ULAGrid Certification Authority

Vanessa Hamar

Universidad de Los Andes – Merida,Venezuela

5th F2F

Banff, 17/07/2007


Overview

  • Introduction

  • Key Sizes

  • Repository

  • Identification and Authentication


Introduction

  • The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.

  • The CP/CPS follows the IETF’s RFC 3647 and is identified by the policy OID:

    1.3.6.1.4.1.19286.2.2.2.0.1.3


Key Sizes

  • Keys of length less than 1024 bits are not accepted.

  • All user keys will have a 1024 bit RSA key size.

  • All host and service keys will have a 2048 bit RSA key size.

  • The ULAGrid CA key will always be a 2048 bit RSA key.

  • The lifetime is 10 years for the CA and 1 year for End Entities.


Repository

  • The online repository of information from the ULAGrid CA is accessible at:

    https://ra.cecalc.ula.ve/pub/

    Email = [email protected]

  • This is a secure online repository that contains:

    • The ULAGrid CA’s certificate,

    • All end entity certificates issued by the CA,

    • A Certificate Revocation List,

    • A copy of the most recent approved version of this policy and all previous approved versions.


Repository

  • URL for the CA’s main web page with information:

    https://ra.cecalc.ula.ve

  • URL for the CRL on the CA’s web site:

    http://ra.cecalc.ula.ve/pub/crl/cacrl.crl


Identification and authentication

  • The Subject Name is of the X.500 name type, a Distinguished Name.

  • The generic format for a service subject is as follows:

    C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN

  • “C=VE” and “O=Grid” are the subject’s fixed parts and must be present in all certificates.

  • An additional “O=” giving the subscriber’s organization name must be provided, as well as an “OU=” giving the organization group.

  • All the subject parts are mandatory in all the certificates, including the two “O=”.

  • The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.
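The naming rules above can be checked mechanically. What follows is an added example, not code from the presentation or from the ULAGrid CA's own tooling: a POSIX shell function that takes a subject DN in the slash-separated form that `openssl x509 -subject` prints on the next slide, applies the rules in order (fixed C=VE and O=Grid, the subscriber's own O=, an OU=, a CN=, and for services a CN of the form service/FQDN), and reports the first rule broken; a second function applies the uniqueness rule to a list of subjects. The sample DNs at the bottom and the host name in the service sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the presentation: check a subject DN, in the
# slash-separated form the slides' `openssl x509 -subject` output uses,
# against the ULAGrid naming rules: the fixed parts C=VE and O=Grid, then the
# subscriber's own O=, an OU= for the group, and a CN= (for services,
# CN=<service>/<FQDN>).  The sample DNs at the bottom are constructed.

# check_ulagrid_dn '/C=VE/O=Grid/O=Org/OU=Group/CN=Name'
# Prints "ok" and returns 0, or prints the first rule violated and returns 1.
check_ulagrid_dn() {
    dn="$1"
    rest="${dn#/C=VE/}"
    [ "$rest" != "$dn" ] || { echo "must start with the fixed part C=VE"; return 1; }
    rest2="${rest#O=Grid/}"
    [ "$rest2" != "$rest" ] || { echo "fixed part O=Grid must follow C=VE"; return 1; }
    # Second O=: the subscriber's organisation (mandatory, like the first).
    case "$rest2" in
        O=?*/*) rest3="${rest2#*/}" ;;
        *) echo "missing the subscriber's organisation O="; return 1 ;;
    esac
    # OU=: the organisation group.
    case "$rest3" in
        OU=?*/*) cn="${rest3#*/}" ;;
        *) echo "missing the organisation group OU="; return 1 ;;
    esac
    # CN= closes the name.  A service CN carries service/FQDN, and the host
    # part must be fully qualified so that it cannot collide with another site.
    case "$cn" in
        CN=?*/*)
            fqdn="${cn#*/}"
            case "$fqdn" in
                *.*) ;;
                *) echo "service CN must use a fully-qualified host name"; return 1 ;;
            esac ;;
        CN=?*) ;;
        *) echo "missing or empty CN="; return 1 ;;
    esac
    echo "ok"
}

# Uniqueness rule: every DN the CA certifies must be unique.  Reads one DN per
# line from stdin; returns 1 and lists the duplicates if any are found.
dns_unique() {
    dups=$(sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate subject names:"; echo "$dups"; return 1; }
}

# Constructed samples: a user DN and a service DN shaped like the slides',
# then one that omits the subscriber's O=.
for sample in '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar' \
              '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=host/ra.cecalc.ula.ve' \
              '/C=VE/O=Grid/OU=CeCalCULA/CN=Vanessa Hamar'; do
    printf '%s\n  -> %s\n' "$sample" "$(check_ulagrid_dn "$sample")"
done
```

To apply the uniqueness rule to an existing repository, pipe the subjects of all issued certificates (one per line, as printed by `openssl x509 -subject -noout`) through `dns_unique`; a non-zero exit means two certificates share a name.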


Identification and authentication

  • ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout

    subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification [email protected]

  • ra:~# openssl x509 -in usercert.pem -subject -noout

    subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar


Profile ULAGrid CA

  • For CA certificates:

  • Basic Constraints: critical, ca: true

  • Subject Key Identifier: hash

  • Authority Key Identifier: keyid

  • Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign

  • Extended Key Usage: timeStamping

  • Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing

  • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/

  • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3


Profile ULAGrid CA

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                8e:2a:83:5b:16:0f:a0:e8
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification [email protected]
            Validity
                Not Before: Jul 13 14:15:02 2007 GMT
                Not After : Jul 10 14:15:02 2017 GMT
            Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification [email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption


Profile ULAGrid CA

                X509v3 Subject Key Identifier:
                    DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                X509v3 Authority Key Identifier:
                    keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                    DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification [email protected]
                    serial:8E:2A:83:5B:16:0F:A0:E8
                X509v3 Key Usage:
                    Certificate Sign, CRL Sign
                X509v3 Subject Alternative Name:
                    email:[email protected]
                X509v3 Issuer Alternative Name:
                    email:[email protected]
                Netscape Cert Type:
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment:
                    CeCalCULA Certification Authority Certificate


Profiles Users

For natural person certificates:

  • Basic Constraints: critical, ca: false

  • Subject Key Identifier: hash

  • Authority Key Identifier: keyid

  • Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment

  • Extended Key Usage: clientAuth, emailProtection, timeStamping

  • Netscape Cert Type: SSL Client, S/MIME, Object Signing

  • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/

  • CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl

  • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3

  • Subject Alternative Name: e-mail address


Profile Users

ra:~# openssl x509 -in usercert.pem -text -noout

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification [email protected]
            Validity
                Not Before: Jul 13 14:34:47 2007 GMT
                Not After : Jul 12 14:34:47 2008 GMT
            Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):


Profile Users

                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                      CPS: http://ra.cecalc.ula.ve/pub
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
                Netscape Comment:
                    Registration Authority Operator of CeCalCULA
                X509v3 Subject Key Identifier:
                    95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3


Others

  • ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose

    Certificate purposes:

    SSL client : No

    SSL client CA : Yes

    SSL server : No

    SSL server CA : Yes

    Netscape SSL server : No

    Netscape SSL server CA : Yes

    S/MIME signing : No

    S/MIME signing CA : Yes

    S/MIME encryption : No

    S/MIME encryption CA : Yes

    CRL signing : Yes

    CRL signing CA : Yes

    Any Purpose : Yes

    Any Purpose CA : Yes

    OCSP helper : Yes

    OCSP helper CA : Yes


Others

  • ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint

    SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5

  • Signing policy file for ULAGridCA (Globus signing_policy):

    # Signing policy file for ULAGridCA
    access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification [email protected]'
    pos_rights globus CA:sign
    cond_subjects globus '"/C=VE/O=Grid/*"'

  • ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial

    serial=8E2A835B160FA0E8
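The profile slides list extensions in openssl x509v3_config style, and the "Identification and authentication" and "Others" slides inspect the resulting certificates with openssl x509. The script below is an added example, not the presentation's or the ULAGrid CA's own tooling: it builds a disposable CA whose extensions follow the dumped CA certificate and the "Profile ULAGrid CA" slide, issues one end-entity certificate with the "Profiles Users" extensions, and then runs the same -subject, -fingerprint, -serial and -purpose switches the slides show, plus a key-size check against the Key Sizes slide and a chain verification. Subject names, the e-mail address in the user's subjectAltName and all file names are constructed; the CP/CPS OID and the CRL URL are the ones quoted on the slides.

```shell
#!/bin/sh
# Added example, not the presentation's or the ULAGrid CA's own tooling: build
# a disposable CA with the extensions from the "Profile ULAGrid CA" slides,
# issue one end-entity certificate with the "Profiles Users" extensions, and
# inspect both with the openssl x509 switches the slides use.  Subject names,
# the e-mail address and all file names are constructed for this example.

POLICY_OID="1.3.6.1.4.1.19286.2.2.2.0.1.3"   # CP/CPS OID quoted on the slides

# Extension sections in openssl x509v3_config syntax.  The CA section follows
# the dumped CA certificate (no extended key usage: with one, openssl's
# -purpose reports "SSL client CA : No"); openssl spells the slide's
# "KeyCertSign" as keyCertSign.  The empty [ req_dn ] keeps older openssl
# releases happy, which insist on a distinguished_name section even with -subj.
write_profiles() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA
nsComment = "Test CA modelled on the ULAGrid CA profile"
certificatePolicies = $POLICY_OID

[ v3_user ]
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, emailProtection, timeStamping
nsCertType = client, email, objsign
crlDistributionPoints = URI:http://ra.cecalc.ula.ve/pub/crl.crl
certificatePolicies = $POLICY_OID
subjectAltName = email:grid-user@example.invalid
EOF
}

# Self-signed CA: 2048-bit RSA, 10-year lifetime (Key Sizes slide).  The key is
# left unencrypted only because this CA is disposable.
make_test_ca() {
    write_profiles "$1/profiles.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=VE/O=Grid/O=Example University/OU=Example Group/CN=Example Grid CA" \
        -config "$1/profiles.cnf" -extensions v3_ca \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# End entity: CSR from a fresh key, signed with the v3_user section for one
# year.  2048 bits rather than the slide's 1024 for users: openssl builds that
# default to security level 2 refuse to verify 1024-bit RSA keys.
issue_user_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=VE/O=Grid/O=Example University/OU=Example Group/CN=Example User" \
        -config "$1/profiles.cnf" -keyout "$1/userkey.pem" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -sha256 -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/profiles.cnf" -extensions v3_user -out "$1/usercert.pem" 2>/dev/null
}

# Same switches as the "Identification and authentication" and "Others" slides.
# RFC 2253 name output is stable across openssl versions; RDNs come out
# reversed, so the fixed "C=VE, O=Grid" prefix appears last.
cert_subject()     { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'; }
cert_serial()      { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_is_ca()       { openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client CA : Yes'; }

# Key Sizes slide: RSA modulus length in bits.  The top bit of an RSA modulus
# is always set, so four times the hex digit count is exact.
key_bits() {
    hex=$(openssl x509 -in "$1" -noout -pubkey | openssl rsa -pubin -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
    echo $(( ${#hex} * 4 ))
}

# Chain validation of the issued certificate against the test CA.
verify_user_cert() { openssl verify -CAfile "$1/cacert.pem" "$1/usercert.pem" >/dev/null 2>&1; }

# End-to-end run in a scratch directory, printing what the slides print.
demo() {
    dir=$(mktemp -d)
    make_test_ca "$dir" && issue_user_cert "$dir" || { echo "openssl failed" >&2; rm -rf "$dir"; return 1; }
    for f in cacert usercert; do
        echo "$f: subject=$(cert_subject "$dir/$f.pem")"
        echo "$f: serial=$(cert_serial "$dir/$f.pem") key=$(key_bits "$dir/$f.pem") bits"
        echo "$f: sha1=$(cert_fingerprint "$dir/$f.pem")"
    done
    cert_is_ca "$dir/cacert.pem" && echo "cacert: is an SSL client CA"
    verify_user_cert "$dir" && echo "usercert: verifies against cacert"
    rm -rf "$dir"
}

demo
```

The script needs only the openssl command-line tool. The extension sections are written to a scratch config file rather than taken from the system openssl.cnf, so what lands in the certificates is exactly what the profile says; compare the -purpose output with the "Others" slide to see which CA roles the key usage and nsCertType bits grant.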

