Certificates, Browsers & You: What is all this certificate crud?
Frank J. Nagy
God of Kerberos and Associates...
Certificate Talks
• Introduction and Theory
• Using get-cert (KCA certificate) under Linux
• Using get-cert (KCA certificate) under OS X
• Using Network Identity Manager for Windows
• More Theory
• Public key encryption, Public Key Infrastructure (PKI)
• Digital Signature
• {Digital} Certificate
• X.509 Standard (CCITT) and X.500 Naming Conventions
• Distinguished and Common Names
• Certificate Authority (CA)
• CA Certificate
• Chain of Trust
• Secure Socket Layer (SSL)
Public Key Encryption
Figure: Bob and his co-workers Pat, Doug and Susan. Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself. The diagram shows the plaintext "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" encrypted with Bob's public key into the ciphertext HNFmsEm6UnBejhhyCGKOKJuxhiygSBCEiC0QYIh/Hn3xgiKBcyLK1UcYiYlxx2lCFHDC/A, which only Bob's private key turns back into the original message.
Digital Signature
Digital Certificate
Figure: Bob's info (Name, Department, Cubicle Number), the certificate info (Expiration Date, Serial Number) and Bob's Public Key are bundled together and signed by the Certificate Authority using the CA Private Key.
Look Inside the Certificate
• Subject Information:
– Organization
– Name
– Email (optional)
• Certificate Information:
– Issuer (CA) Name
– Validity dates (begin:end)
– Serial Number
– Usage flags
Subject's Public Key
Hash Data
Signature (by CA Private Key)
Some Certificate Uses
• Signing messages
– Identify author
– Make message tamper-evident
• Identify host for SSL connection
• Web site authentication (common KCA usage)
• Others
And now for something...
Completely specific:
The HowTo talks on getting KCA certificates under Linux, Mac OS X and Windows
Certificate Parts
• Subject (of the certificate)
• Valid and Expiration Dates
• Serial Number
• Public Key of the Subject
• Issuer of this certificate
• Hash and signature encoding algorithms
• Signed by CA Certificate private key
• Extensions (E-mail address, etc.)
Certificate Parts #2
• Distinguished Names (DN) and Common Names (CN)
– /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270
– /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
– /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
– /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Nagy/CN=UID:nagy
• Signature makes certificate tamper-evident
Types of Certificates
• Long-term personal certificates
– DOEGrids, Thawte, Verisign, etc.
• Short-term personal certificates
– Fermilab KCA
• Host/Service certificates
– For a particular node
– *.fnal.gov
Fermilab Kerberos CA (KCA)
• Get a certificate based on Kerberos credentials
• Tied to the Fermilab Infrastructure
– KCA uid=nagy is user name in CNAS, etc.
• Short-term certificate, valid for maximum lifetime (7 days) of the Kerberos ticket
Certificate Authority
• Validates identity
– KCA relies on your having Kerberos credentials
• Issues certificates signed with CA private key
• Identified by Certificate Authority Certificate
– CA Certificate needed to validate issued certificates
• Maintains Certificate Revocation List (CRL)
Trust Chain and Root CA
Figure: a Root CA at the top, two Subordinate CAs beneath it, and an End User certificate issued under a Subordinate CA.
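The certificate fields listed under "Look Inside the Certificate" and "Certificate Parts", the CA's job of signing with its private key, the CRL, and the trust-chain walk from Root CA through Subordinate CA to End User, as an added Python example that is not part of the talk. Everything in it is constructed for illustration: the DNs, serial numbers and dates are made up, the 7-day user certificate mirrors the KCA's maximum lifetime, and the signature primitive is textbook RSA over fixed Mersenne primes, a toy that stands in for a real signature algorithm and must never be used for real keys.

```python
import hashlib
import json
from datetime import date, timedelta

# Toy RSA over fixed Mersenne primes (2**k - 1 is prime for every k listed here).
# Textbook RSA with no padding: enough to show "sign with the CA private key,
# verify with the CA public key"; never use anything like it for real keys.
MERSENNE = {k: 2 ** k - 1 for k in (19, 31, 61, 89, 107, 127)}

def toy_keypair(p, q, e=65537):
    """Return (public, private): d is the inverse of e modulo phi(n) = (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}

def hash_mod_n(data, n):
    """The 'Hash Data' step: SHA-256 of the to-be-signed bytes, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    return pow(hash_mod_n(data, private["n"]), private["d"], private["n"])

def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == hash_mod_n(data, public["n"])

def tbs_bytes(cert):
    """Canonical bytes of every field except the signature: the 'to be signed' part."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv, serial, not_before, not_after):
    """Assemble the certificate parts from the slides and sign them with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "public_key": subject_pub}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def within_validity(cert, today):
    # ISO dates compare correctly as strings
    return cert["not_before"] <= today.isoformat() <= cert["not_after"]

def verify_chain(leaf, intermediates, trusted_roots, crl, today):
    """Walk from the end-user certificate up to a trusted root, checking each link.
    trusted_roots: {subject_dn: cert} (the trust store); crl: set of revoked (issuer_dn, serial).
    Returns (ok, reason)."""
    by_subject = {c["subject"]: c for c in intermediates}
    by_subject.update(trusted_roots)          # the trust store wins over a same-named intermediate
    current = leaf
    for _ in range(len(intermediates) + 2):   # bounded walk, so a malformed chain cannot loop forever
        if not within_validity(current, today):
            return False, f"{current['subject']} outside validity period"
        if (current["issuer"], current["serial"]) in crl:
            return False, f"{current['subject']} revoked by {current['issuer']}"
        issuer = by_subject.get(current["issuer"])
        if issuer is None:
            return False, f"no certificate found for issuer {current['issuer']}"
        if not verify(issuer["public_key"], tbs_bytes(current), current["signature"]):
            return False, f"signature on {current['subject']} does not verify under {issuer['subject']}"
        if issuer["subject"] in trusted_roots:
            if not within_validity(issuer, today):
                return False, f"trusted root {issuer['subject']} outside validity period"
            return True, f"chain ends at trusted root {issuer['subject']}"
        if issuer is current:
            return False, f"self-signed {current['subject']} is not in the trust store"
        current = issuer
    return False, "chain too long"

def build_demo(today=date(2009, 9, 29)):
    """Constructed chain: Root CA -> Subordinate CA -> End User with a 7-day (KCA-style) user cert."""
    root_pub, root_priv = toy_keypair(MERSENNE[61], MERSENNE[127])
    sub_pub, sub_priv = toy_keypair(MERSENNE[89], MERSENNE[107])
    user_pub, _user_priv = toy_keypair(MERSENNE[19], MERSENNE[31])
    root_dn, sub_dn = "CN=Example Root CA", "CN=Example Subordinate CA"   # made-up names
    user_dn = "OU=People/CN=Example User/CN=UID:example"                  # made-up name
    root = issue_cert(root_dn, root_pub, root_dn, root_priv, 1, date(2005, 1, 1), date(2025, 1, 1))
    sub = issue_cert(sub_dn, sub_pub, root_dn, root_priv, 2, date(2008, 1, 1), date(2012, 1, 1))
    user = issue_cert(user_dn, user_pub, sub_dn, sub_priv, 3, today, today + timedelta(days=7))
    return root, sub, user

def run_checks():
    """Map each scenario to (ok, reason): one good chain and the failure modes the slides mention."""
    today = date(2009, 9, 29)
    root, sub, user = build_demo(today)
    roots = {root["subject"]: root}
    tampered = dict(user, subject="OU=People/CN=Someone Else")   # edited after signing: hash no longer matches
    return {
        "valid chain": verify_chain(user, [sub], roots, set(), today),
        "tampered subject": verify_chain(tampered, [sub], roots, set(), today),
        "expired (day 8)": verify_chain(user, [sub], roots, set(), today + timedelta(days=8)),
        "revoked via CRL": verify_chain(user, [sub], roots, {(sub["subject"], user["serial"])}, today),
        "missing CA cert": verify_chain(user, [], roots, set(), today),
        "untrusted root": verify_chain(user, [sub, root], {}, set(), today),
    }

if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print(f"{name:18} {'OK ' if ok else 'FAIL'} {reason}")
```

The walk mirrors what a browser does with the CA certificates it holds: a certificate is only as trustworthy as the chain of signatures leading to a root already in the trust store, and that chain breaks on an expired link, a revoked serial, a missing issuer certificate, a signature that no longer matches the bytes it covers, or a root nobody chose to trust.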
Further Reading
• What is a Digital Signature?
– http://www.youdzone.com/signature.html
– The source of some of the images in my talk.
• OpenSSL Certificate Cookbooks
– Certificate Management and Installation with OpenSSL: http://gagravarr.org/writing/openssl-certs/index.shtml
– OpenSSL Certificate Cookbook: http://www.amigodocarro.com/html/ssl_cook.html
• Wikipedia: Public key certificate
– http://en.wikipedia.org/wiki/Public_key_certificate
KCA Certificates for Linux
How to import KCA Certificates in Scientific Linux Fermi Firefox
Connie Sieh
Firefox – Try to access a page
Firefox – view certificates
Firefox – View Certificates
Firefox – Your certificates before
Firefox – STOP FIREFOX
Firefox – kinit <username>
Firefox – getcert waiting for user
Firefox – getcert done
Firefox – after getcert
Firefox – view certs after
Firefox – have cert – page loads
Computer Security Awareness Day September 29, 2009
David Schuman/ CD Desktop Support
• Where is it located
• How do I renew certificate
• Identity ([email protected])
• How do I import the certificate
• Firefox versus Internet Explorer
http://computing.fnal.gov/software/netidmgr/netidmgr-faq.html#PopUpCredentia
Questions!
Ben Segbawu, September 29 2009
• Location
– Where can I get the get-cert script
– Where should I put the get-cert script
• The Get Cert Script
– Options
– Username
• RunGetCert App
Where to get and Where to put
▪ http://security.fnal.gov/tools/index.html
▪ Unzip and un-tar to /usr/bin/get-cert/
Options
▪ -i (lower case I) imports into Firefox
▪ -k imports into keychain
Username
▪ If your user name is not the same as your account name you will encounter an error
▪ Work around is to modify the KCA script or, better yet, create an account name on your OS X computer that matches your user name.
An apple script “GUI” front end that runs the get-cert script
Contact the Service Desk for support at http://servicedesk.fnal.gov