Certificates, Browsers & You: What is all this certificate crud?
Frank J. Nagy and Associates... God of Kerberos
Certificate Talks
• Introduction and Theory
• Using get-cert (KCA certificate) under Linux
• Using get-cert (KCA certificate) under OS X
• Using Network Identity Manager for Windows
• More Theory
Introduction and Theory
• Public key encryption, Public Key Infrastructure (PKI)
• Digital Signature
• {Digital} Certificate
• X.509 Standard (CCITT) and X.500 Naming Conventions
• Distinguished and Common Names
• Certificate Authority (CA)
• CA Certificate
• Chain of Trust
• Secure Socket Layer (SSL)
Public Key Encryption
[Figure: Bob's keys (public and private) and Bob's co-workers Pat, Doug and Susan. Pat's message "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" is encrypted with Bob's public key into unreadable ciphertext, which only Bob's private key turns back into the original message.]
Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself
Digital Signature
Digital Certificate
[Figure: Bob's Info (Name, Department, Cubicle Number), Certificate Info (Expiration Date, Serial Number) and Bob's Public Key are signed by the Certificate Authority with the CA Private Key to form the certificate.]
Look Inside the Certificate
Subject Information:
- Organization
- Name
- Email (optional)
Certificate Information:
- Issuer (CA) Name
- Validity dates (begin: end)
- Serial Number
- Usage flags
Hash Data
Subject's Public Key
Signature (by CA Private Key)
Some Certificate Uses
• Signing messages
  – Identify author
  – Make message tamper-evident
• Identify host for SSL connection
• Web site authentication (common KCA usage)
• Others
And now for something... Completely specific: The How-To talks on getting KCA certificates under Linux, Mac OS X and Windows
Certificate Parts
• Subject (of the certificate)
• Valid and Expiration Dates
• Serial Number
• Public Key of the Subject
• Issuer of this certificate
• Hash and signature encoding algorithms
• Signed by CA Certificate private key
• Extensions (E-mail address, etc.)
Certificate Parts #2
• Distinguished Names (DN) and Common Names (CN)
  – /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
  – /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  – /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
  – /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy
• Signature makes certificate tamper-evident
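The slash-style DNs above are OpenSSL's display form. Below is an added example (not code from the talk, Fermilab or the KCA) that parses that form into its RDN components, lists the Common Names, pulls the Kerberos user name out of the trailing CN=UID:<name> component of a Fermilab KCA user DN, and rewrites the DN in the comma-separated order browsers show. The KCA_USER_PREFIX namespace check is an assumption of this example: it only accepts the UID from DNs under the Fermilab "People" tree, so a UID component under some other issuer's naming tree is never mapped to a local account. The only input is the four DNs from the slide.

```python
"""Parse the OpenSSL "slash" style Distinguished Names shown on the slide."""
import re
from typing import List, Optional, Tuple

# The four DNs from the slide (the only sample input this example uses).
SLIDE_DNS = [
    "/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270",
    "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1",
    "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM",
    "/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "/A=v/B=w" into [("A", "v"), ("B", "w")], most significant first.
    Values may contain spaces and colons (CN=UID:nagy); a backslash escapes a
    literal '/' inside a value, as OpenSSL does."""
    if not dn.startswith("/"):
        raise ValueError("slash-style DN must start with '/'")
    parts, buf, i = [], "", 1
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if dn[i] == "/":                         # component separator
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, eq, value = part.partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip(), value))
    return rdns


def common_names(dn: str) -> List[str]:
    """All CN values, in order; a KCA user DN carries two of them."""
    return [v for a, v in parse_dn(dn) if a == "CN"]


# Assumed namespace for KCA user certificates (taken from the slide's fourth DN).
KCA_USER_PREFIX = [("DC", "gov"), ("DC", "fnal"), ("O", "Fermilab"), ("OU", "People")]


def kerberos_uid(dn: str) -> Optional[str]:
    """Return the Kerberos user name from the trailing CN=UID:<name> component
    of a Fermilab KCA user DN, or None for any DN outside that namespace."""
    rdns = parse_dn(dn)
    if rdns[:len(KCA_USER_PREFIX)] != KCA_USER_PREFIX:
        return None
    for attr, value in rdns[len(KCA_USER_PREFIX):]:
        if attr == "CN" and value.startswith("UID:"):
            return value[len("UID:"):]
    return None


def to_rfc2253(dn: str) -> str:
    """Comma-separated, least-significant-first form that browsers display,
    escaping the characters RFC 2253 treats as special."""
    esc = lambda v: re.sub(r'([,+"\\<>;])', r"\\\1", v)
    return ",".join(f"{a}={esc(v)}" for a, v in reversed(parse_dn(dn)))


if __name__ == "__main__":
    for dn in SLIDE_DNS:
        print(to_rfc2253(dn), "->", common_names(dn), kerberos_uid(dn))
```

Note that the user DN has two CN components; code that takes "the" CN of a certificate and uses it as a login name will pick one of them more or less by accident, which is why the example looks for the UID: prefix explicitly and only within the expected naming tree.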
Types of Certificates
• Long-term personal certificates
  – DOEGrids, Thawte, Verisign, etc.
• Short-term personal certificates
  – Fermilab KCA
• Host/Service certificates
  – For a particular node
  – *.fnal.gov
Fermilab Kerberos CA (KCA)
• Get a certificate based on Kerberos credentials
• Tied to the Fermilab Infrastructure
  – KCA uid=nagy is user name in CNAS, etc.
• Short-term certificate, valid for maximum lifetime (7 days) of the Kerberos ticket
Certificate Authority
• Validates identity
  – KCA relies on your having Kerberos credentials
• Issues certificates signed with CA private key
• Identified by Certificate Authority Certificate
  – CA Certificate needed to validate issued certificate
• Maintains Certificate Revocation List (CRL)
Trust Chain
[Figure: chain of trust from Root CA to Subordinate CA to End User]
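The slides on Public Key Encryption, Digital Signature, Digital Certificate / Look Inside the Certificate, Certificate Authority and Trust Chain describe one mechanism applied at several levels. The following added example (not code from the talk, Fermilab or the KCA) ties them together in a single runnable toy: textbook RSA on tiny keys for encryption and signing, a JSON dictionary in place of X.509/DER for the to-be-signed fields, and a chain verifier that walks end user -> subordinate CA -> root, checking validity dates, a revocation list and each signature before accepting the root only if it is in the trust store. The key primes, the "Demo Root CA" and "Bob" names, the dates and the serial numbers are all constructed for the example; the Kerberized CA HSM name and the 7-day lifetime come from the slides. Textbook RSA with no padding is used purely so the arithmetic is visible; it is not how a real CA signs.

```python
"""Toy chain of trust: Root CA -> Subordinate (Kerberized) CA -> end user.
Textbook RSA on tiny keys and JSON in place of X.509/DER, illustration only."""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def toy_keypair(p, q, e=65537):
    """(n, e) public and (n, d) private. p, q must be primes; Python 3.8+ for pow(e, -1, m)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def encrypt(public, msg: bytes) -> int:
    n, e = public
    m = int.from_bytes(msg, "big")
    assert m < n, "message too long for this toy key"
    return pow(m, e, n)                       # anyone holding Bob's public key can do this


def decrypt(private, c: int) -> bytes:
    n, d = private
    m = pow(c, d, n)                          # only Bob's private key undoes it
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_h(data, n), d, n)             # hash, then apply the private key


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _h(data, n)      # recover the hash with the public key


def canonical(tbs: dict) -> bytes:
    return json.dumps(tbs, sort_keys=True).encode()   # stand-in for DER encoding


def issue(subject, issuer, subject_pub, issuer_priv, serial, not_before, days):
    """The issuer signs the to-be-signed fields from the 'Look Inside' slide."""
    tbs = {"subject": subject, "issuer": issuer, "serial": serial,
           "notBefore": not_before.isoformat(),
           "notAfter": (not_before + timedelta(days=days)).isoformat(),
           "publicKey": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(issuer_priv, canonical(tbs))}


def verify_chain(chain, trust_store, now, crl=frozenset()):
    """chain = [end user, subordinate CA, ..., root]; trust_store maps a root's
    name to its public key; crl holds revoked (issuer, serial) pairs."""
    t = now.isoformat()
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if not tbs["notBefore"] <= t <= tbs["notAfter"]:
            return False, f"{tbs['subject']}: outside validity period"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: revoked"
        if i + 1 < len(chain):                            # signed by the next cert up
            issuer_tbs = chain[i + 1]["tbs"]
            if issuer_tbs["subject"] != tbs["issuer"]:
                return False, f"{tbs['subject']}: issuer name mismatch"
            issuer_pub = tuple(issuer_tbs["publicKey"])
        else:                                             # top: must be a trusted, self-signed root
            issuer_pub = trust_store.get(tbs["subject"])
            if tbs["issuer"] != tbs["subject"] or issuer_pub != tuple(tbs["publicKey"]):
                return False, f"{tbs['subject']}: not a trusted root"
        if not verify(issuer_pub, canonical(tbs), cert["signature"]):
            return False, f"{tbs['subject']}: bad signature"
    return True, "chain verified"


def demo():
    # Constructed demo keys from Mersenne primes (instant to compute, not secure).
    root_pub, root_priv = toy_keypair(2**61 - 1, 2**607 - 1)
    kca_pub, kca_priv = toy_keypair(2**89 - 1, 2**521 - 1)
    bob_pub, bob_priv = toy_keypair(2**107 - 1, 2**127 - 1)
    ROOT = "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Demo Root CA"   # constructed
    KCA = "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM"
    BOB = "/DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Bob/CN=UID:bob"                   # constructed
    t0 = datetime(2009, 6, 1, tzinfo=timezone.utc)                                  # constructed
    root = issue(ROOT, ROOT, root_pub, root_priv, 1, t0, 3650)   # self-signed root
    kca = issue(KCA, ROOT, kca_pub, root_priv, 2, t0, 1825)      # subordinate CA
    bob = issue(BOB, KCA, bob_pub, kca_priv, 3, t0, 7)           # KCA: 7-day lifetime
    trust, chain, day3 = {ROOT: root_pub}, [bob, kca, root], t0 + timedelta(days=3)
    tampered = json.loads(json.dumps(bob))                        # deep copy, then edit a field
    tampered["tbs"]["subject"] = BOB.replace("bob", "mallory")
    c = encrypt(bob_pub, b"Lunch at Taco Bell?")
    return {
        "valid": verify_chain(chain, trust, day3)[0],
        "expired": verify_chain(chain, trust, t0 + timedelta(days=8))[0],
        "revoked": verify_chain(chain, trust, day3, crl={(KCA, 3)})[0],
        "tampered": verify_chain([tampered, kca, root], trust, day3)[0],
        "untrusted_root": verify_chain(chain, {}, day3)[0],
        "roundtrip": decrypt(bob_priv, c) == b"Lunch at Taco Bell?",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>15}: {v}")
```

The five negative cases are the checks a browser or get-cert client performs in the same order of cost: dates and the CRL need no arithmetic, the issuer-name match decides which key to use, and only then is a signature verified. Editing a single field of the end-user certificate invalidates it because the signature covers the canonical encoding of every to-be-signed field, which is exactly what "signature makes certificate tamper-evident" means; and a chain that checks out cryptographically is still rejected when its root is not in the trust store, which is why the CA certificate has to be installed before an issued certificate can be validated.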
Further Reading
• What is a Digital Signature?
  – http://www.youdzone.com/signature.html
  – The source of some of the images in my talk.
• OpenSSL Certificate Cookbook – Certificate Management and Installation with OpenSSL
  – http://gagravarr.org/writing/openssl-certs/index.shtml
• OpenSSL Certificate Cookbook
  – http://www.amigodocarro.com/html/ssl_cook.html
• Wikipedia: Public key certificate
  – http://en.wikipedia.org/wiki/Public_key_certificate