
ULAGrid Certification Authority

Vanessa Hamar

Universidad de Los Andes – Merida,Venezuela

5th F2F

Banff, 17/07/2007

Overview
  • Introduction
  • Key Sizes
  • Repository
  • Identification and Authentication
Introduction
  • The ULAGrid Certification Authority is a traditional X.509 Public Key Certification Authority which issues long-term credentials.
  • The CP/CPS follows the IETF’s RFC 3647.
  • Certificate policy OID: 1.3.6.1.4.1.19286.2.2.2.0.1.3

Key Sizes
  • Keys of length less than 1024 bits are not accepted.
  • All user keys will have a 1024-bit RSA key size.
  • All host and service keys will have a 2048-bit RSA key size.
  • The ULA CA key will always be a 2048-bit RSA key.
  • The certificate lifetime is 10 years for the CA and 1 year for End Entities.
Repository
  • The online repository of information from the ULAGrid CA is accessible at:

https://ra.cecalc.ula.ve/pub/

Email = [email protected]

  • This is a secure online repository that contains:
    • The ULAGrid CA’s certificate,
    • All end entity certificates issued by the CA,
    • A Certificate Revocation List,
    • A copy of the most recent approved version of this policy and all previous approved versions.
Repository
  • URL of the CA’s main web page (general information):

https://ra.cecalc.ula.ve

  • URL of the CRL on the CA’s web site:

http://ra.cecalc.ula.ve/pub/crl/cacrl.crl

Identification and authentication
  • The Subject Name is of the X.500 name type, a Distinguished Name.
  • The generic format for a service subject is as follows:
  • C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=service/FQDN
  • “C=VE” and “O=Grid” are the subject’s fixed parts and must be present in all certificates.
  • An additional subscriber organization “O=”, giving the organization’s name, must be provided, as well as an “OU=” describing the organization group.
  • All the subject parts are mandatory in all certificates, including the two “O=”.
  • The Distinguished Name must be unique for each subject name certified by the ULAGrid CA service.
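The naming rules above are the kind of thing a registration authority should enforce mechanically before a request ever reaches the CA key. The following is an added example, not code from the presentation or from ULAGrid: it parses a subject DN in either OpenSSL's slash form or the comma form used on the slides, checks the fixed C=VE, O=Grid prefix, the second O=, the OU=, the single CN (service/FQDN for service certificates), and keeps a registry so that the uniqueness rule can be enforced. The function names, the FQDN pattern and the assumption that values never contain escaped commas are mine, not the CA's.

```python
import re
from typing import List, Set, Tuple

# Fixed leading RDNs required by the ULAGrid CA naming rules (from the slide).
FIXED_PREFIX: List[Tuple[str, str]] = [("C", "VE"), ("O", "Grid")]

# CN of a service certificate: "<service>/<FQDN>", e.g. host/ra.cecalc.ula.ve
# (pattern is my assumption; the slide only states "service/FQDN").
SERVICE_CN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*/([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL's one-line form ("/C=VE/O=Grid/...") or the comma form
    ("C=VE, O=Grid, ...") into ordered (attribute, value) pairs.
    In the slash form a "/" separates RDNs only when followed by "attr=",
    so a CN such as "host/ra.cecalc.ula.ve" survives intact.
    Assumption: values never contain escaped or quoted commas."""
    if dn.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z]+=)", dn[1:])
    else:
        parts = dn.split(",")
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def canonical(dn: str) -> str:
    """Canonical form for uniqueness comparisons: attribute names upper-cased,
    whitespace trimmed, values compared case-insensitively."""
    return ",".join(f"{a.upper()}={v.lower()}" for a, v in parse_dn(dn))


def check_subject(dn: str, service: bool = False) -> List[str]:
    """Return the naming-rule violations for a subject DN (empty list means
    acceptable): fixed C=VE, O=Grid prefix; a second O= for the subscriber's
    organisation; an OU= for the group; exactly one CN, which for services
    must be service/FQDN."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if rdns[:2] != FIXED_PREFIX:
        problems.append("subject must start with C=VE, O=Grid")
    attrs = [a for a, _ in rdns]
    if attrs.count("O") < 2:
        problems.append("missing the subscriber organisation O= after O=Grid")
    if "OU" not in attrs:
        problems.append("missing OU= (organisation group)")
    cns = [v for a, v in rdns if a == "CN"]
    if len(cns) != 1:
        problems.append("exactly one CN= is required")
    elif service and not SERVICE_CN.match(cns[0]):
        problems.append("service CN must have the form service/FQDN")
    return problems


class IssuedNames:
    """Tracks subject DNs already certified so the uniqueness rule can be
    enforced when a new request is registered."""

    def __init__(self) -> None:
        self._seen: Set[str] = set()

    def register(self, dn: str) -> bool:
        """Record a DN; return False if an equivalent DN was already issued."""
        key = canonical(dn)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


if __name__ == "__main__":
    for name, svc in [
        ("/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar", False),
        ("C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=host/ra.cecalc.ula.ve", True),
        ("/C=VE/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar", False),
    ]:
        print(name, "->", check_subject(name, service=svc) or "OK")
```

Both DN spellings that appear on the slides (the comma form in the profile, the slash form in the openssl output) normalise to the same canonical key, so a duplicate request cannot slip past the uniqueness check by switching notation.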
Identification and authentication

ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -subject -noout
subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]

ra:~# openssl x509 -in usercert.pem -subject -noout
subject= /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar
Profile ULAGrid CA
  • For CA certificates:
    • Basic Constraints: critical, ca: true
    • Subject Key Identifier: hash
    • Authority Key Identifier: keyid
    • Key Usage: critical, digitalSignature, nonRepudiation, KeyCertSign, cRLSign
    • Extended Key Usage: timeStamping
    • Netscape Cert Type: SSL Certificate Authority, Email Certificate Authority, Object Signing
    • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
    • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
Profile ULAGrid CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8e:2a:83:5b:16:0f:a0:e8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:15:02 2007 GMT
            Not After : Jul 10 14:15:02 2017 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
            X509v3 Authority Key Identifier:
                keyid:DC:F3:0B:A6:12:93:E5:A3:CC:34:77:B8:3B:CC:C9:8E:BD:8F:2A:05
                DirName:/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]
                serial:8E:2A:83:5B:16:0F:A0:E8
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 Issuer Alternative Name:
                email:[email protected]
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment:
                CeCalCULA Certification Authority Certificate
    Signature Algorithm: sha1WithRSAEncryption
Profile Users

For natural person certificates:

  • Basic Constraints: critical, ca: false
  • Subject Key Identifier: hash
  • Authority Key Identifier: keyid
  • Key Usage: critical, digitalSignature, nonRepudiation, KeyEncipherment, dataEncipherment
  • Extended Key Usage: clientAuth, emailProtection, timeStamping
  • Netscape Cert Type: SSL Client, S/MIME, Object Signing
  • Netscape Comment: Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela/
  • CRL Distribution Points: http://ra.cecalc.ula.ve/pub/crl.crl
  • Certificate Policies: 1.3.6.1.4.1.19286.2.2.2.0.1.3
  • Subject Alternative Name: e-mail address
Profile Users

ra:~# openssl x509 -in usercert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority/[email protected]
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                  CPS: http://ra.cecalc.ula.ve/pub
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                Registration Authority Operator of CeCalCULA
            X509v3 Subject Key Identifier:
                95:0A:80:F1:4D:19:D2:EE:3F:D8:9B:3D:45:C3:B0:81:62:F8:5F:D3
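A certificate dump like the one above is also the natural input for a profile check that compares what the CA actually issued against the Key Sizes slide and the Profile Users slide. The following is an added example, not code from the presentation or from ULAGrid: it parses the text form that `openssl x509 -text` prints (key size, validity, Basic Constraints, policy OID, Key Usage, Extended Key Usage) and reports every deviation from the stated user profile. The sample input is the slide's own user certificate dump, abridged, with the issuer's e-mail RDN left out because the slide redacts it. Run against it, the check reports the two points where the issued certificate differs from the profile slide (Key Usage lacks Data Encipherment, and Extended Key Usage carries Microsoft Smartcardlogin in place of timeStamping), and separately warns that a SHA-1 signature and a 1024-bit RSA key no longer meet current minimums. Function names and the OpenSSL display-name mapping are mine.

```python
import re
from datetime import datetime
from typing import Any, Dict, List, Set

# Sample input, abridged from the slide's "openssl x509 -in usercert.pem -text -noout"
# output; the issuer's e-mail RDN is omitted because the slide redacts it.
USER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=ULAGrid Certification Authority
        Validity
            Not Before: Jul 13 14:34:47 2007 GMT
            Not After : Jul 12 14:34:47 2008 GMT
        Subject: C=VE, O=Grid, O=Universidad de Los Andes, OU=CeCalCULA, CN=Vanessa Hamar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.19286.2.2.2.0.1.3
                  CPS: http://ra.cecalc.ula.ve/pub
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
"""

# "Profile Users" and "Key Sizes" from the slides, written with the names OpenSSL
# prints in -text output (digitalSignature -> "Digital Signature",
# clientAuth -> "TLS Web Client Authentication", timeStamping -> "Time Stamping").
USER_PROFILE: Dict[str, Any] = {
    "ca": False,
    "bits": 1024,        # all user keys are 1024-bit RSA
    "max_days": 366,     # 1 year for End Entities (leap year tolerated)
    "policy_oid": "1.3.6.1.4.1.19286.2.2.2.0.1.3",
    "key_usage": {"Digital Signature", "Non Repudiation", "Key Encipherment", "Data Encipherment"},
    "ext_key_usage": {"TLS Web Client Authentication", "E-mail Protection", "Time Stamping"},
}


def _time(s: str) -> datetime:
    # OpenSSL pads single-digit days with a space ("Jul  3"); collapse the run.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y")


def _items(text: str, header: str) -> Set[str]:
    """Comma-separated items on the line following an extension header."""
    m = re.search(re.escape(header) + r":[^\n]*\n\s*([^\n]+)", text)
    return {i.strip() for i in m.group(1).split(",")} if m else set()


def parse_x509_text(text: str) -> Dict[str, Any]:
    """Extract the fields the profile check needs from 'openssl x509 -text' output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()

    return {
        "sig_alg": grab(r"Signature Algorithm: (\S+)"),
        "bits": int(grab(r"RSA Public Key: \((\d+) bit\)")),
        "not_before": _time(grab(r"Not Before: (.+) GMT")),
        "not_after": _time(grab(r"Not After *: (.+) GMT")),
        "ca": grab(r"CA:(TRUE|FALSE)") == "TRUE",
        "policy_oids": set(re.findall(r"Policy: ([\d.]+)", text)),
        "key_usage": _items(text, "X509v3 Key Usage"),
        "ext_key_usage": _items(text, "X509v3 Extended Key Usage"),
    }


def check_user_cert(text: str, profile: Dict[str, Any] = USER_PROFILE) -> Dict[str, Any]:
    """'violations' are deviations from the slide's profile; 'warnings' flag where
    that 2007 profile falls short of current minimums (SHA-1, RSA below 2048 bits)."""
    c = parse_x509_text(text)
    violations: List[str] = []
    warnings: List[str] = []
    if c["ca"] != profile["ca"]:
        violations.append(f"Basic Constraints CA:{c['ca']} but profile requires CA:{profile['ca']}")
    if c["bits"] != profile["bits"]:
        violations.append(f"RSA key is {c['bits']} bits, profile requires {profile['bits']}")
    days = (c["not_after"] - c["not_before"]).days
    if days > profile["max_days"]:
        violations.append(f"lifetime {days} days exceeds {profile['max_days']}")
    if profile["policy_oid"] not in c["policy_oids"]:
        violations.append("Certificate Policies lacks the ULAGrid policy OID")
    violations += [f"Key Usage missing {n}" for n in sorted(profile["key_usage"] - c["key_usage"])]
    violations += [f"Extended Key Usage missing {n}"
                   for n in sorted(profile["ext_key_usage"] - c["ext_key_usage"])]
    if c["sig_alg"].lower().startswith("sha1"):
        warnings.append("signed with SHA-1, no longer acceptable for certificates")
    if c["bits"] < 2048:
        warnings.append(f"{c['bits']}-bit RSA is below the current 2048-bit minimum")
    return {"bits": c["bits"], "lifetime_days": days, "violations": violations, "warnings": warnings}


if __name__ == "__main__":
    report = check_user_cert(USER_CERT_TEXT)
    for v in report["violations"]:
        print("VIOLATION:", v)
    for w in report["warnings"]:
        print("WARNING:", w)
```

Keeping profile violations and present-day warnings in separate lists lets the same script audit an archive of certificates against the policy they were issued under while still surfacing what a relying party would reject today.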

Others

ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -purpose
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes

Others

ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -fingerprint
SHA1 Fingerprint=B9:48:2F:45:C3:EF:EB:53:7F:97:20:50:17:E6:26:D0:65:D5:66:A5

# Signing policy file for ULAGridCA
access_id_CA X509 '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/[email protected]'
pos_rights globus CA:sign
cond_subjects globus '"/C=VE/O=Grid/*"'

ca:/usr/local/openca/ca/var/crypto/cacerts# openssl x509 -in cacert.pem -serial
serial=8E2A835B160FA0E8
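The signing policy file above is what a Globus relying party uses to limit the namespace this CA is trusted for: a certificate chaining to the ULAGrid CA is accepted only if its subject matches the cond_subjects pattern, so even a validly signed certificate outside /C=VE/O=Grid/ is rejected. The following is an added example, not code from the presentation or from the Globus Toolkit: it parses the three-field layout of the policy shown on the slide and decides whether a given issuer/subject pair is permitted. The sample policy is the slide's, with the CA DN's e-mail RDN left out because the slide redacts it; handling only the single-CA layout and approximating Globus glob matching with Python's fnmatch are my assumptions.

```python
import fnmatch
import re
from typing import Any, Dict

# Constructed sample: the signing policy shown on the slide, with the CA DN's
# e-mail RDN omitted because the slide redacts it.
SIGNING_POLICY = """\
# Signing policy file for ULAGridCA
access_id_CA      X509         '/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=VE/O=Grid/*"'
"""

# key, type, value; the value may contain spaces and is wrapped in single quotes
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s*$")


def parse_signing_policy(text: str) -> Dict[str, Any]:
    """Parse a Globus signing_policy file into the CA DN, its rights and the
    subject globs.  Assumption: one access_id_CA block per file, as on the slide."""
    policy: Dict[str, Any] = {"ca": None, "rights": [], "subjects": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, kind, value = m.groups()
        value = value.strip("'")                       # outer single quotes
        if key == "access_id_CA" and kind == "X509":
            policy["ca"] = value
        elif key == "pos_rights" and kind == "globus":
            policy["rights"].append(value)
        elif key == "cond_subjects" and kind == "globus":
            # one or more double-quoted glob patterns inside the single quotes
            policy["subjects"].extend(re.findall(r'"([^"]*)"', value))
        else:
            raise ValueError(f"unknown directive: {key} {kind}")
    if policy["ca"] is None:
        raise ValueError("policy has no access_id_CA line")
    return policy


def subject_allowed(policy: Dict[str, Any], issuer_dn: str, subject_dn: str) -> bool:
    """True when the certificate's issuer is the policy's CA, that CA holds
    CA:sign, and the subject matches one of the cond_subjects globs.
    fnmatchcase is used so matching stays case-sensitive on every platform."""
    if issuer_dn != policy["ca"] or "CA:sign" not in policy["rights"]:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, pat) for pat in policy["subjects"])


if __name__ == "__main__":
    pol = parse_signing_policy(SIGNING_POLICY)
    ca = pol["ca"]
    for subj in ["/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=Vanessa Hamar",
                 "/C=VE/O=Other/CN=Vanessa Hamar"]:
        print(subj, "->", "allowed" if subject_allowed(pol, ca, subj) else "rejected")
```

The namespace check is independent of signature validation: a relying party still verifies the chain and the CRL first, and applies the signing policy on top, so a CA key that signs outside its agreed namespace gains nothing from doing so.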