FP6−2004−Infrastructures−6-SSA-026024 [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers, 12.09.2006.


1 Best Practices to Set Up and Manage a National CA
Asli Zengin, TUBITAK-ULAKBIM, asli@ulakbim.gov.tr
www.eumedgrid.org

2 OUTLINE
- PART I Procedural Issues – Roadmap for Accreditation
- PART II Technical Issues – Installation of CA
- PART III Operational Issues – Maintenance of CA


4 PART I, Roadmap for Accreditation
- Plan your CA initially
- Do 4 separate actions simultaneously (subscription to the EUGridPMA mailing list, OID application, CP/CPS preparation, CA website installation)
- Present your CA at EUGridPMA meeting
- See the results and proceed!

5 PART I, Roadmap for Accreditation
- Plan your CA initially
- Do 4 separate actions simultaneously
- Present your CA at EUGridPMA meeting
- See the results and proceed!

6 Plan your CA initially
- At the beginning, refer to the documents and links at the EUGridPMA website (www.eugridpma.org) to get the idea.
- Decide on the correct and suitable properties of your CA, considering both the requirements of your NGI and the Authentication Profile published at the EUGridPMA website (http://www.eugridpma.org/guidelines/IGTF-AP-classic-20050930-4-0.html).

7 Refer to documents and links at www.eugridpma.org
- Read the "Accreditation Procedure" document as a beginning: http://www.eugridpma.org/guidelines/EUGridPMA-accreditation-20040402-1-0.pdf
  Get a general view of how the process goes on and what all of the steps are until acceptance.

8 Refer to documents and links at www.eugridpma.org
- Read the "Authentication profile for X.509 secured classic certification authorities" document: http://www.eugridpma.org/guidelines/IGTF-AP-classic-20050930-4-0.html
  You have to meet all requirements described in this document. It is the main guide for preparing your CP/CPS. The meanings of shall/may/should/must in the document are important and are defined by RFC 2119.

9 Refer to documents and links at www.eugridpma.org
- Read the "Grid Certificate Profile" document, published in the draft GGF documents repository: http://forge.gridforum.org/sf/go/doc13742
  This document is very useful for maintaining interoperability of your CA across different grid infrastructures. Unlike the minimum requirements stated in the Authentication Profile, following this document is not mandatory, but it is highly recommended that new CAs consider it.

10 Refer to documents and links at www.eugridpma.org
- Check the CP/CPS documents of other CAs to get a general idea. Links to the CP/CPSs of all EUGridPMA members: http://www.eugridpma.org/members/index.php
  You can read different CP/CPSs to learn the general structure of the document. Keep in mind that the old documents (almost all of them) are in RFC 2527 format, while the new, valid format is RFC 3647.

11 Refer to documents and links at www.eugridpma.org
- Have a look at sample CA websites to get an idea for the design of your CA repository. Links to the CA websites of all EUGridPMA members: http://www.eugridpma.org/members/index.php
  You can check the information common to all repositories and compare it with what is required in the Authentication Profile.

12 Refer to documents and links at www.eugridpma.org
- Observe the certificate request handling methods of different CAs: to meet the requirements of the PMA, there is no other way than a secure web interface (https) for user certificate requests. (Renewals and host certificate requests can also be made by signed e-mails.)
  You can find a certificate request web interface at each CA website in the EUGridPMA repository. Compare the different web forms and decide which model is most suitable for you.

13 Design your CA with suitable specifications
- This part is simply an overview of the Authentication Profile (AP).
- You should cover all requirements described in the AP while designing your CA.
- After meeting the minimum requirements in the AP, you should clearly specify the optional parts of your design according to your NGI's own needs.

14 Design your CA with suitable specifications
- Main points to cover in the design:
  - Structure of CA: online or offline?
  - Structure of the RA network
  - CA/RA responsibilities
  - Identity validation process for new certificate requests
  - Secure communication between RAs and CA
  - Properties of CA, user, host and service certificates and private keys (refer to RFC 3280 for the certificate profile):
    - Certificate Distinguished Names (DNs). Example user certificate DN: /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin
    - Certificate extensions
    - Passphrase for private keys

15 Design your CA with suitable specifications
- Main points to cover in the design (cont'd):
  - Structure your CP/CPS as defined in RFC 3647
  - Define revocation situations and the CRL (Certificate Revocation List) lifetime (refer to RFC 3280 for the CRL profile)
  - Describe certificate request handling clearly
  - Security of the dedicated CA (physical security, how to keep the private key and passphrase of the root CA certificate)
  - Web repository: what to publish on the CA website
  - Specify the necessary records and archives
  - Define a CA disaster recovery plan


17 Do 4 separate actions simultaneously
- Introduce your prospective national CA and get involved in the EUGridPMA discussion list
- Make a request for an OID (Object Identifier) arc
- Prepare and submit your CP/CPS (Certificate Policy and Certification Practice Statement) document to the mailing list
- Arrange a dedicated web site and establish your online CA (CA web repository)

18 Action I: Get involved in the EUGridPMA discussion list (dg-eur-ca@services.cnrs.fr)
- Procedure:
  1. Send an introductory e-mail about your national CA to the chair of EUGridPMA, currently David Groep (davidg@nikhef.nl):
     - Introduce yourself and your organization.
     - Describe your national grid and the grid projects you are involved in.
     - Tell for what purpose you are willing to set up the CA.
     - Describe your prospective CA briefly (in a few sentences).

19 Action I: Get involved in the EUGridPMA discussion list (dg-eur-ca@services.cnrs.fr)
- Procedure (cont'd):
  2. The chair will add you to the CA mailing list and introduce you.
  3. Let the chair appoint two members from the PMA for your CP/CPS review.
  4. Do not hesitate to use the EUGridPMA mailing list for any technical or procedural issues/problems about your CA. Of course, you can use cam@eumedgrid.org as well. :)

20 Action II: Make a request for an OID arc
- Every CP/CPS version of every CA must have a unique object identifier. Your organization, which is responsible for operating the CA, must have a valid OID arc. There are two alternatives to obtain one:
  1. You can apply to IANA for an OID arc (http://www.iana.org/cgi-bin/enterprise.pl). You should do this immediately; it takes almost two months!
  2. You can apply to IGTF for an OID arc (http://www.eugridpma.org/objectid/). This alternative should be much faster.

21 Action III: Prepare and submit your CP/CPS
- Prepare:
  - Follow the AP document while writing the CP/CPS (http://www.eugridpma.org/guidelines/IGTF-AP-classic-20050930-4-0.html). Keep in mind that it is important where you use should/may/must/shall: their meanings are interpreted according to RFC 2119.
  - Follow the RFC 3647 standard to write your policy.
  - Make use of the CP/CPSs of accredited CAs and state which parts of your document are inspired by them (http://www.eugridpma.org/members/index.php).

22 Action III: Prepare and submit your CP/CPS
- Submit:
  - Submit your completed CP/CPS to the mailing list and wait for the comments of the reviewers. Keep in mind that, although the appointed reviewers are responsible for the review, you may receive comments from any PMA member. You should consider all of the comments while updating your policy document.
  - Update your CP/CPS until all comments are covered and no more objections are raised.

23 Action IV: Establish your CA website
- Your CA web repository must include:
  - General info about your CA (homepage)
  - CA root certificate (in .pem and .crt format)
  - CRL URL (in .pem or .der format)
  - CP/CPS policy document
  - Official contact e-mail address responsible for the CA
  - Physical postal contact address
  - SSL-protected web form for certificate requests (either via OpenCA or your own scripts)
- Have a look at the websites of other CAs (http://www.eugridpma.org/members/index.php)
- Keep in mind that your web repository will also be checked during the CP/CPS review.


25 Present your CA at the closest EUGridPMA meeting
- After your CP/CPS review is successfully completed, it is time to present your CA at a face-to-face meeting!
- Find the next meeting of EUGridPMA at http://www.eugridpma.org/meetings/ and declare to the list that you will make your CA presentation at this meeting.
- Keep in mind that EUGridPMA holds 3 meetings a year, usually at the end of September, January and May.

26 Present your CA at the closest EUGridPMA meeting
- Briefly cover all points in the Authentication Profile:
  - general view of your CA (CA/RA responsibilities)
  - properties of the CA root certificate
  - properties of the CA private key
  - properties of end-entity certificates
  - properties of end-entity private keys
  - computer security controls
  - the entire certificate request process
  - revocation circumstances / revocation requests
  - records/archives
  - CA public repository (web site)

27 Present your CA at the closest EUGridPMA meeting
- You can find CA presentations in the agendas of the meetings (http://www.eugridpma.org/agenda/). Some of them:
  - TR-Grid CA: http://www.eugridpma.org/agenda/askArchive.php?base=agenda&categ=a053&id=a053s2t10/transparencies
  - Signet CA: http://www.eugridpma.org/agenda/askArchive.php?base=agenda&categ=a042&id=a042s1t4/transparencies
  - pkIRISGrid CA: http://www.eugridpma.org/agenda/askArchive.php?base=agenda&categ=a054&id=a054s2t6/transparencies

28 Important Points/Popular Questions
- Give importance to the security issues! BUILD THE TRUST!
  - How do you maintain CA security? (offline machine, private key protection...)
  - How do you design secure certificate request handling?
  - How do you maintain secure communication between CA and RA personnel? (signed e-mails, telephone conversations...)
  - How do you validate the identities behind certificate requests?


30 See the results and proceed
- After your presentation and the subsequent comments/questions, you may face one of the following scenarios:
  - You may immediately get accredited, if your CP/CPS review is complete and your overall presentation is successful.
  - You may have to correct some minor points in your CA design and then be accepted through the mailing list, without waiting for the next meeting.
  - You may be far from accreditation and need to correct many important points, and probably have to make another presentation at the next meeting.


32 PART II, Installation of CA
- Grid Certification Authorities use the X.509 standard for public key infrastructure (PKI).
- OpenSSL is the preferred tool for X.509 operations, including creating and signing certificate requests, issuing CRLs, revoking certificates and renewing certificates.
- See the main openssl commands at http://www.openssl.org/docs/apps/openssl.html
- You have two main alternatives to set up your CA:
  - Write your own scripts
  - Install and run OpenCA
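As an added example (not code from the tutorial or from TR-Grid CA), the following POSIX shell script walks through the OpenSSL operations listed on this slide and ties them to the design points of slides 14, 15, 23 and 38: an offline root key and certificate, a namespace check on request DNs, signing, revocation, CRL issuing, publishing the root certificate and CRL in both PEM and DER (.crt/.der) form, and a CRL freshness check. It assumes openssl and GNU date are in PATH; every path, file name and the "Demo Root CA" DN is constructed for the example.

```shell
# Added example (not the tutorial's or TR-Grid CA's code): a minimal offline-CA workflow with
# OpenSSL: root key/cert, namespace check on request DNs, signing, revocation, CRL issue, and
# publishing root cert and CRL as PEM and DER. All paths, names and the "Demo Root CA" DN are constructed.
set -eu
CA_DIR=${CA_DIR:-$(mktemp -d)}; REPO="$CA_DIR/repository"
CA_DN="/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Demo Root CA"
ca_init() {  # create the CA database, config and self-signed root certificate
  mkdir -p "$CA_DIR/newcerts" "$REPO"; : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  # [ns_policy]: C and O must equal the CA's own, OU and CN must be present; others are dropped
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ca]
default_ca = demo
[demo]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = ns_policy
x509_extensions = ee_ext
[ns_policy]
C = match
O = match
OU = supplied
CN = supplied
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[req]
distinguished_name = req_dn
[req_dn]
EOF
  # The root key never leaves the offline CA machine; -nodes is for the demo only.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CA_DIR/openssl.cnf" \
    -extensions v3_ca -subj "$CA_DN" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
}
ca_issue() {  # key + request for DN $1 into $2.{key,csr,pem}; fails outside the namespace
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" -config "$CA_DIR/openssl.cnf" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$2.csr" -out "$2.pem" 2>/dev/null
}
ca_revoke() { openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$1" -crl_reason keyCompromise 2>/dev/null; }
ca_publish() {  # issue a 7-day CRL; publish it and the root cert as PEM and DER (.crt)
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -crldays 7 -out "$REPO/ca.crl.pem" 2>/dev/null
  openssl crl -in "$REPO/ca.crl.pem" -outform DER -out "$REPO/ca.crl.der"
  cp "$CA_DIR/ca.pem" "$REPO/ca.pem"; openssl x509 -in "$CA_DIR/ca.pem" -outform DER -out "$REPO/ca.crt"
}
crl_days_left() {  # days until CRL $1 expires (GNU date assumed); re-issue before it reaches 0
  nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  echo $(( ( $(date -u -d "$nu" +%s) - $(date -u +%s) ) / 86400 ))
}
crl_lists_serial() { openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"; }  # 0 if $2 revoked
```

Attributes not named in the policy section are dropped from the issued DN rather than rejected, so anything the CP/CPS forbids (such as emailAddress in the DN) must be excluded there.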

33 Alternative I: Write your own scripts
- You can write your own scripts to handle certificate requests through a web interface:
  - You need to write PHP scripts for the online certificate request forms and keep the requests in a database such as MySQL.
  - You need to use OpenSSL commands directly for CA operations.
  - It is suitable for a small CA, but not very professional.

34 Alternative II: Install and run OpenCA
- You can download and install the free software OpenCA for your CA/RA operations, including online certificate requests: http://www.openca.org/
  - It uses OpenLDAP, OpenSSL and Apache.
  - It is suitable for a large-scale CA.

35 Advantages/Disadvantages
Scripts
  (-) requires PHP and MySQL knowledge to prepare the scripts
  (+) easier to install: once the scripts are ready, you simply run them
  (+) simple to manage CA operations
  (-) less robust, maybe some problems during operation
OpenCA
  (+) ready to install, you can download the tarball
  (-) long process, maybe some problems during setup
  (-) more complicated operations
  (+) more robust, smooth operation after installation


37 Part III, Maintenance of CA
- Below are the most important issues to follow for a successful operation:
  - Prepare the environment for the dedicated offline CA machine.
  - Maintain CA protection with best efforts (smart card, security personnel, safes...).
  - Train your RA personnel.
  - Always keep communication between RAs and the CA secure.
  - Keep your RA staff as distributed as possible (local RAs for identity validation).

38 Part III, Maintenance of CA
- Most important issues for CA maintenance (cont'd):
  - Give importance to identity validation (face-to-face meeting, checking an ID card).
  - React immediately to revocation circumstances.
  - Be on time for periodic CRL issuing and publishing.
  - Know the OpenSSL commands well.
  - Make sure you keep the accurate records you have stated in your CP/CPS.

39 Part III, Maintenance of CA
- Most important issues for CA maintenance (cont'd):
  - Follow and contribute to the discussions on the CA mailing list for news and new procedures.
  - Follow and contribute to the periodic EUGridPMA meetings.
  - Design a new CA structure according to changing requirements, and always inform EUGridPMA and get approval for changes.
  - Have alternate CA personnel in case of absence.
  - Inform EUGridPMA when your CA web site is temporarily down or when you change the URL...

40 Summary
- Plan your CA initially
- Do 4 separate actions simultaneously (subscription to the EUGridPMA mailing list, OID application, CP/CPS preparation, CA website installation)
- Set up your CA, make it operational
- Present it at an EUGridPMA meeting
- Get accredited and proceed!

41 HAPPY CERTIFICATE SIGNING! THANKS FOR YOUR ATTENTION! ANY COMMENTS/QUESTIONS?

