Presentation is loading. Please wait.

Presentation is loading. Please wait.

UGRID CA Sergii Stirenko, Oleg Alienin

Published byJoel Richards Modified over 6 years ago

Similar presentations

Presentation on theme: "UGRID CA Sergii Stirenko, Oleg Alienin"— Presentation transcript:

1 UGRID CA Sergii Stirenko, Oleg Alienin stirenko@ugrid.org

2 CA Overview Member of EUGridPMA since 2008
Located in National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute“ , Kyiv, Ukraine Provides PKI service for educational and scientific grid infrastructure in Ukraine Off-line CA CA stuff – 3 persons RA stuff – 9 persons

3 RA KPI (NTUU KPI) KIPT (National Science Center "Kharkiv Institute of Physics and Technology“) ICMP (Institute for Condensed Matter Physics of NAS of Ukraine, Lviv) ONU (HPC & FOSS Center at the I.I. Mechnikov Odessa National University) CHSTU (Chernigiv State Technological University) ISMA (Institute for Scintillation Materials NAS of Ukraine, Kharkiv) IAP (Institute of Applied Physics of NAS of Ukraine, Sumy) Temporarily suspended DONNU (Donetsk National University) MHI (Marine Hydrophysical Institute, NAS of Ukraine)

4 RA

5 Certificates statistics
All issued certificates : 2210 Issued in 2016 : 220 In 2016 People : 87 Hosts : 133 Service : 0 Revoked in 2016 People : 0 Hosts : 0

6 CA changes Root certificate
Old CA root certificate Issued Jan 21, 2008 was re-signed after 5 years Valid to Jan 21, 2018 2048 bit keyId CD:C0:D7:E1:B5:7D:9F:A9:94:48:4E:E8:14:56:55:94:ED:FF:BC:A0 Subject DN : DC=org, DC=ugrid, CN=UGRID CA CRL distribution point:

7 CA changes Root certificate
New CA root certificate Issued Jan 26, 2017 Valid to Jan 21, 2037 4096 bit keyId 8C:74:B4:B7:26:16:00:E5:0B:24:BD:23:76:7F:94:8B:E6:81:B3:CF Subject DN : DC=org, DC=ugrid, CN=UGRID CA G2 CRL distribution point:

8 CA changes Address Old address High-Performance Computing Center
National Technical University of Ukraine “Kyiv Polytechnic Institute” 03056, Prospect Peremohy, 37, building 6, Kyiv, Ukraine New address Department of Computer Engineering Faculty of Informatics and Computer Engineering National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute“ 03056, Prospect Peremohy, 37, building 18,

9 CA changes policy changes
Old OID New OID not approved by PMA yet Organization name, department name, address 1.5.1 Organization administering the document 1.5.3 Person determining CPS suitability for the policy minimum key length now is 2048 (was 1024) for end entity, 4096 for CA root 4.1.1 Who can submit a certificate application 4.2.2 Approval or rejection of certificate applications 6.1.5 Key sizes

10 CA changes policy changes
The UGRID CA uses SHA256 with RSA encryption as its signature algorithm (was SHA1 with RSA encryption) 7.1.4 Algorithm object identifiers The distinguished name of the CA is “DC=org, DC=ugrid, CN=UGRID CA G2” was “DC=org, DC=ugrid, CN=UGRID CA” 7.1.5 Name forms The lifetime of the UGRID CA root certificate is 20 years (was 5 years) 6.3.2 Certificate operational periods and key pair usage periods

11 Overview Self-audit was done in accordance with the GFD.169
Audit date: Jan 18, 2017 Summary: A : 55 B : 4 C : 5 D : 1 X : 2

12 3.1 Certification Authority 3.1.3 CA Key
(11) The CA key must be configured for long term use. (C) Old root certificate will expire Jan 21, 2018. Initially was issued: Jan 21, 2008 for 5 years, then validity period was extended to be 10 years.

13 3.1 Certification Authority 3.1.3 CA Key
(15) The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists. (X) Not applicable, offline CA (17) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid … (D) We cannot sign certificates with one-year validity time, because old certificate “valid to” date is Jan 21, 2018. So overlap between old key and new key will be less than 1 year. Old CA certificate is available, we sign CRLs. New certificate is not in the IGTF distribution yet

14 3.1 Certification Authority 3.1.4 CA Certificate
(21) The profile of the CA certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. (B) GFD.125 or GFD.225 ?

15 3.1 Certification Authority 3.1.6 Certificate Revocation List
(28) Every CA must issue a new CRL at least 7 days … (C) Usually we issue CRL’s 10 days before nextUpdate field. But several times we issued CRL’s less 7 days before nextUpdate field, when we got notification with subject “Your CRL update is OVERDUE” from robot. We’re going to set up our notification script to warn CA operator on last working day not after 10 days before nextUpdate.

16 3.1 Certification Authority 3.1.7 End Entity Certificates and Keys
(39) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed. (B) It is stated in the CP/CPS, but we don’t check (40) Certificates associated with a private key residing solely on hardware token may be renewed … (X) Not applicable, don’t use hardware tokens

17 3.1 Certification Authority 3.1.8 Records Archival
(43) These records must be available to external auditors in the course of their work as auditor. (C)Difficult to make available for auditing

18 3. 1 Certification Authority 3. 1
3.1 Certification Authority Publication and Repository Responsibilities (48) The repository must be run at least on a best-effort basis, with an intended availability of 24x7. (B) YES, but some hours of downtime was due to power/ network failures

19 3.1 Certification Authority 3.1.11 Compromise and Disaster Recover
(55) The CA must have an adequate compromise and disaster recovery procedure, and we willing to discuss this procedure in the PMA. The procedure need not be disclosed in the policy and practice statements. (C) No compromise and disaster recovery plans, But we’re working on it

20 3.2 RA 3.2.1 Entity Identification
(4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN … (B)When host certificate is issued for the first time, ownership verified by DNS/WHOIS and personal RA knowledge. We maintain a database table that maps hostnames (for which certificates were issued) to owners (their personal certificates), and their organizations. But procedure how to change this ownership isn’t well documented. Now we accept signed s or hard copy of signed and sealed letter from organization.

21 3.2 RA 3.2.3 RA to CA Communications
(8) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate. (C) This procedure isn’t well documented

22 Thank you!

Download ppt "UGRID CA Sergii Stirenko, Oleg Alienin"

Similar presentations

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr. 2009 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.
IHEP Grid CA Status Report Wei F2F Meeting 8 Mar. 2010 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.

DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
KISTI Grid CA Status Report Korea Institute of Science and Technology Information Sangwan Kim Jae-Hyuck Kwan

KISTI Grid CA Status Report Korea Institute of Science and Technology Information Sangwan Kim Jae-Hyuck Kwan
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Similar presentations

Ads by Google