MASON ECE 646 - PKI ADMINISTRATION USING EJBCA AND OPENCA

PKI ADMINISTRATION USING EJBCA AND OPENCA
By Ayesha Ishrath Ghori and Asra Parveen
George Mason University - Fall 2006

Abstract:
For secure exchange of information between two entities, some private information (a key) needs to be shared. Even prior to the intended communication, a separate, out-of-band secure communication has to occur. This requires an "introducer" between the two entities, which have had no relationship in the past. The idea of having a key that can be revealed publicly without compromising communications security is the basis of a PKI. The PKI provides services such as encryption, digital signatures, data integrity, key establishment, and zero-knowledge/minimum-knowledge protocols. This paper presents an analysis of the major existing Certificate Authorities, which can help people learn "what's in." People who are new to this entire concept will be able to judge, based on this analysis, how secure communication is provided. This paper provides a comparative analysis between two leading Certificate Authorities, EJBCA and OpenCA. OpenCA is a popular Linux-based certificate authority and EJBCA is an Enterprise Java-based CA.

PKI:
In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third-party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates. A PKI enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates.

General concepts

Certification Authority (CA): A CA issues certificates to, and vouches for the authenticity of, entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's policy and practice statement.

Certificate revocation list (CRL): A CRL is a list of certificates (more accurately, their serial numbers) which have been revoked, are no longer valid, and should not be relied upon by any system user.

RootCA: A RootCA has a self-signed certificate and is also called a Trusted Root. Verification of other certificates in the PKI ends with the RootCA's self-signed certificate. Since the RootCA's certificate is self-signed, it must somehow be configured as a trusted root with all clients in the PKI.

SubCA: A subordinate CA, or SubCA for short, is a CA whose certificate is signed by another CA, which can be another SubCA or a RootCA. Since the SubCA's certificate is signed by another CA, it does not have to be configured as a trusted root. It is part of a certificate chain that ends in the RootCA.

Registration Authority (RA): An RA is an administrative function that registers entities in the PKI. The RA is trusted to identify and authenticate entities according to the CA's policy. There can be one or more RAs connected to each CA in the PKI.

End-entity: An end-entity is a user, such as an e-mail client, a web server, a web browser or a VPN gateway. End-entities are not allowed to issue certificates to other entities; they make up the leaf nodes in the PKI.

Hierarchical PKI: As part of our project, we have implemented the following hierarchical PKI using two open source PKI implementations, EJBCA and OpenCA.

Digital Certificates:
A digital certificate is an electronic means of establishing your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains the user's distinguished name, the user's public key, the user's credentials, a serial number, the issuer name, an expiration date, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is real.

A digital signature which meets the ITU (International Telecommunication Union) Telecommunication Standardization Sector (ITU-T) PKIX X.509 version 3 [RFC 2459] standard is generated based on:
• Detailed information about the key holder.
• An expiration date, after which the certificate is placed on the CA's CRL (Certificate Revocation List).

The operating system stores a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location is called the certificate store. A certificate store will often have numerous certificates, possibly issued from a number of different certification authorities.

How Digital Certificates Are Structured:
For a digital certificate to be useful, it has to be structured in an understandable and reliable way so that the information within the certificate can be easily retrieved and understood. For example, a passport follows a similar structure, allowing people to easily understand the information in a type of passport that they may never have seen before. In the same way, as long as digital certificates are standardized, they can be read and understood regardless of who issued the certificate. EJBCA and OpenCA both specify that the digital certificates used with them conform to the International Telecommunication Union (ITU) X.509 standard. Because both CAs rely on an established, recognized standard for the structure of digital certificates, their acceptance is increased.

The X.509 standard specifies that digital certificates contain standardized information. Specifically, X.509 version 3 certificates contain the following fields:

Version number: The version of the X.509 standard to which the certificate conforms.
Serial number: A number that uniquely identifies the certificate and is issued by the certification authority.
Certificate algorithm identifier: The names of the specific public key algorithms that the certification authority has used to sign the digital certificate.
Issuer name: The identity of the certification authority
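As an added example (not code from the paper, EJBCA or OpenCA), the POSIX shell script below builds with OpenSSL the RootCA / SubCA / end-entity hierarchy described under General concepts and checks the two chain claims made there: verification succeeds only when the self-signed RootCA is configured as the trust anchor and the SubCA is supplied as an untrusted intermediate, and fails when only the SubCA is offered as a root; it also prints the X.509 v3 fields listed above (serial number, issuer name, subject, validity) for the end-entity certificate. The CA names, 2048-bit keys and 30-day validity are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the paper: RootCA -> SubCA -> end-entity with OpenSSL.
# CA names, the 2048-bit keys and the 30-day validity are assumptions for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

build_hierarchy() {
    # RootCA: self-signed (basicConstraints CA:TRUE), so every client that verifies
    # the chain must be configured with it as a trusted root.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 30 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null
    # SubCA: its certificate is signed by the RootCA, so it need not be a trusted root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Sub CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out sub.pem 2>/dev/null
    # End-entity: signed by the SubCA; CA:FALSE means it may not issue certificates.
    printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Verification ends at the self-signed RootCA (the trust anchor); the SubCA is
# supplied only as an untrusted intermediate. Exit status 0 means the chain is valid.
verify_with_root() {
    openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem >/dev/null 2>&1
}

# The SubCA alone is not a trust anchor: its own issuer is missing, the chain
# cannot be completed, and openssl verify returns a non-zero status.
verify_with_subca_only() {
    openssl verify -CAfile sub.pem leaf.pem >/dev/null 2>&1
}

# Print the X.509 v3 fields the paper lists: serial number, issuer name, subject, validity.
fields_of() { openssl x509 -in "$1" -noout -serial -issuer -subject -dates; }

build_hierarchy
fields_of leaf.pem
verify_with_root && echo "leaf -> SubCA -> RootCA: verified against the trusted root"
verify_with_subca_only || echo "leaf -> SubCA only: rejected, the SubCA is not a trusted root"
```

Running it prints the end-entity certificate's fields followed by one line for each verification attempt; the generated keys and certificates are left in the temporary directory for inspection with `openssl x509 -text`.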

