TERENA Server Certificate Service (SCS)
Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, John Dyer, TERENA & members of the community
TNC 2006, Catania
Apr 01, 2015
AGENDA
• Motivation for the TERENA SCS
• Project description
• Service Characteristics
• Why join?
The background
• European NREN PKIs around for many years
- But still not widely deployed
• Anticipated growth in need:
- Grids
- Web-based ‘stuff’ (mail, e-learning, webservices etc.)
- VPN, email
- eduroam
• Only major use outside Grids is for Servers
Why have Server Certificates
• Pop-ups
• Self-issued certificate not recognized by browsers
• User sees a pop-up
• Doesn’t check the certificate
• Clicks YES
• Could be connected to anything
• In reality subverting the Certificate concept
Problem #2
• Authorized CAs are known to the browsers
• Accreditation of a CA is very expensive
• Certificates are relatively expensive
- when bought in large numbers at a per-certificate price
• Our community needs a cost-effective way to obtain large numbers of server certificates
Finding a community solution
• TF-EMC2 discussions started in 2004
• First (draft) proposal in October 2004
• Interest expressed by a number of NRENs
• Call for Proposals issued by TERENA in August 2005
• Offers from commercial CAs received in September 2005
• Preferred supplier (GlobalSign) announced on 19 December 2005
• Contract signed on 9 January 2006
Participating NRENs
• ACOnet (Austria)
• CARNet (Croatia)
• CESNET (Czech Republic)
• CRU (France)
• RedIRIS (Spain)
• SURFnet (Netherlands)
• SWITCH (Switzerland)
• UNI•C (Denmark)
• TERENA is the contracting party
What did we get?
The Basics
• Each participating NREN has nominated RA Administrators
• These people have been trained at GlobalSign on how to administer the process
• They are the contact point between the Server SysAdmins and GlobalSign
• They are responsible for maintaining the integrity of the identification process
• They can request an unlimited number of certificates during the 1-year pilot
The Process
1) Sysadmin generates key pair and creates CSR
2) Sysadmin submits CSR through GlobalSign’s enrollment pages
3) Admin contact of organization receives a challenge e-mail to be replied to (with postal mail, fax, e-mail with scan of signed document, later possibly with a digitally signed e-mail)
4) RA administrator verifies request (identity of the applicant, organization, DNS domain in subject)
5) RA administrator approves (or rejects) the request
6) If approved: sysadmin receives certificate by mail
The SCS pre-installed root
• SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes preinstalled with
- all major operating systems (Windows, Mac OS 9 ff., …)
- most Web browsers/applications (Mozilla, Opera, …)
- many software suites (Sun JRE/JDK, IBM Websphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …)
- many mobile devices (Palm, Blackberry; phones from Nokia, Sony Ericsson, Motorola, …)
• For issuing SCS certificates, the Cybertrust Educational CA intermediate cert is used (2006–2013)
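The chain just described (server certificate, issuing intermediate, pre-installed root) and the self-signed pop-up problem from the "Why have Server Certificates" slide, as an added shell example that is not part of the original presentation nor of GlobalSign's tooling. It builds a throwaway root, intermediate and server certificate with the OpenSSL command line (the names "Example Trust", "Example Educational CA" and www.example-uni.ac.at are constructed placeholders) and then runs the verification a browser performs, with a trust store that holds only the root:

```shell
#!/bin/sh
# Added example, not TERENA or GlobalSign code. Builds a toy three-level
# chain (root -> intermediate -> server) with the OpenSSL CLI and checks it
# the way a browser would: the trust store holds only the root certificate.
# All names, subjects and files below are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf; each section holds the extensions for one certificate role.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example-uni.ac.at
EOF
}

# new_key_csr NAME SUBJECT: key pair plus CSR, as the sysadmin does in step 1.
new_key_csr() {
  openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# sign_csr NAME ISSUER SECTION DAYS: issue NAME.pem from NAME.csr with ISSUER's key.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -extfile "$WORK/ca.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki() {
  write_config
  # Self-signed root: the only thing a client trust store needs to hold.
  openssl req -config "$WORK/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -extensions v3_root \
    -subj "/C=US/O=Example Trust/CN=Example Global Root" >/dev/null 2>&1
  # Issuing intermediate: the role the Cybertrust Educational CA plays for SCS.
  new_key_csr intermediate "/C=US/O=Example Trust/CN=Example Educational CA"
  sign_csr intermediate root v3_intermediate 1825
  # Server certificate issued by the intermediate, not by the root directly.
  new_key_csr server "/C=AT/O=Example University/CN=www.example-uni.ac.at"
  sign_csr server intermediate v3_server 365
  # The pop-up case: a certificate the server operator signed for themselves.
  openssl req -config "$WORK/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" -extensions v3_server \
    -subj "/C=AT/O=Example University/CN=www.example-uni.ac.at" >/dev/null 2>&1
}

# verify_chain LEAF [INTERMEDIATE]: returns 0 only if LEAF chains to the root
# using nothing but the trusted root and, if given, the intermediate that the
# server would send alongside its own certificate.
verify_chain() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
  fi
}

if command -v openssl >/dev/null 2>&1; then
  build_pki
  verify_chain "$WORK/selfsigned.pem" && echo "self-signed: accepted" \
    || echo "self-signed: rejected (this is the browser pop-up)"
  verify_chain "$WORK/server.pem" && echo "leaf alone: accepted" \
    || echo "leaf alone: rejected (intermediate missing from the chain)"
  verify_chain "$WORK/server.pem" "$WORK/intermediate.pem" \
    && echo "leaf + intermediate: accepted against the root alone"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

The two failing cases are the ones an operator actually meets: a self-issued certificate is rejected because nothing in the store vouches for it, and a properly issued certificate is still rejected when the server does not send the intermediate, because the client only holds the root. The fix for the second case is configuration, not a new certificate: install the intermediate in the server's chain file.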
Certificates Available
• No User Certificates
• Server Certificates only
• Available with 1, 2, 3 years validity
• Three specific Types
SureServerEDU TLS
• recommended default type for general-purpose servers (Web, e-mail, directory service, …)
• mandatory attributes: countryName (C), organizationName (O), commonName (CN)
• optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
SureServerEDU TLS emailserver
• special-purpose type for servers creating e-mail messages on their own (alerting service or similar) – not needed for standard SMTP/IMAP/POP servers
• mandatory attributes: countryName (C), organizationName (O), commonName (CN), emailAddress (E)
• optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
SureServerEDU
• standard type used by GlobalSign (includes legacy netscape-cert-type extension)
Not yet available
• Expected June 2006
• subjectAltName extension with one or more dNSNames (support for DNS aliases)
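Steps 1 and 4 of "The Process" slide, the mandatory and optional subject attributes of the SureServerEDU TLS type, and the subjectAltName dNSNames announced above, as one added shell example that is not part of the original presentation nor of GlobalSign's enrolment pages. The sysadmin side generates a key pair and a CSR carrying C, O, OU and CN plus DNS aliases in the SAN (going beyond the 2006 service, which did not yet support SANs); the RA-administrator side checks the CSR signature, the mandatory attributes and that every requested name lies inside the organisation's registered DNS domains. "Example University", its domains and all host names are constructed placeholders; the OpenSSL CLI (1.1.1 or later, for -addext) is assumed:

```shell
#!/bin/sh
# Added example, not TERENA or GlobalSign code. Step 1 of the SCS process
# (key pair + CSR with the SureServerEDU TLS subject attributes, here also
# carrying subjectAltName dNSNames) and the checks behind step 4, where the
# RA administrator validates the request before approving it.
# Assumes the OpenSSL CLI (1.1.1 or later, for -addext). The organisation,
# its domains and all host names are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
ALLOWED_DOMAINS="example-uni.ac.at example-uni.at"   # domains registered to the organisation

# make_csr CN [ALIAS...]: the sysadmin's side. C, O and CN are mandatory for
# SureServerEDU TLS; OU is one of the optional attributes. The CN is repeated
# in the SAN so clients that ignore the CN still match the host name.
make_csr() {
  cn="$1"; shift
  sans="DNS:$cn"
  for alias in "$@"; do sans="$sans,DNS:$alias"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" \
    -subj "/C=AT/O=Example University/OU=Computing Centre/CN=$cn" \
    -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# in_allowed_domain HOST: true if HOST lies under one of ALLOWED_DOMAINS.
in_allowed_domain() {
  for d in $ALLOWED_DOMAINS; do
    case "$1" in *".$d") return 0 ;; esac
  done
  return 1
}

# check_csr FILE: the RA administrator's side. Returns non-zero on a bad
# signature, a missing mandatory attribute, or any name outside the domains.
check_csr() {
  csr="$1"
  # The CSR self-signature proves the requester holds the matching private key.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "REJECT $csr: CSR signature does not verify"; return 1; }
  # One "ATTR=value" line per subject attribute, spaces around '=' removed.
  attrs=$(openssl req -in "$csr" -noout -subject -nameopt sep_multiline \
          | sed 's/^ *//; s/ *= */=/')
  for attr in C O CN; do
    printf '%s\n' "$attrs" | grep -q "^$attr=" \
      || { echo "REJECT $csr: mandatory attribute $attr missing"; return 1; }
  done
  cn=$(printf '%s\n' "$attrs" | sed -n 's/^CN=//p')
  # dNSName entries from the requested subjectAltName extension, if any.
  sans=$(openssl req -in "$csr" -noout -text \
         | sed -n '/Subject Alternative Name/{n;s/DNS://g;s/,/ /g;p;}')
  for name in $cn $sans; do
    in_allowed_domain "$name" \
      || { echo "REJECT $csr: $name is outside the organisation's domains"; return 1; }
  done
  echo "APPROVE $csr for" $cn $sans
}

if command -v openssl >/dev/null 2>&1; then
  make_csr www.example-uni.ac.at mail.example-uni.ac.at
  check_csr "$WORK/www.example-uni.ac.at.csr"
  # A request whose CN is fine but whose SAN names a host of another organisation.
  make_csr intranet.example-uni.ac.at login.other-org.example
  check_csr "$WORK/intranet.example-uni.ac.at.csr" || true
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

The domain check deliberately covers the SAN as well as the CN: once DNS aliases are accepted, a request can carry a perfectly valid CN and still ask for a name the organisation does not own, so the RA check in step 4 has to look at every name in the request, not only the subject.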
Service Operational
• First Certificate Issued: 16 March 2006
Acknowledgements
• So many people in the community
• Some around the table, others not
• Licia, Karel
• These slides were based on material from Licia Florio of TERENA and Kasper Brand of SWITCH – Sorry for any liberties I have taken with their material
In Licia’s words:
“We got a cool service”
Joining the TERENA SCS
• Initial Pilot runs for one year
• After June 06 we can open the service to new NRENs
• Some NRENs are already waiting
• There is a fee to pay to join
• If the pilot is successful, we will expand again