Identification and authentication
The Subject Name is of the X.500 name type, a Distinguished Name. The generic format for a service subject is as follows:
    C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN
"C=VE" and "O=Grid" are the subject's fixed parts and must be present in all certificates. An additional subscriber organization "O=", giving the organization's name, must be provided, as well as an "OU=" giving the organization group. All subject parts are mandatory in all certificates, including the two "O=". The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.

Slide 11: Identification and authentication
    ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
    subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
    ra:~# openssl x509 -in usercert.pem -subject -noout
    subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar

Slide 12: Profile ULAGrid CA
For CA certificates:
– Basic Constraints: critical, ca:true
– Subject Key Identifier: hash
– Authority Key Identifier: keyid
– Key Usage: critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
– Extended Key Usage: timeStamping
– Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
– Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
– Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3

Slide 13: Profile ULAGrid CA
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8e:2a:83:5b:16:0f:a0:e8
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
            Validity
                Not Before: Jul 13 14:15:02 2007 GMT
                Not After : Jul 10 14:15:02 2017 GMT
            Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption

Slide 14: Profile ULAGrid CA
                X509v3 Subject Key Identifier:
                    DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                X509v3 Authority Key Identifier:
                    keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                    DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
                    serial:8E:2A:83:5B:16:0F:A0:E8
                X509v3 Key Usage:
                    Certificate Sign, CRL Sign
                X509v3 Subject Alternative Name:
                    email:ca@cecalc.ula.ve
                X509v3 Issuer Alternative Name:
                    email:ca@cecalc.ula.ve
                Netscape Cert Type:
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment:
                    CeCalCULA Certification Authority Certificate

Slide 15: Profiles Users
For natural person certificates:
– Basic Constraints: critical, ca:false
– Subject Key Identifier: hash
– Authority Key Identifier: keyid
– Key Usage: critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
– Extended Key Usage: clientAuth, emailProtection, timeStamping
– Netscape Cert Type: SSL Client, S/MIME, Object Signing
– Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
– CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
– Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
– Subject Alternative Name: e-mail address

Slide 16: Profile Users
    ra:~# openssl x509 -in usercert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
            Validity
                Not Before: Jul 13 14:34:47 2007 GMT
                Not After : Jul 12 14:34:47 2008 GMT
            Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):

Slide 17: Profile Users
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                      CPS: http://ra.cecalc.ula.ve/pub
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
                Netscape Comment:
                    Registration Authority Operator of CeCalCULA
                X509v3 Subject Key Identifier:
                    95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3

Slide 18: Others
    ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose
    Certificate purposes:
    SSL client : No
    SSL client CA : Yes
    SSL server : No
    SSL server CA : Yes
    Netscape SSL server : No
    Netscape SSL server CA : Yes
    S/MIME signing : No
    S/MIME signing CA : Yes
    S/MIME encryption : No
    S/MIME encryption CA : Yes
    CRL signing : Yes
    CRL signing CA : Yes
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : Yes

Slide 19: Others
    ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
    SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5

Signing policy file for ULAGridCA:
    # Signing policy file for ULAGridCA
    access_id_CA  X509   '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve'
    pos_rights    globus CA:sign
    cond_subjects globus '"/C=VE/O=Grid/*"'

    ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
    serial=8E2A835B160FA0E8
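As an added example (not code from the presentation or from the ULAGrid CA's own tooling), the following Python checks a subject DN in OpenSSL's one-line form against the naming rule of slide 10 and the cond_subjects pattern of the signing policy on slide 19. The user DN is the one shown on slide 11; the service DN, its host name and the non-conforming DNs are constructed for illustration.

```python
"""ULAGrid subject-name check: naming rule (slide 10) and Globus signing-policy
pattern (slide 19). Added example, not code from the presentation."""
import fnmatch
import re

FIXED_PREFIX = [("C", "VE"), ("O", "Grid")]      # fixed parts, slide 10
SIGNING_POLICY_PATTERN = "/C=VE/O=Grid/*"        # cond_subjects, slide 19


def parse_openssl_dn(dn):
    """Split an OpenSSL one-line DN ('/C=VE/O=Grid/...') into (key, value) pairs.
    Only a '/' that begins a new 'key=' component splits, so a service CN of the
    slide 10 form 'service/FQDN' keeps its embedded slash."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL slash-separated DN")
    pairs = []
    for part in re.split(r"/(?=[A-Za-z]+=)", dn[1:]):
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((key, value))
    return pairs


def check_ulagrid_subject(dn, kind="user"):
    """Return the list of policy violations (empty means the DN conforms).
    kind is 'user' (natural person) or 'service' (CN must be service/FQDN)."""
    pairs = parse_openssl_dn(dn)
    problems = []
    if pairs[:2] != FIXED_PREFIX:
        problems.append("subject must start with /C=VE/O=Grid")
    if len([v for k, v in pairs if k == "O"]) != 2:
        problems.append("exactly two O= components required (Grid and institution)")
    if not any(k == "OU" for k, _ in pairs):
        problems.append("OU= (organization group) is missing")
    cns = [v for k, v in pairs if k == "CN"]
    if len(cns) != 1:
        problems.append("exactly one CN= component required")
    elif kind == "service" and not re.fullmatch(r"[a-z]+/[a-z0-9.-]+", cns[0]):
        problems.append("service CN must have the form service/FQDN")
    # A Globus relying party only trusts this CA for subjects under the pattern.
    if not fnmatch.fnmatchcase(dn, SIGNING_POLICY_PATTERN):
        problems.append("subject is outside the signing-policy cond_subjects pattern")
    return problems


if __name__ == "__main__":   # user DN from slide 11; the second DN is constructed
    print(check_ulagrid_subject("/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar"))
    print(check_ulagrid_subject("/C=VE/O=Grid/OU=CeCalCULA/CN=Someone"))
```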

Slide 20: ?

