CertWizard: a New Certificate Tool for the UK NGI User Community
John Kewley (john.kewley@stfc.ac.uk), Jensen, David Meredith and Akay Okcun
27/02/2021 EGI TF 2011

Outline
1. The UK e-Science CA
2. Problems with our CA Web Interface
3. CertWizard
4. Future Work

The UK e-Science CA
• 2nd largest Grid CA
• IGTF accredited classic CA
• 28,972 certificates issued
• 2,882 active currently
• RA network across UK academia (61 RAs with 112 RA Operators)

The UK e-Science CA
To support ancillary services we also have
* 2 x SLCS online CAs (SSO and SARoNGS)
* 3 x MyProxy Servers
* 2 x VOMS server
* Training CA (for short-lived training certificates)
* Test CA (for RA Training and testing)

UK e-Science Root CA Hierarchy

Problems
• Many certificate problems on our helpdesk (typically browser issues)
• Browsers change, we can't support them all, especially on different platforms
• OpenCA s/w we use hasn't been kept up to date... and we had amended it!
• Website certificate not trusted by browsers

"Hierarchitecture"
Diagram labels: Signing CA DB; CertWizard server; CertWizard client; OpenCA; PeCR 2; Browser; PeCR/PCR

Features
1. Platform and browser independent
2. No CA Certificates to download first
3. Integrated into our existing MyProxyUploader

Functionality
• Apply for a new certificate
• Renew an existing certificate
• Request revocation of a certificate
• Export/Backup your certificate
• Import a certificate
• Integrated into our proxy generation tool:
  – GSI “local” proxies
  – MyProxy upload
  – Adding VOMS attributes

http://www.ngs.ac.uk/tools/certwizard

Apply for a Certificate

Renew Certificate

Request Revocation

Export/Backup

Install Certificate
Converts certificate to a usercert/userkey.pem pair for use by the proxy generation parts of the tool.

Seamless Interworking
Integrated with MyProxyUploader, our previous proxy generation tool
• Uploading to MyProxy servers
• Local Proxies
• Add VOMS attributes

Configuration
• CA Certificates
• MyProxy servers
• VOMS servers
• Your Certificate

MyProxyUploader

Local Proxy

VOMS attributes

Further Work
• Adding an RA Tab
• Adding a tab for Host Certificates, including bulk requests
• Provision for email address changes
• Permit renewals within 1 month of expiry
• Upgrading underlying libraries

Other Developments
• Rollover of CA Certificate
• Moving to an online CA
• Improved functionality for bulk requests
• Considering accreditation for our SLCS CA
• Restructuring of our CP/CPS

Acknowledgements
• Jensen, David Meredith and Akay Okcun
• Numerous other developers
• NGS
• STFC