John DouglassSystems Support Specialist

Office of Information Technology

Rolling Your Own PKI

Who the heck is this guy?

• Primary developer for the Georgia Tech PKI 

• Assisted in the development of the CREN CA Services• Author of “Papyrus” (now called “Kalamos”) a PHP based CA application.• Co-Author of the GT LAWN wireless authentication system and our residential network registration system START.

Custom vs. Established

Advantages• You are in control of your own destiny• Definitely cheaper• Can often use tools and methods that your technical groups currently understand

Disadvantages• Technical expertise is required• User education is PIVOTAL to success• Client issues abound (if you don’t prepare for it)

So You Have a Custom Root

•Hierarchical vs. Flat Architecture• Are you your own root?

• Is anyone besides you a relying party?• What features of PKI are you attempting to use?

• Client Authentication?• Encryption?• Object Sign?• Web Server Certificates?

• What client software can you support?

Browser and OS Support

vs

Browser and OS Interaction

Mozilla• Multiplatform• Utilizes its own internal certdatabase• Can use smartcards via PKCS11

Internet Explorer• Utilizes operating system cert management• Can use smartcards via PKCS11• NO cert functions are supported on MacOS

Safari• Utilizes OS cert management via keychain• Can use smartcards via PKCS11

Opera• Works like Mozilla

OpenSSL is the Core

• OpenSSL was not necessarily designed to BE a CA…but we can force it to be• It relies heavily upon a very mysterious configuration file (TBD)• It utilizes a text file as a “cert database” though there are simple ways around this (TBD)• It is usable from a system() or exec() call in any scripting language.• Freely available for many OS

Software Certs vs. Smartcards

Phase 1: Software Certs

Mozilla<FORM name="ReqForm" method="POST" action="user-sign-cert.php"><KEYGEN NAME="csr" CHALLENGE="challengePassword”><INPUT tabindex="3" name="submit" type=submit value="Generate Private Key"></FORM>commonName = CNemailAddress = EMAIL…stateOrProvinceName = GeorgiacountryName = USSPKAC = $_POST[‘csr’];

$OPENSSL ca -config $OPENSSL_CONF -name $ca -extensions $extensions -startdate $certStartDate -days $days -spkac -in $requestFile -out $certFile –key $passphrase -batch

Software Certs vs. Smartcards

Phase 1: Software Certs

Internet Explorer<SCRIPT language="VBScript"><!--Dim Enroll

On Error Resume Next

Set Enroll = CreateObject("CEnroll.CEnroll.2") if ( (Err.Number = 438) OR (Err.Number = 429) ) Then Err.Clear Set Enroll = CreateObject("CEnroll.CEnroll.1") End If if Err.Number <> 0 then document.write("<h2 align=center>Can't instantiate the CEnroll control: " & Hex(err) ) End If

Function GetProviderList()

Dim CspList, cspIndex, ProviderName

On Error Resume Next

' initialize all our valuesbase = 0count = 0enhanced = 0CspList = ""ProviderName = ""

For ProvType = 0 to 13 cspIndex = 0 Enroll.ProviderType = ProvType ProviderName = Enroll.enumProviders(cspIndex, 0)

while ProviderName <> "" Set oOption = document.createElement("OPTION") oOption.text = ProviderName oOption.value = ProvType' This is a personal "hack" to limit the crypto providers. if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then Document.ReqForm.CspProvider.add(oOption) end if if ProviderName = "Microsoft Base Cryptographic Provider v1.0" Then base = count end if if ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" Then enhanced = count end if cspIndex = cspIndex + 1 ProviderName = "" ProviderName = Enroll.enumProviders(cspIndex, 0) count = count + 1 wendNextDocument.ReqForm.CspProvider.selectedIndex = baseif enhanced then' Document.ReqForm.CspProvider.selectedIndex = enhanced DOcument.ReqForm.CspProvider.selectedIndex = 0 end ifEnd Function

Function CSR(keyflags)

CSR = "" szName = "<? print($DN); ?>" Enroll.HashAlgorithm = "MD5" err.clear

On Error Resume Next

set options = document.all.CspProvider.options

index = options.selectedIndex Enroll.providerName = options(index).text tmpProviderType = options(index).value Enroll.providerType = tmpProviderType Enroll.KeySpec = 2

if tmpProviderType < 2 Then Enroll.KeySpec = 1 end if

Enroll.GenKeyFlags = &h04000001 OR keyflags CSR = Enroll.createPKCS10(szname, "1.3.6.1.5.5.7.3.2") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = &h04000000 OR keyflags CSR = Enroll.createPKCS10(szname, "1.3.6.1.5.5.7.3.2") if len(CSR) <> 0 then Exit Function if Enroll.providerName = "Microsoft Enhanced Cryptographic Provider v1.0" Then MsgBox("The 1024-bit key generation failed. Please upgrade your browser to the latest version.") Exit Function end if

Enroll.GenKeyFlags = 2 OR keyflags CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = keyflags CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2") if len(CSR) <> 0 then Exit Function Enroll.GenKeyFlags = 0 CSR = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")End Function

Sub REQUEST_OnClick Dim Form Set Form = Document.ReqForm err.clear result = CSR(2)

if len(result) = 0 Then result = MsgBox("Unable to generate PKCS10.", 0, "Alert") Exit Sub end if

Form.csr.value = result Form.SubmitEnd Sub--></SCRIPT><INPUT TYPE="hidden" NAME="csr" VALUE=""><input type="hidden" name="cert" value="<? print($certtype); ?>"><SELECT NAME="CspProvider"></SELECT><input type="button" name="btnRequest" value="Generate Private Key" onClick="REQUEST_OnClick" language="VBSCRIPT" border=1></FORM>

Well…• ActiveX + VBScript• You need to designate the DN components

$OPENSSL ca -config $OPENSSL_CONFIG -name $myca -extensions $extensions -startdate $certStartDate -enddate $certEndDate -out $certfile -key $passphrase -in $requestfile -batch

Software Certs vs. Smartcards

Phase 2: Smartcard Certs

Smartcards• If you want to use an open source CA…your vendor almost definitely will need to agree and modify their product.• Enter “Kalamos” an XML-RPC based certificate request signing code base.

Browser and OS Support

vs

Right down to it…

•Pick your battles•Attempt one

thing at a time•Plan as best you

can, but expect changes

•Expect limitations