Terena server certificate service
Sponsored Links
This presentation is the property of its rightful owner.
1 / 19

TERENA Server Certificate Service PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

TERENA Server Certificate Service. Towards the large-scale use of affordable popup-free server certificates for the European NRENs. Licia Florio TERENA. Topics. PKI and X.509 certificates Motivation for the TERENA Server Certificate Project What is the project Service Characteristics

Download Presentation

TERENA Server Certificate Service

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Terena server certificate service

TERENA Server Certificate Service

Towards the large-scale use of affordable popup-free server certificates for the European NRENs

Licia Florio


EuroCAMP Ljubljana,

3-5 March 2006



  • PKI and X.509 certificates

  • Motivation for the TERENA Server Certificate Project

  • What is the project

  • Service Characteristics

  • Why joining


Pki in short

Diego’s priv key

Diego’s pub key


I’ve arrived in Slovenia..


I’ve arrived in Slovenia..


I’ve arrived in Slovenia..





PKI in short

  • Public key cryptography

    - public key (encryption, signature verification)

    - private key (decryption, signing)




  • Public Key distribution

  • Building trust

  • Scalability

  • Solution: create a hierarchical trust fabric: X.509 PKI


X 509 pki infrastructure

X.509 PKI Infrastructure

  • What are the elements

    - Certification Authority (CA)

    * Certificates issuer (trusted 3d party)

    - X.509 Certificates

    * Bind the pub key to the holder

    - Registration Authority (RA)

    *Identity verification

    - End Entity

    * Private key holder (machine, end-user)

    - Relying parties



Real x 509 certificate usage today

Real X.509 Certificate Usage Today

  • Grid (closed community)

    - Use both server and user certs

  • Web servers

    - Only server certificates

    - In many case with pop-up problem

    Large scale user certificate use: nowhere !


The famous pop up pki problem 1

The Famous Pop-up:PKI Problem#1

  • Due to the fact that the issuer of the certificate is not trusted by the browsers


Terena server certificate service1

TERENA Server Certificate Service

  • What is it about?

    • - Service…of course ;-) in short SCS

  • To issue server certificates

    - popup free

    - unlimitednumber

    - Very low price

    (price is not per certificate)

  • For whom?

    • For the National Research and Education Network community in Europe


When scs started

When SCS started

  • Project started in june 2004

  • European NREN PKIs around for ~7 years

    - But still not really deployed

  • Anticipated growth in need:

    - AAI middleware services

    - Web-based ‘stuff’ (mail, e-learning, webservices etc.)

    - VPN, email

    - eduroam

  • Community needs more server certificates


Pki growth problems

PKI Growth Problems

  • Pop-up Problem#1

    - Typically for NRENs CA

    - Defeats the security purpose of the certificate

  • Costs Problem#2

    - For a large number of server certificates costs can become a problem


Solution 1

Solution 1

  • Fixing the pop-up problem

    - Get root certificate in root repositories

    - Requires webtrust audit

    - Expensive for an individual NREN PKI (~25.000 first time, annual ~25.000 for the audits, plus all the costs to follow guidelines) --> CA hierarchy adds to cost!

  • Running a CA

    • Is that so interesting?


Solution 2

Solution 2

  • Fixing the costs

    - Try to contract a CA already in the browser

    - Flexibility in the certificates profiles definitions

    - Tailored RA procedures

    - Not per certificate costs


Solution 2 the way forward

Solution 2: the way forward

  • 8 NRENs + TERENA combined forces (proposal launched feb. 2005)

  • Investigated market

  • Investigated EU tender guidelines

  • Ran a light-weight tender (start Sep 2005)

  • Signed a contract (Jan 2006)

  • First certificate issued on 16 March 2006 !


Who is involved

Who is involved

  • ACOnet (.at),

  • CARnet (.hr),

  • CESnet (.cz),

  • RedIRIS (.es),

  • RENATER (.fr),

  • SURFnet (.nl),

  • SWITCH (.ch)

  • UNI-C (.dk),

  • TERENA signing party


Service structure

Service Structure

  • TERENA contracts with supplier

    - For an initial one year

    - Possibility to extend the contract

  • NRENs contract with TERENA (liability!)

  • NRENs are ‘delegated RA’ for the supplier

  • TERENA appoints delegated RAs

  • NRENs are responsible for delivering RA services and technical support


Service features

Service Features

  • Re-use existing RA organisation

  • Certificate profile flexibility (Grids!)

  • Electronic RA procedures (under implementation)

  • Easy server certificate delivery

  • NREN-specific branding!


Benefits for the universities

Benefits for the Universities

  • Need server certificates to enable SSL/TLS channels

  • Very low costs upon agreement with your NRENs


How to join

How to join

  • Your NREN has to join

  • After June 06 we can open to service to new NRENs

    • Some NRENs are already waiting

  • There is fee to pay to join




  • To make security tools a normal habit, they need to be easy to use

    • Scs is easy

  • SCS proves how a ‘federated’ approach has solved a big problem

  • We got a cool service 

  • http://www.terena.nl/activities/tf-emc2/scs.html


  • Login