ULAGrid Certification Authority


Page 1: ULAGrid Certification Authority

IST-2006-026409 www.eu-eela.org

E-infrastructure shared between Europe and Latin America

ULAGrid Certification Authority

Vanessa Hamar
Universidad de Los Andes, Merida, Venezuela
5th F2F Banff, 17/07/2007

Page 2: ULAGrid Certification Authority


Overview

• Introduction
• Key Sizes
• Repository
• Identification and Authentication

Page 3: ULAGrid Certification Authority


Introduction

• The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.

• CP/CPS follows the IETF's RFC 3647
• CP/CPS OID: 1.3.6.1.4.1.19286.2.2.2.0.1.3

Page 4: ULAGrid Certification Authority


Key Sizes

• Keys of length less than 1024 bits are not accepted.
• All user keys will have a 1024 bit RSA key size.
• All host and service keys will have a 2048 bit RSA key size.
• The ULA CA key length will always have a RSA 2048 bit key size.
• The lifetime is 10 years for the CA and 1 year for End Entities.

Page 5: ULAGrid Certification Authority


Repository

• The online repository of information from the ULAGrid CA is accessible at: https://ra.cecalc.ula.ve/pub/ (Email = [email protected])

• This is a secure online repository that contains:
– The ULAGrid CA's certificate,
– All end entity certificates issued by the CA,
– A Certificate Revocation List,
– A copy of the most recent approved version of this policy and all previous approved versions.

Page 6: ULAGrid Certification Authority


Repository

• URL for the CA's main web page with info: https://ra.cecalc.ula.ve

• URL for the CRL on the CA's web site: http://ra.cecalc.ula.ve/pub/crl/cacrl.crl

Page 7: ULAGrid Certification Authority


Repository

Page 8: ULAGrid Certification Authority


Repository

Page 9: ULAGrid Certification Authority


Repository

Page 10: ULAGrid Certification Authority


Identification and authentication

• The Subject Name is of the X.500 name type, a Distinguished Name.

• The generic format for a service subject is as follows:
• C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN

• The "C=VE" and "O=Grid" are the subject's fixed parts and must be present in all the certificates.

• An additional subscriber's organization "O=", describing the organization's name, must be provided, as well as an "OU=" describing the organization group.

• All the subject parts are mandatory in all the certificates, including the two “O=”.

• The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.

Page 11: ULAGrid Certification Authority


Identification and authentication

• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
  subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]

• ra:~# openssl x509 -in usercert.pem -subject -noout
  subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar

Page 12: ULAGrid Certification Authority


Profile ULAGrid CA

• For CA certificates:
– Basic Constraints: critical, ca: true
– Subject Key Identifier: hash
– Authority Key Identifier: keyid
– Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign
– Extended Key Usage: timeStamping
– Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
– Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
– Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3

Page 13: ULAGrid Certification Authority


Profile ULAGrid CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8e:2a:83:5b:16:0f:a0:e8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:15:02 2007 GMT
            Not After : Jul 10 14:15:02 2017 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

Page 14: ULAGrid Certification Authority


Profile ULAGrid CA

            X509v3 Subject Key Identifier:
                DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
            X509v3 Authority Key Identifier:
                keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]
                serial:8E:2A:83:5B:16:0F:A0:E8
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 Issuer Alternative Name:
                email:[email protected]
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                CeCalCULA Certification Authority Certificate

Page 15: ULAGrid Certification Authority


Profiles Users

For natural person certificates:
– Basic Constraints: critical, ca: false
– Subject Key Identifier: hash
– Authority Key Identifier: keyid
– Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment
– Extended Key Usage: clientAuth, emailProtection, timeStamping
– Netscape Cert Type: SSL Client, S/MIME, Object Signing
– Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
– CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
– Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
– Subject Alternative Name: e-mail address

Page 16: ULAGrid Certification Authority


Profile Users

ra:~# openssl x509 -in usercert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

Page 17: ULAGrid Certification Authority


Profile Users

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                  CPS: http://ra.cecalc.ula.ve/pub
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                Registration Authority Operator of CeCalCULA
            X509v3 Subject Key Identifier:
                95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3

Page 18: ULAGrid Certification Authority


Others

• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose

Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes

Page 19: ULAGrid Certification Authority


Others

• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
– SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5

• # Signing policy file for ULAGridCA
– access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]'
– pos_rights globus CA:sign
– cond_subjects globus '"/C=VE/O=Grid/*"'

• ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
– serial=8E2A835B160FA0E8
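As an added example, not from the slides and not the CA's own software: the naming rules from the Identification and authentication slide and the `cond_subjects` pattern from the signing policy file above, written out in Python. `parse_dn` accepts both forms the slides show, OpenSSL's slash form (`/C=VE/O=Grid/...`, optionally prefixed with `subject=`) and the comma form, and keeps the slash inside a `CN=service/FQDN` value intact; `check_subject_name` enforces the fixed `C=VE, O=Grid` prefix, the second `O=`, the `OU=` and the `CN=`; `SubjectRegistry` models the rule that a Distinguished Name is certified only once; `matches_signing_policy` applies `/C=VE/O=Grid/*` with `*` read as a glob over the slash-form name, which is my assumption about how the pattern is matched rather than something the slide states. The sample names are taken from the slides; the host name `grid.example` is a constructed placeholder.

```python
import re
from fnmatch import fnmatchcase

# Fixed subject parts stated on the "Identification and authentication" slide.
FIXED_PREFIX = [("C", "VE"), ("O", "Grid")]
# cond_subjects pattern from the signing policy file shown on the slides.
SIGNING_POLICY_PATTERN = "/C=VE/O=Grid/*"


def parse_dn(dn):
    """Parse a DN into an ordered list of (attribute, value) pairs.

    Accepts OpenSSL's slash form ("/C=VE/O=Grid/...", optionally prefixed with
    "subject=") and the comma form ("C=VE, O=Grid, ...").  In the slash form a "/"
    only separates components when an "attr=" follows it, so a value such as
    CN=service/FQDN is not split apart."""
    dn = dn.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    if dn.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z]+=)", dn[1:])
    else:
        parts = dn.split(",")
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_slash_form(rdns):
    """Render parsed components in OpenSSL's slash form."""
    return "".join(f"/{a}={v}" for a, v in rdns)


def check_subject_name(dn):
    """Apply the naming rules from the slides; returns a list of violations ([] = ok)."""
    rdns = parse_dn(dn)
    attrs = [a for a, _ in rdns]
    findings = []
    if rdns[:2] != FIXED_PREFIX:
        findings.append("subject must begin with the fixed parts C=VE, O=Grid")
    if attrs.count("O") < 2:
        findings.append("a second O= naming the subscriber's organization is required")
    if "OU" not in attrs:
        findings.append("an OU= naming the organization group is required")
    if "CN" not in attrs:
        findings.append("a CN= is required")
    return findings


class SubjectRegistry:
    """Uniqueness rule: a Distinguished Name is certified once.  Both spellings of a
    name parse to the same key, so a comma-form and a slash-form request for the
    same subject collide."""

    def __init__(self):
        self._issued = set()

    def register(self, dn):
        key = tuple(parse_dn(dn))
        if key in self._issued:
            return False
        self._issued.add(key)
        return True


def matches_signing_policy(dn, pattern=SIGNING_POLICY_PATTERN):
    """Assumed cond_subjects semantics: a glob over the slash-form name, with '*'
    matching any run of characters."""
    return fnmatchcase(to_slash_form(parse_dn(dn)), pattern)


if __name__ == "__main__":
    # Names from the slides; grid.example is a constructed placeholder host name.
    samples = [
        "subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
        "C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=host/grid.example",
        "/C=VE/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
    ]
    for s in samples:
        print(to_slash_form(parse_dn(s)), check_subject_name(s) or "ok",
              "signing policy:", matches_signing_policy(s))
```

The third sample is the interesting one: it is a well-formed DN that the signing policy rejects and that also fails two of the naming rules, which is the case a registration authority wants to catch before a request reaches the CA.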

Page 20: ULAGrid Certification Authority


?