Certification Authority

Posted on 13-Feb-2016


Transcript of Certification Authority

Certification Authority

MIEIC – Segurança de Sistemas Informáticos

João Brito – ei07052

João Coelho – ei07118

Contents

• Theoretical introduction

• State of the art

• Technologies review

• Use case scenarios

Problem

• How to deploy a Certificate Authority for University of Porto?

• How to provide trusted digital certificates?

• How to maintain a CRL?

Theoretical Introduction

What is a CA?

Goals

• Ensure:
  • Information integrity
  • User authentication
  • Non-repudiation of electronic data

State of the art

Technologies

• OpenCA
  • Apache
  • PHP
  • Perl

• PHPki
  • Apache
  • PHP

• EJBCA
  • Java Application Server (JBoss)
  • Apache Ant (required to install)

Solution

Deployment of a CA based on the EJBCA architecture.

Functionalities

• Administration
  • CA creation and activation;
  • Manage entities;
  • Profile management;

• Public Area
  • Certificate acquisition;
  • Certificate revocation check;

Deployment

• EJBCA deployment
  • Apache Ant – configure and install EJBCA
  • JBoss Application Server – application server that will provide the CA service

• Administrators should install the SuperAdmin certificate to access the following URL:

• https://localhost:8443/ejbca/adminweb

User configuration

• User information to certify:
  • Name
  • Address
  • Phone number
  • Email

• User details must be verified against the user's personal documents:
  • Citizen card
  • Email/SMS secret key

Certificates

• Browser certificates
  • Authenticate users on the faculty's services.

• SSL/SSH Certification

Certificates

Other applications

• Certificate Signing Requests

• User uploads his public key;

• CA returns the certificate;

Base64 encoding

PEM format

Specific software needed

• OpenSSL

Certificate applications

• Signing information is not a functionality of this application.

• Document signing has to be done at client side.

• Examples:
  • Import the certificate into Thunderbird
  • Use with OpenSSH

Signature Validation

• User lists certificates

• Entering certificate properties:
  • Issuer DN
  • Certificate serial number
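The two identifiers the slide above keys on (Issuer DN and certificate serial number) are fields of the DER structure that a PEM file carries as Base64, which is what the "Certificate Signing Requests / Base64 encoding / PEM format" slides describe. The following is an added example, not code from the presentation or from EJBCA: it builds a constructed toy X.509 certificate in DER (the issuer "Example UP Root CA", the subject, the serial 0x1234ABCD and the dates are assumptions; the key and signature bytes are zero placeholders), wraps it as PEM, converts it back, and reads the issuer DN and serial out of the DER. It uses only the Python standard library and deliberately does not verify the signature; that remains the job of OpenSSL or the client software named on the slides.

```python
import base64
import datetime
import textwrap

# ---- Minimal DER encoder: just what the constructed toy certificate needs ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b  # long form: count byte, then the length bytes

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):  # one spare bit keeps the two's-complement encoding positive
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):  # first two arcs share a byte, the rest are base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_seq(*items):
    return tlv(0x30, b"".join(items))
def rdn(oid, value):  # RelativeDistinguishedName ::= SET { SEQUENCE { type OID, value UTF8String } }
    return tlv(0x31, der_seq(der_oid(oid), tlv(0x0C, value.encode())))
def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

NULL = tlv(0x05, b"")
SHA256_RSA = der_seq(der_oid("1.2.840.113549.1.1.11"), NULL)

def build_sample_certificate():
    """Constructed toy certificate: real X.509 layout, placeholder key and signature bytes."""
    issuer = der_seq(rdn("2.5.4.6", "PT"), rdn("2.5.4.10", "Universidade do Porto"),
                     rdn("2.5.4.3", "Example UP Root CA"))          # assumed CA name
    subject = der_seq(rdn("2.5.4.6", "PT"), rdn("2.5.4.3", "ei07052"))
    validity = der_seq(der_utctime(datetime.datetime(2016, 2, 13)),
                       der_utctime(datetime.datetime(2017, 7, 31)))
    spki = der_seq(der_seq(der_oid("1.2.840.113549.1.1.1"), NULL), tlv(0x03, b"\x00" * 9))
    tbs = der_seq(tlv(0xA0, der_int(2)),     # [0] EXPLICIT version (v3)
                  der_int(0x1234ABCD),       # serialNumber (assumed value)
                  SHA256_RSA, issuer, validity, subject, spki)
    return der_seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" * 17))  # signatureValue placeholder

# ---- PEM = Base64 of the DER bytes, wrapped at 64 columns between armour lines ----
def der_to_pem(der, label="CERTIFICATE"):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem):
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

# ---- Minimal DER reader: enough to walk Certificate -> tbsCertificate ----
def der_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

def name_to_string(name_body):
    parts = []
    for _, rdn_set in der_children(name_body):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)
            oid = decode_oid(oid)
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={value.decode()}")
    return ",".join(parts)

def certificate_summary(der):
    """Issuer DN plus serial number: the pair that identifies a certificate in a CRL."""
    _, cert, _ = der_read(der)                # Certificate ::= SEQUENCE
    (_, tbs), _, _ = der_children(cert)       # tbsCertificate, signatureAlgorithm, signatureValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] version comes before serialNumber
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return {"serial": serial, "issuer": name_to_string(fields[2][1])}
```

Calling `certificate_summary(pem_to_der(der_to_pem(build_sample_certificate())))` yields the issuer `C=PT,O=Universidade do Porto,CN=Example UP Root CA` and serial `0x1234ABCD`. The serial is read with `signed=True` on purpose: DER integers are two's complement, so a parser that treats the bytes as unsigned would misreport a serial whose top bit is set.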

Key expiration

• The certificate's validity date should not go beyond the graduation year.

• Key generation could be performed by CICA.

• An alternative is the submission of a new key generated by the user, and the CA should return a new digital certificate.

Revocation Lists

• The list update rate is defined by the system administrator.

• Should be frequently updated.

• Can be obtained by anyone on the public EJBCA webpage.
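How a relying party should apply the two slides above (validity must not outlast the graduation year; the CRL is published at an administrator-defined rate and must stay fresh), as an added example that is not part of the presentation or of EJBCA. The `CRL` dataclass, the issuer name, serial and timestamps are constructed for the demo; a real checker would fill them from a parsed CRL. The point the slides leave implicit is the fail-closed rule: a CRL from another issuer, or one whose `nextUpdate` has passed, proves nothing, so the answer is "unknown" rather than "good".

```python
import datetime
from dataclasses import dataclass, field

@dataclass
class CRL:
    """Constructed model of the CRL fields a checker needs (not EJBCA's own format)."""
    issuer: str
    this_update: datetime.datetime
    next_update: datetime.datetime
    revoked: dict = field(default_factory=dict)  # serial number -> revocation time

def revocation_status(issuer, serial, crl, now):
    """Return 'revoked', 'good' or 'unknown' for the certificate (issuer, serial)."""
    if crl.issuer != issuer:
        return "unknown"          # a CRL only speaks for certificates its own CA issued
    if not crl.this_update <= now <= crl.next_update:
        return "unknown"          # stale (or not yet valid) list: a missing entry proves nothing
    return "revoked" if serial in crl.revoked else "good"

def within_enrolment(not_after, graduation_year):
    """Policy from the slides: the certificate must not stay valid past the graduation year."""
    return not_after.year <= graduation_year

def refresh_due(crl, now, margin=datetime.timedelta(hours=1)):
    """Fetch the next CRL before the current one lapses, so clients never fall into 'unknown'."""
    return now >= crl.next_update - margin

# Constructed sample: one CRL, 24 h publication interval, one revoked serial
SAMPLE_CRL = CRL(
    issuer="C=PT,O=Universidade do Porto,CN=Example UP Root CA",   # assumed CA name
    this_update=datetime.datetime(2016, 2, 13, 8, 0),
    next_update=datetime.datetime(2016, 2, 14, 8, 0),
    revoked={0x1234ABCD: datetime.datetime(2016, 2, 13, 7, 30)},
)
SAMPLE_NOW = datetime.datetime(2016, 2, 13, 12, 0)        # inside the CRL's validity window
SAMPLE_STALE_NOW = datetime.datetime(2016, 2, 20, 12, 0)  # a week after nextUpdate
```

With `SAMPLE_NOW`, serial `0x1234ABCD` is reported as revoked and any other serial as good; at `SAMPLE_STALE_NOW` every lookup returns unknown, which is the signal that the administrator's update rate is too slow or the fetch job has stopped.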

Considerations

• Must be provided:
  • Webpage documentation for the user:
    • Certificate creation guides
    • Certificate revocation guides
  • Certification documentation:
    • Step-by-step user guide for common certification software
      • For example OpenPGP, OpenSSL, etc.

Thank you!

Questions?