John Douglass, Systems Support Specialist, Office of Information Technology: Rolling Your Own PKI
TRANSCRIPT
Who the heck is this guy?
• Primary developer for the Georgia Tech PKI
• Assisted in the development of the CREN CA Services
• Author of “Papyrus” (now called “Kalamos”) a PHP based CA application.
• Co-Author of the GT LAWN wireless authentication system and our residential network registration system START.
Custom vs. Established
Advantages
• You are in control of your own destiny
• Definitely cheaper
• Can often use tools and methods that your technical groups currently understand
Disadvantages
• Technical expertise is required
• User education is PIVOTAL to success
• Client issues abound (if you don’t prepare for it)
So You Have a Custom Root
• Hierarchical vs. Flat Architecture
• Are you your own root?
• Is anyone besides you a relying party?
• What features of PKI are you attempting to use?
  • Client Authentication?
  • Encryption?
  • Object Sign?
  • Web Server Certificates?
• What client software can you support?
Browser and OS Interaction
Mozilla
• Multiplatform
• Utilizes its own internal cert database
• Can use smartcards via PKCS11
Internet Explorer
• Utilizes operating system cert management
• Can use smartcards via PKCS11
• NO cert functions are supported on MacOS
Safari
• Utilizes OS cert management via keychain
• Can use smartcards via PKCS11
Opera
• Works like Mozilla
OpenSSL is the Core
• OpenSSL was not necessarily designed to BE a CA…but we can force it to be
• It relies heavily upon a very mysterious configuration file (TBD)
• It utilizes a text file as a “cert database” though there are simple ways around this (TBD)
• It is usable from a system() or exec() call in any scripting language.
• Freely available for many OS
Software Certs vs. Smartcards
Phase 1: Software Certs
Mozilla

<FORM name="ReqForm" method="POST" action="user-sign-cert.php">
  <KEYGEN NAME="csr" CHALLENGE="challengePassword">
  <INPUT tabindex="3" name="submit" type=submit value="Generate Private Key">
</FORM>

commonName = CN
emailAddress = EMAIL
…
stateOrProvinceName = Georgia
countryName = US
SPKAC = $_POST['csr'];

$OPENSSL ca -config $OPENSSL_CONF -name $ca -extensions $extensions -startdate $certStartDate -days $days -spkac -in $requestFile -out $certFile -key $passphrase -batch
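Added example, not part of the original slides or of Papyrus/Kalamos: a Python stand-in for the PHP handler that validates the posted fields before writing the SPKAC request file and builds the `openssl ca` call as an argument vector instead of a shell string. It assumes the request file is read with OpenSSL's config-file syntax, so newlines, `=`, `$`, `\`, `#` and quotes in a value must never reach it. The function names, allow-lists and the CA_KEY_PASS variable are hypothetical.

```python
import base64
import re

# Constructed allow-lists: none admits newline, '=', '$', '\\', '#' or quotes,
# the characters that carry meaning in OpenSSL's config-style request file.
_NAME = re.compile(r"[A-Za-z0-9 .-]{1,64}")
_EMAIL = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,190}")
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def build_spkac_request(cn, email, spkac):
    """Return request-file text for `openssl ca -spkac`; raise ValueError on bad input."""
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if not _NAME.fullmatch(cn):
        raise ValueError("commonName outside allow-list")
    if not _EMAIL.fullmatch(email):
        raise ValueError("emailAddress outside allow-list")
    # Assumption: the browser may line-wrap the KEYGEN value, so drop whitespace first.
    spkac = "".join(spkac.split())
    if len(spkac) % 4 or not _B64.fullmatch(spkac):
        raise ValueError("SPKAC is not base64")
    # A SignedPublicKeyAndChallenge is a DER SEQUENCE, so it starts with 0x30.
    if base64.b64decode(spkac, validate=True)[:1] != b"\x30":
        raise ValueError("SPKAC is not a DER SEQUENCE")
    # Only the fields visible on the slide; the elided ones are left out.
    fields = [
        ("commonName", cn),
        ("emailAddress", email),
        ("stateOrProvinceName", "Georgia"),
        ("countryName", "US"),
        ("SPKAC", spkac),
    ]
    return "".join(f"{k} = {v}\n" for k, v in fields)


def ca_argv(conf, ca_name, extensions, days, request_file, cert_file):
    """Argument vector for subprocess.run(argv): no shell parses these values."""
    return [
        "openssl", "ca", "-config", conf, "-name", ca_name,
        "-extensions", extensions, "-days", str(int(days)),
        "-spkac", request_file, "-out", cert_file,
        # Key passphrase read from the environment (hypothetical variable name)
        # instead of the slide's -key argument, which is visible in the process list.
        "-passin", "env:CA_KEY_PASS", "-batch",
    ]
```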
Internet Explorer

<SCRIPT language="VBScript">
<!--
Dim Enroll

On Error Resume Next

Set Enroll = CreateObject("CEnroll.CEnroll.2")
if ( (Err.Number = 438) OR (Err.Number = 429) ) Then
  Err.Clear
  Set Enroll = CreateObject("CEnroll.CEnroll.1")
End If
if Err.Number <> 0 then
  document.write("<h2 align=center>Can't instantiate the CEnroll control: " & Hex(err) )
End If

Function GetProviderList()
  Dim CspList, cspIndex, ProviderName

  On Error Resume Next

  ' initialize all our values
  base = 0
  count = 0
  enhanced = 0
  CspList = ""
  ProviderName = ""

  For ProvType = 0 to 13
    cspIndex = 0
    Enroll.ProviderType = ProvType
    ProviderName = Enroll.enumProviders(cspIndex, 0)

    while ProviderName <> ""
      Set oOption = document.createElement("OPTION")
      oOption.text = ProviderName
      oOption.value = ProvType
      ' This is a personal "hack" to limit the crypto providers.
      if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
        Document.ReqForm.CspProvider.add(oOption)
      end if
      if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then
        base = count
      end if
      if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
        enhanced = count
      end if
      cspIndex = cspIndex + 1
      ProviderName = ""
      ProviderName = Enroll.enumProviders(cspIndex, 0)
      count = count + 1
    wend
  Next
  Document.ReqForm.CspProvider.selectedIndex = base
  if enhanced then
    ' Document.ReqForm.CspProvider.selectedIndex = enhanced
    Document.ReqForm.CspProvider.selectedIndex = 0
  end if
End Function

Function CSR(keyflags)
  CSR = ""
  szName = "<? print($DN); ?>"
  ' Hash used to sign the PKCS#10 request (MD5 is collision-prone)
  Enroll.HashAlgorithm = "MD5"
  err.clear

  On Error Resume Next

  set options = document.all.CspProvider.options

  index = options.selectedIndex
  Enroll.providerName = options(index).text
  tmpProviderType = options(index).value
  Enroll.providerType = tmpProviderType
  Enroll.KeySpec = 2

  if tmpProviderType < 2 Then
    Enroll.KeySpec = 1
  end if

  ' Upper 16 bits of GenKeyFlags carry the key size (&h0400 = 1024 bits).
  ' 1.3.6.1.5.5.7.3.2 is the client authentication extended key usage OID.
  Enroll.GenKeyFlags = &h04000001 OR keyflags
  CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
  if len(CSR) <> 0 then Exit Function
  Enroll.GenKeyFlags = &h04000000 OR keyflags
  CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
  if len(CSR) <> 0 then Exit Function
  if Enroll.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then
    MsgBox("The 1024-bit key generation failed. Please upgrade your browser to the latest version.")
    Exit Function
  end if

  ' Fall back to the provider's default key size.
  Enroll.GenKeyFlags = 2 OR keyflags
  CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
  if len(CSR) <> 0 then Exit Function
  Enroll.GenKeyFlags = keyflags
  CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
  if len(CSR) <> 0 then Exit Function
  Enroll.GenKeyFlags = 0
  CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
End Function

Sub REQUEST_OnClick
  Dim Form
  Set Form = Document.ReqForm
  err.clear
  result = CSR(2)

  if len(result) = 0 Then
    result = MsgBox("Unable to generate PKCS10.", 0, "Alert")
    Exit Sub
  end if

  Form.csr.value = result
  Form.Submit
End Sub
-->
</SCRIPT>
<INPUT TYPE="hidden" NAME="csr" VALUE="">
<input type="hidden" name="cert" value="<? print($certtype); ?>">
<SELECT NAME="CspProvider"></SELECT>
<input type="button" name="btnRequest" value="Generate Private Key" onClick="REQUEST_OnClick" language="VBSCRIPT" border=1>
</FORM>
Well…
• ActiveX + VBScript
• You need to designate the DN components
$OPENSSL ca -config $OPENSSL_CONFIG -name $myca -extensions $extensions -startdate $certStartDate -enddate $certEndDate -out $certfile -key $passphrase -in $requestfile -batch
Software Certs vs. Smartcards
Phase 2: Smartcard Certs
Smartcards
• If you want to use an open source CA…your vendor almost definitely will need to agree and modify their product.
• Enter “Kalamos” an XML-RPC based certificate request signing code base.