Post on 13-Feb-2016
Certification Authority
MIEIC – Segurança de Sistemas Informáticos
João Brito – ei07052
João Coelho – ei07118
Contents
• Theoretical introduction
• State of the art
• Technologies review
• Use case scenarios
Problem
• How to deploy a Certificate Authority for University of Porto?
• How to provide trusted digital certificates?
• How to maintain a CRL?
Theoretical Introduction
What is a CA?
Goals
• Ensure:
• Information integrity
• User authentication
• Non-repudiation of electronic data
State of the art
Technologies
• OpenCA
  • Apache
  • PHP
  • Perl
• PHPki
  • Apache
  • PHP
• EJBCA
  • Java Application Server (JBoss)
  • Apache Ant (required to install)
Solution
Deployment of a CA based on EJBCA architecture.
Functionalities
• Administration
• CA creation and activation;
• Manage entities;
• Profile management;
• Public Area
• Certificate acquisition;
• Certificate revocation check;
Deployment
• EJBCA deployment
  • Apache Ant – configure and install EJBCA
  • JBoss Application Server – application server that will provide the CA service
• Administrators should install the SuperAdmin certificate to access the following URL:
• https://localhost:8443/ejbca/adminweb
User configuration
• User information to certify:
  • Name
  • Address
  • Phone number
  • Email
• User details must be verified with user personal documents
  • Citizen card
  • Email/SMS secret key
Certificates
• Browser certificates
  • Authenticate users on faculty’s services.
• SSL/SSH Certification
Certificates
Other applications
• Certificate Signing Requests
• User uploads his public keys;
• CA retrieves certificate;
Base64 encoding
PEM format
Specific software needed
• OpenSSL
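The request flow on the slide above (the user creates a key pair, uploads a request carrying the public key, and the CA returns a certificate), as an added example that is not part of the original slides. The subject string, file names, function names and the 2048-bit RSA key size are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. The subject below is a constructed placeholder, not a real identity.
SUBJECT="/C=PT/O=Example University/CN=student.example"

# Create an RSA key pair and a PKCS#10 request in directory $1.
# user.key never leaves the client; user.csr is what gets uploaded to the CA.
make_csr() {
    ( umask 077 && openssl genrsa -out "$1/user.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/user.key" -subj "$SUBJECT" -out "$1/user.csr"
}

# The request is self-signed with the private key, which proves possession
# of that key to the CA. Match the message text, since its prefix and the
# exit status on failure differ between OpenSSL releases.
csr_signature_ok() {
    openssl req -in "$1/user.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# PEM is the DER structure, Base64-encoded, between BEGIN/END lines.
# Strip the armor, decode, and compare with OpenSSL's own DER output.
pem_body_is_der() {
    sed '/^-----/d' "$1/user.csr" | openssl base64 -d > "$1/body.der" || return 1
    openssl req -in "$1/user.csr" -outform DER -out "$1/user.der" || return 1
    cmp -s "$1/body.der" "$1/user.der"
}

# Pre-upload check: the file must be a request and hold no private key.
safe_to_upload() {
    head -n 1 "$1/user.csr" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----$' &&
        ! grep -q 'PRIVATE KEY' "$1/user.csr"
}

workdir=$(mktemp -d)
make_csr "$workdir" && csr_signature_ok "$workdir" &&
    pem_body_is_der "$workdir" && safe_to_upload "$workdir" &&
    echo "CSR ready: $workdir/user.csr"
```

The contents of `user.csr` are what the user would submit on the CA's public page; the key file stays on the client with owner-only permissions.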
Certificate applications
• Signing information is not a functionality of this application.
• Document signing has to be done at client side.
• Examples:
  • Import certificate to Thunderbird
  • Use with OpenSSH
Signature Validation
• User lists certificates
• Entering certificate properties:
  • Issuer DN
  • Certificate serial number
Key expiration
• Certificate’s validity date should not go beyond graduation year.
• Key generation could be performed by CICA’s.
• An alternative is submission of a new key generated by the user, and the CA should return a new digital certificate.
Revocation Lists
• The list update rate is defined by the system administrator.
• Should be frequently updated.
• Can be obtained by anyone on the public EJBCA webpage.
Considerations
• Must be provided:
• Webpage documentation for the user:
  • Certificate creation guides
  • Certificate revocation guides
• Certification documentation:
  • Step-by-step user guide for common certification software
  • For example OpenPGP, OpenSSL, etc.
Thank you!
Questions?