FP6−2004−Infrastructures−6-SSA-026024 [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers, 12.09.2006.

Best Practices to Set Up and Manage a National CA
Asli Zengin, TUBITAK-ULAKBIM
Tutorial for Certification Authority Managers, Rome

OUTLINE
• PART I Procedural Issues – Roadmap for Accreditation
• PART II Technical Issues – Installation of CA
• PART III Operational Issues – Maintenance of CA

PART I, Roadmap for Accreditation
• Plan your CA initially
• Do 4 separate actions simultaneously (subscription to the EUGridPMA mailing list, OID application, CP/CPS preparation, CA website installation)
• Present your CA at an EUGridPMA meeting
• See the results and proceed!

Plan your CA initially
• At the beginning, refer to the documents and links on the EUGridPMA website to get the idea.
• Decide the correct and suitable properties of your CA, considering both the requirements of your NGI and the Authentication Profile (AP) for classic X.509 CAs, which is published on the EUGridPMA website.

Refer to documents and links at the EUGridPMA website
• Read the “Accreditation Procedure” document (the accreditation PDF on the EUGridPMA website) as a beginning. It gives a general view of how the process goes and what all the steps are until acceptance.

Refer to documents and links at the EUGridPMA website
• Read the “Authentication profile for X.509 secured classic certification authorities” document. You have to meet all requirements described in it; it is the main guide for preparing your CP/CPS. The meanings of shall/may/should/must in the document are significant and are defined by RFC 2119.

Refer to documents and links at the EUGridPMA website
• Read the “Grid Certificate Profile” document, published in the draft GGF documents repository (it was later published as OGF GFD.125). It is very useful for maintaining the interoperability of your CA across different grid infrastructures. Unlike the minimum requirements stated in the Authentication Profile, following this document is not mandatory, but it is highly recommended for new CAs.

Refer to documents and links at the EUGridPMA website
• Check the CP/CPS documents of other CAs to get a general idea; the EUGridPMA website links to the CP/CPSs of all its members. Comparing different CP/CPSs shows you the general structure of the document. Keep in mind that the old documents (almost all of them) follow the RFC 2527 format, while the new, valid format is RFC 3647.

Refer to documents and links at the EUGridPMA website
• Have a look at sample CA websites to get an idea of how to design your CA repository; the EUGridPMA website links to the CA websites of all its members. Check the information common to all repositories and compare it with what is required in the Authentication Profile.

Refer to documents and links at the EUGridPMA website
• Observe the certificate request handling methods of different CAs. In practice, the only way to meet the PMA requirements for user certificate requests is a secure web interface (https); renewals and host certificate requests can also be accepted by signed e-mail. Every CA website in the EUGridPMA repository has a certificate request web interface: compare the different web forms and decide which model is most suitable for you.

Design your CA with suitable specifications
• This part is simply an overview of the Authentication Profile (AP).
• You should cover all requirements described in the AP while designing your CA.
• After meeting the minimum requirements of the AP, specify the optional parts of your design clearly, according to your NGI's own needs.

Design your CA with suitable specifications
• Main points to cover in the design:
- Structure of the CA: online or offline?
- Structure of the RA network
- CA/RA responsibilities
- Identity validation process for new certificate requests
- Secure communication between the RAs and the CA
- Properties of CA, user, host and service certificates and private keys (refer to RFC 3280 for the certificate profile; RFC 3280 has since been superseded by RFC 5280):
  – Certificate Distinguished Names (DNs). Example user certificate DN: /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin
  – Certificate extensions
  – Passphrase for private keys

Design your CA with suitable specifications
• Main points to cover in the design (cont'd):
- Structure your CP/CPS as defined in RFC 3647
- Define the revocation circumstances and the CRL (Certificate Revocation List) lifetime (refer to RFC 3280, now superseded by RFC 5280, for the CRL profile)
- Describe the certificate request handling clearly
- Security of the dedicated CA (physical security, how the private key and the passphrase of the root CA certificate are kept)
- Web repository: what to publish on the CA website
- Specify the necessary records and archives
- Define a CA disaster recovery plan

Do 4 separate actions simultaneously
• Introduce your prospective national CA and get involved in the EUGridPMA discussion list
• Make a request for an OID (Object Identifier) arc
• Prepare your CP/CPS (Certificate Policy and Certification Practice Statement) document and submit it to the mailing list
• Arrange a dedicated website and establish your online CA repository (CA web repository)

Action I: Get involved in the EUGridPMA discussion list
• Procedure:
1. Send an introductory e-mail about your national CA to the chair of EUGridPMA (currently David Groep):
- Introduce yourself and your organization.
- Describe your national grid and the grid projects you are involved in.
- Tell for what purpose you want to set up the CA.
- Describe your prospective CA briefly (in a few sentences).

Action I: Get involved in the EUGridPMA discussion list
• Procedure (cont'd):
2. The chair will add you to the CA mailing list and introduce you there.
3. The chair appoints two PMA members to review your CP/CPS.
4. Do not hesitate to use the EUGridPMA mailing list for any technical or procedural issues/problems about your CA. Of course, you can also contact me directly. :)

Action II: Make a request for an OID arc
• Every CP/CPS version of every CA must have a unique object identifier (OID), so the organization responsible for operating the CA must have a valid OID arc. There are two alternatives:
1. Apply to IANA for a Private Enterprise Number (an arc under 1.3.6.1.4.1). Do this immediately: it takes almost two months!
2. Apply to IGTF for an arc under its OID tree. This alternative should be much faster.

Action III: Prepare and submit your CP/CPS
• Prepare:
- Follow the AP document while writing the CP/CPS.
- Keep in mind that it matters where you use should/may/must/shall; their meanings are taken from RFC 2119.
- Follow the RFC 3647 structure when writing your policy.
- Make use of the CP/CPSs of accredited CAs, and state which parts of your document are inspired by them.

Action III: Prepare and submit your CP/CPS
• Submit:
- Submit your completed CP/CPS to the mailing list and wait for the comments of the reviewers.
- Keep in mind that you may receive comments from all PMA members, although the appointed reviewers are the ones responsible for the review. Consider all of the comments while updating your policy document.
- Update your CP/CPS until all comments are addressed and no more objections are raised.

Action IV: Establish your CA website
• Your CA web repository must include:
- General information about your CA (homepage)
- CA root certificate (in .pem and .crt format)
- CRL URL (in .pem or .der format)
- CP/CPS policy document
- Official contact e-mail address of the people responsible for the CA
- Physical postal contact address
- TLS/SSL-protected (https) web form for certificate requests (either via OpenCA or your own scripts)
• Have a look at the websites of other CAs (linked from the EUGridPMA website).
• Keep in mind that your web repository will also be checked during the CP/CPS review.

Present your CA at the closest EUGridPMA meeting
• After your CP/CPS review has been completed successfully, it is time to present your CA at a face-to-face meeting!
• Find the date of the next EUGridPMA meeting on the EUGridPMA website and announce on the list that you will present your CA at that meeting.
• Keep in mind that EUGridPMA holds 3 meetings a year, usually at the end of September, January and May.

Present your CA at the closest EUGridPMA meeting
• Briefly cover all points in the Authentication Profile:
- General view of your CA (CA/RA responsibilities)
- Properties of the CA root certificate
- Properties of the CA private key
- Properties of end-entity certificates
- Properties of end-entity private keys
- Computer security controls
- The entire certificate request process
- Revocation circumstances / revocation requests
- Records / archives
- CA public repository (website)

Present your CA at the closest EUGridPMA meeting
• You can find CA presentations in the agendas of past meetings. Some of them:
- TR-Grid CA: agenda&categ=a053&id=a053s2t10/transparencies
- Signet CA: agenda&categ=a042&id=a042s1t4/transparencies
- pkIRISGrid CA: agenda&categ=a054&id=a054s2t6/transparencies

Important Points / Popular Questions
• Give importance to the security issues! BUILD THE TRUST!
- How do you maintain CA security? (offline machine, private key protection...)
- How do you design secure certificate request handling?
- How do you maintain secure communication between CA and RA personnel? (signed e-mails, telephone conversations...)
- How do you validate the identities behind certificate requests?

See the results and proceed
• After your presentation and the subsequent comments/questions, one of the following scenarios applies:
- You may get accredited immediately, if your CP/CPS review is complete and your overall presentation is successful.
- You may have to correct a few minor points in your CA design and then be accepted through the mailing list, without waiting for the next meeting.
- You may be far from accreditation, need to correct many important points, and probably have to give another presentation at the next meeting.

PART II, Installation of CA
• Grid Certification Authorities use the X.509 standard for public key infrastructure (PKI).
• OpenSSL is the preferred tool for X.509 operations, including creating and signing certificate requests, issuing CRLs, revoking certificates and renewing certificates.
• See the main openssl commands on the referenced page.
• You have two main alternatives to set up your CA:
- Write your own scripts
- Install and run OpenCA
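The OpenSSL side of the installation, as an added example that is not part of the tutorial and not OpenCA's code: an offline-CA skeleton in POSIX shell that exercises the design points from the earlier slides (DN structure, certificate extensions, a CP/CPS policy OID, CRL lifetime) and the operations named on this slide (signing requests, revoking, issuing CRLs). Every name, the CRL distribution URL and the policy OID (placed under a fictitious IANA PEN 99999) are assumed placeholders; renewal is left out because it is just a new request signed the same way.

```shell
#!/bin/sh
# Added example (not from the tutorial): a minimal offline-CA workflow in plain
# OpenSSL: root key + self-signed root, user certificate with grid-style extensions,
# revocation, CRL issuance, and a CRL freshness check.  All names, the CRL URL and
# the policy OID (under a fictitious IANA PEN 99999) are placeholders.
set -eu

ca_init() {            # usage: ca_init <dir>   (creates the CA directory and config)
    dir=$1
    mkdir -p "$dir/crl" "$dir/newcerts" "$dir/private" && chmod 700 "$dir/private"
    : > "$dir/index.txt"; echo 1000 > "$dir/serial"; echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = grid_ca
[ grid_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = grid_policy
[ grid_policy ]
C  = match
O  = match
OU = supplied
CN = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = unused
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_user ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:http://ca.example.test/ca.crl
certificatePolicies    = 1.3.6.1.4.1.99999.1.1.1
EOF
}
ca_create_root() {     # usage: ca_create_root <dir>
    dir=$1             # a real CA encrypts this key (-aes256); the passphrase stays off-line
    openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca -sha256 \
        -key "$dir/private/ca.key" -days 3650 -out "$dir/ca.crt" \
        -subj "/C=XX/O=ExampleGrid/OU=ExampleCA/CN=Example Grid CA"
}
ca_issue_user() {      # usage: ca_issue_user <dir> <name>  -> prints the certificate path
    dir=$1; name=$2    # in real life the user makes key+CSR and only the CSR reaches the CA
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -config "$dir/openssl.cnf" \
        -subj "/C=XX/O=ExampleGrid/OU=ExampleCA/CN=$name" -out "$dir/$name.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions v3_user \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
    echo "$dir/$name.crt"
}
ca_gencrl() { openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null; }
ca_revoke() { openssl ca -batch -config "$1/openssl.cnf" -revoke "$2" -crl_reason keyCompromise 2>/dev/null; }
ca_verify() {          # usage: ca_verify <dir> <cert>  -> prints valid | revoked | invalid
    dir=$1; cert=$2
    cat "$dir/ca.crt" "$dir/crl/ca.crl" > "$dir/trust.pem"    # -CAfile also loads CRLs
    if openssl verify -crl_check -CAfile "$dir/trust.pem" "$cert" >/dev/null 2>&1; then
        echo valid
    elif openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1; then
        echo revoked   # chain is fine, so the CRL check failed (revoked, or a stale CRL)
    else
        echo invalid
    fi
}
crl_hours_left() {     # usage: crl_hours_left <crl>  -> hours until nextUpdate (re-issue before 0)
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_s=$(date -u -d "$next" +%s 2>/dev/null \
             || date -u -j -f '%b %e %T %Y %Z' "$next" +%s 2>/dev/null || echo 0)
    echo $(( (next_s - $(date +%s)) / 3600 ))
}

# Stand-alone demo in a scratch directory.
d=$(mktemp -d); ca_init "$d"; ca_create_root "$d"
c=$(ca_issue_user "$d" testuser); ca_gencrl "$d"
echo "before revocation: $(ca_verify "$d" "$c")"
ca_revoke "$d" "$c"; ca_gencrl "$d"
echo "after revocation:  $(ca_verify "$d" "$c")"
echo "CRL valid for another $(crl_hours_left "$d/crl/ca.crl") hours"
```

The point of `ca_verify` is that a relying party only learns about a revocation through a CRL it can fetch and that has not yet reached its nextUpdate; with `default_crl_days = 7` the CA has to re-run `ca_gencrl` and republish the file at the URI in `crlDistributionPoints` well inside that window, which is what `crl_hours_left` is meant to be cron-polled for. Everything in `$dir/private` belongs on the dedicated offline machine; the web form only ever sees the CSR.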

Alternative I: Write your own scripts
• You can write your own scripts to handle certificate requests through a web interface:
- Write PHP scripts for the online certificate request forms and store the requests in a database such as MySQL.
- Use OpenSSL commands directly for the CA operations.
- Keep the signing key away from the web/RA host: the scripts only collect and queue requests, and the dedicated offline CA machine imports and signs them.
- Suitable for a small CA; not very professional.

Alternative II: Install and run OpenCA
• You can download and install the free software OpenCA for your CA/RA operations, including online certificate requests:
- It builds on OpenLDAP, OpenSSL and Apache.
- It is suitable for a large-scale CA.

Advantages/Disadvantages
Scripts
- Requires PHP and MySQL knowledge to prepare the scripts.
+ Easier to install: once the scripts are ready, you simply run them.
+ Simple to manage CA operations.
- Less robust; there may be problems during operation.
OpenCA
+ Ready to install: you can download the tarball.
- Long process; there may be problems during setup.
- More complicated operations.
+ More robust, smooth operation after installation.

Part III, Maintenance of CA
• Below are the most important issues to follow for a successful operation:
- Prepare the environment for the dedicated offline CA machine.
- Maintain CA protection at best effort (smart card, security personnel, safes...).
- Train your RA personnel.
- Always keep the communication between the RAs and the CA secure.
- Keep your RA staff as distributed as possible (local RAs for identity validation).
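Secure RA-to-CA communication in practice, as an added example that is not part of the tutorial: the slide above and the Important Points slide in Part I mention signed e-mails, and this is the S/MIME round trip behind that with plain OpenSSL. The RA signs its message, and the CA operator checks both the signature and whether the signer is a certificate the CA trusts to speak for an RA, before acting on the request; a message altered in transit is rejected. The RA certificate is self-signed here purely to keep the demo self-contained (in a real deployment the CA issues the RA certificate and trusts its own root), and the names, paths and the request text are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): an RA signs its message to the CA with
# S/MIME and the CA operator verifies signature and signer before acting on it.
# The RA certificate is self-signed only to keep the demo self-contained; in a
# real deployment the CA issues the RA certificate and trusts its own root.
set -eu

ra_make_cert() {       # usage: ra_make_cert <dir>   (demo-only self-signed RA cert)
    dir=$1
    cat > "$dir/ra.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ra_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign
extendedKeyUsage     = emailProtection
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$dir/ra.cnf" \
        -extensions ra_ext -days 365 -keyout "$dir/ra.key" -out "$dir/ra.crt" \
        -subj "/C=XX/O=ExampleGrid/OU=RA/CN=Example RA" 2>/dev/null
}

ra_sign() {            # usage: ra_sign <dir> <message> <out.p7m>   (clear-signed S/MIME)
    openssl smime -sign -signer "$1/ra.crt" -inkey "$1/ra.key" -in "$2" -out "$3"
}

ca_check_message() {   # usage: ca_check_message <dir> <in.p7m> <out>  -> prints ok | FAILED
    # -CAfile lists the certificates the CA trusts to speak for its RAs; a valid
    # signature from anyone else, or a modified message body, both fail here.
    if openssl smime -verify -in "$2" -CAfile "$1/ra.crt" -out "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo FAILED
    fi
}

# Stand-alone demo: a constructed RA request, then the same message tampered in transit.
d=$(mktemp -d); ra_make_cert "$d"
printf 'Please issue a host certificate for gw.example.test\n' > "$d/req.txt"
ra_sign "$d" "$d/req.txt" "$d/req.p7m"
echo "genuine:  $(ca_check_message "$d" "$d/req.p7m" "$d/req.out")"
sed 's/gw\.example\.test/evil.example.test/' "$d/req.p7m" > "$d/tampered.p7m"
echo "tampered: $(ca_check_message "$d" "$d/tampered.p7m" "$d/tampered.out")"
```

The verification deliberately does not use `-noverify`: a signature that merely checks out against the certificate embedded in the message proves nothing about who sent it, so the trust decision is anchored in the small set of RA certificates the CA operator keeps in `-CAfile`, and that file is what a new or departing RA changes.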

Part III, Maintenance of CA
• Most important issues for CA maintenance (cont'd):
- Give importance to identity validation (face-to-face meeting, checking an ID card).
- React immediately to revocation circumstances.
- Be on time for periodic CRL issuing and publishing.
- Know the OpenSSL commands well.
- Make sure you keep the accurate records you have committed to in your CP/CPS.

Part III, Maintenance of CA
• Most important issues for CA maintenance (cont'd):
- Follow and contribute to the discussions on the CA mailing list for news and new procedures.
- Follow and contribute to the periodic EUGridPMA meetings.
- Adapt your CA structure to changing requirements, and always inform EUGridPMA and get approval for the changes.
- Have alternate CA personnel in case of absence.
- Inform EUGridPMA when your CA website is temporarily down or when you change its URL.

Summary
• Plan your CA initially
• Do 4 separate actions simultaneously (subscription to the EUGridPMA mailing list, OID application, CP/CPS preparation, CA website installation)
• Set up your CA and make it operational
• Present it at an EUGridPMA meeting
• Get accredited and proceed!

HAPPY CERTIFICATE SIGNING! THANKS FOR YOUR ATTENTION! ANY COMMENTS/QUESTIONS?