
Renewal Simpler or Harder?


Presentation Transcript


  1. Renewal: Simpler or Harder?
     Jens Jensen, STFC RAL GridNet2/UK e-Science CA /NGS/GridPP
     GridNet2

  2. What is it?
     • CA issues a new certificate:
       • With the same DN as before
       • With the same key pair as before
     • As opposed to rekeying:
       • User generates a new key pair
       • Generates a new CSR

  3. Why is it?
     • Conceptually simpler:
       • User doesn’t have to be reminded to reapply
       • CA can send the cert directly to the user
       • Or of course the user can download it
     • Compare to rekeying:
       • Same mechanics as the initial request
       • Except the new CSR is approved via the existing cert

  4. Context
     • Grid CAs permit renewals
       • A number of times
       • The number of times depends on private-key protection
     • Many have it in their CP/CPS
       • Why? … (“must understand the consequences”)
       • … but does it work?
     • Forget about theory – theory is useless

  5. Investigate…
     • Anything with PEM formatted files:
       ~/.globus/usercert.pem
       ~/.globus/userkey.pem
       • Fine, just replace the cert…
     • PKCS#12
       • More complicated, but doable
       • Needs access to the encrypted private key
     • Browsers
       • IE6, IE7, Moz et al, Opera, Safari, ………
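The renewal-versus-rekey distinction from slide 2, and the "just replace the cert" step for PEM files above, as an added shell example using the openssl CLI (this is not code from the presentation): it classifies a freshly issued certificate against the old one by comparing subject DN and public key, and refuses to overwrite usercert.pem unless userkey.pem actually matches the new certificate. The self-signed certificates, key files and temp-dir paths are constructed for the demo and stand in for CA-issued material.

```shell
#!/bin/sh
# Added example (not from the presentation): tell a renewal (same DN, same key
# pair) from a rekey (same DN, new key pair), and only replace usercert.pem when
# the private key on disk actually matches the new certificate.
# Assumes the openssl CLI is installed; all files are constructed in a temp dir.

# Subject DN of a PEM certificate.
cert_subject() { openssl x509 -in "$1" -noout -subject; }
# SHA-256 fingerprint of the public key carried in a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
# SHA-256 fingerprint of the public key derived from a private key file.
key_pubkey_fp() { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }

# classify OLDCERT NEWCERT -> renewal | rekey | different-subject
classify() {
  if [ "$(cert_subject "$1")" != "$(cert_subject "$2")" ]; then echo different-subject
  elif [ "$(cert_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]; then echo renewal
  else echo rekey; fi
}

# install_cert NEWCERT KEYFILE DEST: the "just replace the cert" step, guarded by a
# key-match check so a rekeyed cert is never paired with the old userkey.pem.
install_cert() {
  if [ "$(cert_pubkey_fp "$1")" != "$(key_pubkey_fp "$2")" ]; then
    echo "refusing: $2 does not match the public key in $1" >&2; return 1
  fi
  cp "$1" "$3"
}

# --- constructed demo material: self-signed certs stand in for CA-issued ones ---
WORK=$(mktemp -d)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/userkey.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/newkey.pem" 2>/dev/null
# original cert, a renewal (same key) and a rekey (new key), all for the same DN
openssl req -x509 -new -key "$WORK/userkey.pem" -subj "/O=Grid/CN=alice" -days 30  -out "$WORK/usercert.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/userkey.pem" -subj "/O=Grid/CN=alice" -days 395 -out "$WORK/renewed.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/newkey.pem"  -subj "/O=Grid/CN=alice" -days 395 -out "$WORK/rekeyed.pem" 2>/dev/null

echo "renewed.pem is a: $(classify "$WORK/usercert.pem" "$WORK/renewed.pem")"  # renewal
echo "rekeyed.pem is a: $(classify "$WORK/usercert.pem" "$WORK/rekeyed.pem")"  # rekey
install_cert "$WORK/renewed.pem" "$WORK/userkey.pem" "$WORK/usercert.pem" && echo "renewed cert installed over usercert.pem"
install_cert "$WORK/rekeyed.pem" "$WORK/userkey.pem" "$WORK/usercert.pem" || echo "rekeyed cert also needs the new userkey.pem"
```

The same key-match check is what a PKCS#12 or browser import does implicitly; for the bare PEM layout it has to be done by hand before the old cert is overwritten.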

  6. Complications
     • Loss of private key
       • Different from the initial request and the normal rekeying procedure
       • Is it really simpler for users?
       • “We know how to rekey…”
     • Long term exposure of public key
     • Long term exposure of private key

  7. Next Steps Suggested
     • Do we really need it…
       • In most cases, no, but why is it permitted?
       • Probably good for exceptional cases (only)
     • Even so, we need to know how to do it
       • Test browsers and stuff
     • Renew for renewable certificates
       • PEM
       • E.g. (most) host certs

  8. Browsers
     • Importing
       • Import and it overwrites the existing cert
       • Adds to the existing cert
       • Does not import
       • Export/convert/import
         • More complicated than rekey
     • Removing certificate
       • Deletes private key
