PKI Administration Using EJBCA and OpenCA
Presented By:
Ayesha Ghori and Asra Parveen
PKI: Public Key Infrastructure
A trusted third party.
Secured communication.
Provides digital certificates that can identify an individual or an organization.
Stores and revokes certificates.
Provides services such as encryption, digital signatures, data integrity, key establishment, and zero-knowledge/minimum-knowledge protocols.
PKI Components
Certificate Authority: A CA issues certificates to entities and vouches for their authenticity.
Registration Authority: An RA is an administrative function that registers entities in the PKI.
End entity: An end entity is a user, such as an e-mail client, a web server, a web browser or a VPN gateway.
PKI HIERARCHY
Top CA: GMU CATOP CA
Sub CAs: GMU FAIRFAX CA, GMU MANASSAS CA, GMU PW CAMPUS CA
RA instances: GMU FAIRFAX, GMU MANASSAS, GMU PW CAMPUS
Administrators: Super Administrator; GMU Fairfax CA Administrator; GMU Manassas CA Administrator; GMU PW CA Administrator; GMU Fairfax RA Administrator; GMU Manassas RA Administrator; GMU PW RA Administrator
EJBCA and OpenCA Software Requirements
Software requirements of EJBCA:
Java JDK 1.5 – Java 2 Platform Standard Development Kit.
Apache Ant – Java build utility, used to compile and build Java programs.
JBoss 4.0.5 – J2EE application server.
EJBCA download.
Software requirements of OpenCA:
OpenLDAP.
OpenSSL.
Apache Project.
Apache mod_ssl.
EJBCA
EJBCA is a fully functional Certificate Authority built in Java.
Based on J2EE technology.
Robust, high-performance, component-based CA; flexible and platform independent.
EJBCA can be used as standalone or integrated in any J2EE application.
EJBCA: Architecture
EJBCA Administration
Create and initialize the Super Administrator
Creating and configuring data sources
Creating publishers
Creating Certificate Authorities
Creating Registration Authorities
Creating end entities
Creating CRLs
Generating certificates
The EJBCA Super Admin Certificate
OpenCA
Linux based.
Provides a choice of algorithms: DES, DES3, IDEA.
Extensions provided: Subject Key Identifier (SKI) and Authority Key Identifier (AKI).
In addition to the PKI components of EJBCA, OpenCA also has a Registration Authority Operator.
OpenCA: Architecture
OpenCA Administration
Initializing the Certification Authority
Create the initial administrator
Create the initial RA Certificate
Submit a Certificate Request
Approve the Certificate
Issue the Certificate
Importing the Root Certificate
User Certificate
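The hierarchy on the PKI HIERARCHY slide and the OpenCA administration steps above (initialize the CA, submit a request, approve and issue, import the root, build a CRL) map onto a handful of OpenSSL operations, and since OpenCA drives OpenSSL underneath, that is the clearest way to see what each step actually produces. The script below is an added example, not code from the slides or from the EJBCA or OpenCA projects. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the CA names are taken from the slides, while the user name, directory layout and the `keyCompromise` revocation are constructed for the example. It builds a top CA, signs a campus sub CA under it, issues a user certificate through the sub CA, publishes a CRL, then revokes the certificate and shows that a relying party which trusts only the root sees the change only once a fresh CRL exists.

```shell
#!/bin/sh
# Added example, not from the slides or from EJBCA/OpenCA: the two-tier
# hierarchy of the PKI HIERARCHY slide plus the OpenCA administration steps
# (request, approve/issue, import root, CRL) done with plain OpenSSL.
# Assumes `openssl` 1.1.1+ or 3.x on PATH; the CA names are from the slides,
# the user name and directory layout are constructed for this example.
set -eu
# Run a command, showing its output only on failure (openssl is chatty).
quiet() { "$@" >"$PKI_DIR/last.log" 2>&1 || { cat "$PKI_DIR/last.log" >&2; return 1; }; }

# Minimal config and database files that `openssl req` / `openssl ca` need.
write_ca_config() {
  dir="$1"; mkdir -p "$dir/newcerts"; : >"$dir/index.txt"
  echo 1000 >"$dir/serial"; echo 1000 >"$dir/crlnumber"
  cat >"$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_end_entity ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Top CA: self-signed root ("GMU CATOP CA"); its certificate is the trust anchor.
create_root_ca() {
  write_ca_config "$PKI_DIR/root"
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca \
    -config "$PKI_DIR/root/openssl.cnf" -subj "/CN=GMU CATOP CA" \
    -keyout "$PKI_DIR/root/ca.key" -out "$PKI_DIR/root/ca.crt"
}

# Sub CA: a CSR signed by the root, like the campus sub CAs.  $1 = dir, $2 = CN
create_sub_ca() {
  d="$PKI_DIR/$1"; write_ca_config "$d"
  quiet openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
    -subj "/CN=$2" -keyout "$d/ca.key" -out "$d/ca.csr"
  quiet openssl ca -batch -notext -config "$PKI_DIR/root/openssl.cnf" \
    -extensions v3_ca -in "$d/ca.csr" -out "$d/ca.crt"
}

# End entity: the user submits a request, the RA/CA operator approves and
# issues; `-batch` stands in for that approval.  $1 = sub CA dir, $2 = CN, $3 = out dir
issue_user_cert() {
  d="$PKI_DIR/$1"; mkdir -p "$3"
  quiet openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
    -subj "/CN=$2" -keyout "$3/user.key" -out "$3/user.csr"
  quiet openssl ca -batch -notext -config "$d/openssl.cnf" \
    -extensions v3_end_entity -in "$3/user.csr" -out "$3/user.crt"
}

# CRL generation is manual, as the comparison slide says of OpenCA: a
# revocation reaches relying parties only when a fresh CRL is produced.
generate_crl() { quiet openssl ca -config "$PKI_DIR/$1/openssl.cnf" -gencrl -out "$PKI_DIR/$1/crl.pem"; }
revoke_user_cert() {  # $1 = sub CA dir, $2 = certificate (constructed reason: keyCompromise)
  quiet openssl ca -config "$PKI_DIR/$1/openssl.cnf" -revoke "$2" -crl_reason keyCompromise; generate_crl "$1"
}

# Relying-party check: trust only the imported root, chain through the sub CA
# and consult the sub CA's CRL.  Prints "valid" or "invalid".  $1 = sub CA dir, $2 = cert
cert_status() {
  if openssl verify -crl_check -CAfile "$PKI_DIR/root/ca.crt" -untrusted "$PKI_DIR/$1/ca.crt" \
       -CRLfile "$PKI_DIR/$1/crl.pem" "$2" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# Whole walkthrough in a fresh directory; prints "valid invalid" (before/after revocation).
run_demo() {
  PKI_DIR=$(mktemp -d)
  create_root_ca; create_sub_ca fairfax "GMU FAIRFAX CA"
  issue_user_cert fairfax alice "$PKI_DIR/alice"
  generate_crl fairfax
  before=$(cert_status fairfax "$PKI_DIR/alice/user.crt")
  revoke_user_cert fairfax "$PKI_DIR/alice/user.crt"
  echo "$before $(cert_status fairfax "$PKI_DIR/alice/user.crt")"
}

run_demo
```

Running the script prints `valid invalid`: the user certificate chains to the root through the sub CA and passes the CRL check, and after revocation plus a regenerated CRL the same check fails. If `revoke_user_cert` skipped `generate_crl`, the status would still read `valid`, which is exactly the gap the "CRL updates: Automatic vs. Manual" row of the comparison describes. The root's own certificate is the only thing a relying party needs to import; the sub CA certificate travels with the chain as untrusted input, which is why `cert_status` passes it via `-untrusted` rather than `-CAfile`.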
Comparison
Parameter                               EJBCA                                       OpenCA
Ease of configuration                   Very complex                                Complex
Confidentiality                         Offers confidentiality using encryption     Offers confidentiality using encryption
Integrity                               Offers integrity by encryption              Offers integrity by encryption
Authentication                          Offers authentication by digital signature  Offers authentication by digital signature
Non-repudiation                         Yes                                         Yes
Ability to choose the algorithm to use  Yes                                         Yes
OCSP                                    Yes                                         Yes
Ability to choose CSP                   Yes                                         No
CRL updates                             Automatic                                   Manual
Cost                                    Free                                        Free
Extensions                              Yes                                         Yes
LDAP support                            Yes                                         Yes
Support for smart cards                 Yes                                         No
Platform                                Java J2EE                                   Perl CGI on Unix
Certificate repositories                HSQL                                        MySQL
Modules                                 EJB                                         Perl modules
Component based                         Yes                                         Yes
Standalone component                    Present                                     Not present
Supported browsers                      Multiple                                    Multiple
Scalability                             Good                                        Bad
Conclusion
EJBCA is the simplest to use, but is complex during installation, and provides for automatic CRL updates.
OpenCA is the best for Linux users, but revocations are manual.
Both can be used by various clients.