UNAMgrid CA. Juan Carlos Guel, Alejandro Núñez, Israel Becerril (UNAM, México). DGSCA UNAM, 31/08/06.


Page 1

UNAMgrid CA

Juan Carlos Guel, UNAM, México.
Alejandro Núñez, UNAM, México.
Israel Becerril, UNAM, México.

DGSCA UNAM, 31/08/06

Page 2

What is UNAMgrid CA

• The UNAMgrid CA provides X.509 certificates to the Mexican academic community and related entities for e-science.

• It is located in the Departamento de Seguridad en Cómputo (UNAM-CERT/DSC) of the Dirección General de Servicios de Cómputo Académico (DGSCA) of the UNAM.

Page 3

Web Site

The UNAMgrid Site was created with the OpenCA tool, adapting its HTML code.

The UNAMgrid Site is:

– Offline CA
– Online RA
– Online Public Web Interface

Page 4

CA information

The UNAMgrid CA will operate a secure repository that contains:

• The UNAMgrid CA certificate (available in PEM, CRT, CER, TXT) and all previous ones necessary to check still valid certificates,

• A Certificate Revocation List (available in DER, PEM, TXT),

• A copy of the most recent version of this policy and all previous versions.

Page 5

How to get a Certificate

A brief overview of this process is as follows:

1. Set your browser up to work with the Certificate Authority.

2. Request a certificate from the Certificate Authority.

3. Your nearest Registration Authority (RA) will then require a face-to-face meeting with you to verify your identity. They will need to see your photo ID.

Page 6

4. The RA checks the PIN that you entered when requesting your certificate.

5. Then the RA checks that you are part of a recognized organization.

6. If all criteria are validated, the RA will approve the request.

7. The CA operator will review the approval and sign it.

8. You will be informed, by email, that your certificate is ready. The email will include the serial number and instructions about how to get your certificate.

Page 7

Step 1: Setting up your browser to work with the CA

a) Go to the CA, located at http://www.unamgrid.unam.mx

b) Click “CA Information”, then “Get CA Certificate” and finally “CA Certificate in Browser Importable Format”.

Page 8

c) In Firefox, a text box will be displayed asking for what purposes the certificate should be trusted. Check all the boxes and click OK.

In Internet Explorer (IE), a prompt will ask whether to Open or Save the certificate. Click Open and then click 'Install Certificate' in the certificate window that opens.

Page 9

Step 2: Request a Certificate

To request a User Certificate, you will need to do the following:

a) Navigate to the CA at http://www.unamgrid.unam.mx

b) Click Certificates, then Request a Certificate and finally User Certificates

Page 10

c) You will see a form asking you for your details. You must fill in this form with your real name (first and last name must be provided and separated by a single space). Provide a valid email address and select the RA. Also enter a PIN that will be used to verify your identity.

Page 11

d) You will see a confirmation form with the data that you entered. Review the details and then press Continue.

Page 12

e) Your browser is now generating a keypair.

f) Wait for a while until the browser has generated the keypair.

g) You will get a message saying that the request has been successful. Your RA will contact you shortly to arrange a face-to-face meeting.

Page 13

Step 3: Download the Certificate

When your Certificate is signed you will need to import it into your browser. You can do this by doing the following:

• Navigating to the CA webpage at http://www.unamgrid.unam.mx and clicking Certificates, then Import Certificate into Browser, and entering the serial number given in the e-mail.

Page 14

Verifying Import

When you have imported your certificate, test that it worked by doing the following:

a) Navigate to the CA webpage at http://www.unamgrid.unam.mx

b) Click Certificates and then Test Certificate.

Page 15

d) Type in your Master Password (Firefox only).

e) You will be presented with a form. Click Sign.

Page 16

f) Select the certificate you have just requested. Enter your Master Password and press OK.

g) You should see Valid Certificate on the Web page. If not, your private key and public key may have been corrupted and you should contact technical support.

Page 17

Step 4: Downloading the Certificate Revocation List (CRL) into your browser

The Certificate Revocation List is a list of certificates that have been revoked and should not be trusted. You should have this imported into your browser; otherwise you may be tricked into connecting to a compromised site.

To import the CRL into your browser:

a) Navigate to the CA at http://www.unamgrid.unam.mx

Page 18

b) Click CA Info, then Certificate Revocation Lists and finally CRL in DER format

c) Click Yes to setting up automatic update.

d) Check the box to allow automatic updates.

e) Click Ok.
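The repository slide lists the CA certificate and the CRL in PEM and DER forms, Step 3 identifies a certificate by the serial number sent in the e-mail, and Step 4 has the browser consult the CRL. The following stdlib-only Python is an added example, not code from the slides or from OpenCA: it accepts either encoding, walks the real X.509 Certificate and CertificateList layouts to pull out the serial number and the revokedCertificates entries, and answers the question the browser asks in Step 4. The certificate and CRL it parses are constructed samples built with a tiny DER encoder, not UNAMgrid data.

```python
import base64, re

def to_der(data):
    """Accept PEM (the repository's .pem/.crt/.cer/.txt files) or raw DER; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)          # drop BEGIN/END armour lines
        return base64.b64decode(b"".join(body.split()))
    return data
def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                             # long-form length
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + ln], pos + ln
def children(seq):
    """Split a constructed element's content into its (tag, value) members."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out
def tbs_fields(data):                                         # outer SEQUENCE -> tbs* member -> its fields
    return children(children(children(to_der(data))[0][1])[0][1])
def cert_serial(data):
    """tbsCertificate: optional [0] EXPLICIT version, then INTEGER serialNumber."""
    tbs = tbs_fields(data)
    return int.from_bytes(tbs[1 if tbs[0][0] == 0xA0 else 0][1], "big", signed=True)
def crl_revoked_serials(data):
    """tbsCertList: [version] signature issuer thisUpdate [nextUpdate] [revokedCertificates] [exts]."""
    tbs = tbs_fields(data)
    tbs = tbs[(4 if tbs[0][0] == 0x02 else 3):]              # past version, signature, issuer, thisUpdate
    if tbs and tbs[0][0] in (0x17, 0x18):                     # optional nextUpdate (UTCTime/GeneralizedTime)
        tbs = tbs[1:]
    if not tbs or tbs[0][0] != 0x30:                          # nothing or only [0] extensions left: no revocations
        return set()
    return {int.from_bytes(children(e)[0][1], "big", signed=True) for _, e in children(tbs[0][1])}
def is_revoked(cert, crl):                                    # the check the browser makes after Step 4
    return cert_serial(cert) in crl_revoked_serials(crl)

# Constructed sample certificate and CRL (not real UNAMgrid data), built with a short-form DER encoder.
def tlv(tag, value): return bytes([tag, len(value)]) + value              # lengths < 128 only
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def utctime(s): return tlv(0x17, s.encode())
def name(cn): return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def to_pem(der, label): return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der), label)
SIGALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))          # sha256WithRSAEncryption
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, integer(2)) + integer(4321) + SIGALG + name("CA")
    + tlv(0x30, utctime("060831000000Z") + utctime("070831000000Z")) + name("Test User")
    + tlv(0x30, b"")) + SIGALG + tlv(0x03, b"\x00"))                         # empty SPKI, dummy signature
def sample_crl(revoked):
    body = integer(1) + SIGALG + name("CA") + utctime("060901000000Z") + utctime("060908000000Z")
    if revoked:
        body += tlv(0x30, b"".join(tlv(0x30, integer(s) + utctime("060901000000Z")) for s in revoked))
    return tlv(0x30, tlv(0x30, body) + SIGALG + tlv(0x03, b"\x00"))
```

The parsing functions follow the layouts in RFC 5280, so they also work on a real PEM or DER certificate and CRL downloaded from the repository; signature checking is deliberately out of scope here and remains the browser's job.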

Page 19

Future works

• Issue a new CA certificate with the following subject:

C=mx, O=UNAMgrid, OU=UNAM, CN=CA

• New CP/CPS: Version 2c

• Modify the OpenCA source code to validate a person certificate when a new host/service request is generated

Page 20

• Modify the OpenCA source code to send an e-mail to the CA Operator and RA Operator when a new request is generated; this will make the signing process easier.

• Create and publish “Howto” documents:

– How certificates work

– How to request a certificate

– How to revoke a certificate

– Prepare a certificate for use by Globus Toolkit

– Convert a certificate to/from PEM format

Page 21

Comments??