Certificates, Browsers & You:What is all this certificate crud?

Frank J. NagyGod of Kerberos

AndAssociates...

Certificate Talks

• Introduction and Theory

• Using get-cert (KCA certificate) under Linux

• Using get-cert (KCA certificate) under OS X

• Using Network Identity Manager for Windows

• More Theory

• Public key encryption, Public Key Infrastructure (PKI)

• Digital Signature

• {Digital} Certificate

• X.509 Standard (CCITT) and X.500 Naming Conventions

• Distinguished and Common Names

• Certificate Authority (CA)

• CA Certificate

• Chain of Trust

• Secure Socket Layer (SSL)

Public Key Encryption

Bob

Pat Doug Susan

Bob's Co-workers:

Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself

Bob's keys:

(public)

(private)

"Hey Bob, howabout lunch at TacoBell. I hear theyhave free refills!"

HNFmsEm6UnBejhhyCGKOKJuxhiygSBCEiC0QYIh/Hn3xgiKBcyLK1UcYiYlxx2lCFHDC/A

HNFmsEm6UnBejhhyCGKOKJuxhiygSBCEiC0QYIh/Hn3xgiKBcyLK1UcYiYlxx2lCFHDC/A

HNFmsEm6UnBejhhyCGKOKJuxhiygSBCEiC0QYIh/Hn3xgiKBcyLK1UcYiYlxx2lCFHDC/A

"Hey Bob, howabout lunch at TacoBell. I hear theyhave free refills!"

Digital Signature

Digital Certificate

Bob Info: Name Department Cubical Number

Certificate Info: Expiration Date Serial Number

Bob's Public Key:

CertificateAuthority

CA Private Key:

Look Inside the Certificate

Subject Information:- Organization- Name- Email (optional)

Certificate Information:- Issuer (CA) Name- Validity dates (begin:end)- Serial Number- Usage flags

Subject's Public Key

Hash Data

Signature (byCA Private Key)

Some Certificate Uses

• Signing messages

– Identify author

– Make message tamper-evident\

• Identify host for SSL connection

• Web site authentication (common KCA usage)

• Others

And now for something...

Completely specific:

The HowTo talks on getting KCA certificatesunder Linux, Mac OS X and Windows

Certificate Parts

• Subject (of the certificate)

• Valid and Expiration Dates

• Serial Number

• Public Key of the Subject

• Issuer of this certificate

• Hash and signature encoding algorithms

• Signed by CA Certificate private key

• Extensions (E-mail address, etc.)

Certificate Parts #2

• Distinguished Names (DN) and Common Names (CN)

– /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270

– /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1

– /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM

– /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy

• Signature makes certificate tamper-evident

Types of Certificates

• Long-term personal certificates

– DOEGrids, Thawte, Verisign, etc.

• Short-term personal certificates

– Fermilab KCA

• Host/Service certificates

– For a particular node

– *.fnal.gov

Fermilab Kerberos CA (KCA)

• Get a certificate based on Kerberos credentials

• Tied to the Fermilab Infrastructure

– KCA uid=nagy is user name in CNAS, etc.

• Short-term certificate, valid for maximum lifetime (7 days) of the Kerberos ticket

Certificate Authority

• Validates identity

– KCA relies on your having Kerberos credentials

• Issues certificates signed with CA private key

• Identified by Certificate Authority Certificate

– CA Certificate needed to valid issued certificate

• Maintains Certificate Revocation List (CRL)

Trust Chain and Root CA

Root CA

SubordinateCA

End User

SubordinateCA

Further Reading

• What is a Digital Signature?

– http://www.youdzone.com/signature.html

– The source of some of the images in my talk.

• OpenSSL Certificate Cookbook

– Certificate Management and Installation with OpenSSL

• http://gagravarr.org/writing/openssl-certs/index.shtml

– OpenSSL Certificate Cookbook

• http://www.amigodocarro.com/html/ssl_cook.html

• Wikipedia: Public key certificate

– http://en.wikipedia.org/wiki/Public_key_certificate

KCA Certificates for Linux

Firefox

How to import KCA Certificates in

Scientific Linux Fermi Firefox

Connie Sieh

csieh@fnal.gov

Firefox – Try to access a page

Firefox – Try to access a page

Firefox – view certificates

Firefox – view certificates

Firefox – View Certificates

Firefox – Your certificates before

Firefox – STOP FIREFOX

Firefox – kinit <username>

Firefox – getcert waiting for user

Firefox – getcert done

Firefox – after getcert

Firefox – view certs after

Firefox – have cert – page loads

Computer Security Awareness Day September 29, 2009

David Schuman/ CD Desktop Support

• Where is it located• How do I renew certificate• Identity (user@FERMI.WIN.FNAL.GOV)• How do I import the certificate•Firefox versus Internet Explorer

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

http://computing.fnal.gov/software/netidmgr/netidmgr-faq.html#PopUpCredentia

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Computer Security Awareness Day September 29, 2009

Questions!

Computer Security Awareness Day September 29, 2009

Ben SegbawuSeptember 29 2009

Location Where can I get the get-cert script Where should I put the get-cert script

The Get Cert Script Options Username

RunGetCert App

Where to get and Where to put▪ http://security.fnal.gov/tools/index.html▪ Unzip and un-tar to /usr/bin/get-cert/

Options▪ -i (lower case I ) imports into firefox▪ -k imports into keychain

Username▪ if your user name is not the same as your

account name you will encounter an error▪ Work around is to modify the KCA script or

better yet create an account name on your OSX computer that matches your user name.

An apple script “GUI” front end that runs the get-cert script

Contact the Service Desk for support at http://servicedesk.fnal.gov