SCS: the new Server Certificate Service offering from SWITCH/TERENA

Kaspar Brand, SWITCH, 2006

A very brief SCS project history

- Discussions with other European NRENs started in 2004, within TERENA's TF-EMC2 (Task Force on European Middleware Coordination and Collaboration)
- First (draft) proposal in October 2004. Goal: "To setup a service that offers popup-free cheap server-certificates against a flatrate fee for educational and research organisations using their NREN as a service provider."
- Call for Proposals issued by TERENA in August 2005; participating NRENs: ACOnet (Austria), CARNet (Croatia), CESNET (Czech Republic), CRU (France), RedIRIS (Spain), SURFnet (Netherlands), SWITCH (Switzerland), UNI•C (Denmark)
- Offers from commercial CAs received in September 2005; preferred supplier (GlobalSign) announced on 19 December 2005; contract signed on 9 January 2006
- Service operational by mid-March 2006

Pop-up free?

SCS: enter the world of preinstalled roots

SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes preinstalled with
- all major operating systems (Windows, Mac OS 9 ff., …)
- most Web browsers/applications (Mozilla, Opera, …)
- many software suites (Sun JRE/JDK, IBM WebSphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …)
- many mobile devices (Palm, BlackBerry; phones from Nokia, Sony Ericsson, Motorola, …)

For issuing SCS certificates, the Cybertrust Educational CA intermediate certificate is used (valid 2006 to 2013). Since clients ship only the root, a server has to send this intermediate certificate together with its own one; a client that receives the server certificate alone cannot build the chain to the preinstalled root and will still show a warning.

And where's the private key?

On an HSM (hardware security module), which come in different flavors:
- Chrysalis-ITS (SafeNet) Luna CA3
- IBM 4758
- nCipher nShield

GTE and GlobalSign/Ubizen/Cybertrust

- 1959: General Telephone & Electronics Corp. established as a merger of General Telephone (founded 1918) and Sylvania Electric Products (founded 1910)
- May 1995: Ubizen founded
- February 1996: GTE CyberTrust Root issued (valid through 2006)
- October 1996: BelSign founded
- January 1998: GTE CyberTrust CA starts operations
- August 1998: GTE CyberTrust Global Root issued (valid through 2018)
- August 1998: BelSign becomes GlobalSign
- September 1998: GlobalSign Root CA issued (valid through 2014)
- 1999: Betrusted started as PwC's e-security business
- March 2000: GTE's CyberTrust Solutions, Inc. acquired by Baltimore Technologies ($150M)
- June 2000: Verizon merger (Bell Atlantic/GTE) completed
- July 2002: GlobalSign acquired by Ubizen (73%)
- February 2003: Betrusted acquired by One Equity Partners (Bank One)
- September 2003: Baltimore's OmniRoot (GTE root certificate) acquired by Betrusted ($3.2M)
- December 2003: Baltimore's UniCERT product acquired by Betrusted ($8M)
- May 2004: Ubizen acquired by Betrusted (78.7%)
- September 2004: Cybertrust formed by a merger of Betrusted and TruSecure (majority owner: One Equity Partners / Bank One)
- January 2006: TERENA signs contract with GlobalSign/Ubizen/Cybertrust

Cheap?

From the January 2006 press release of TERENA: "This solution makes the cost per certificate very low when large numbers of certificates are issued."

External costs for SCS certificates are lower than for SwissSign certificates.

SWITCH intends to offer two PKI service options:
- SWITCHpki Basic: for smaller organizations; the basic fee includes up to ~10 certificates/year (either SwissSign or SCS)
- SWITCHpki Extended: for larger organizations (RA operators with direct access to the CA platform); the basic fee includes ~30 SwissSign certificates and an unlimited number of SCS certificates

The SCS offering in more detail

SCS = Server Certificate Service (no user certificates currently). Three types of server certificates are available, with 1, 2 or 3 years validity:

- SureServerEDU TLS: recommended default type for general-purpose servers (Web, e-mail, directory service, …)
  - mandatory attributes: countryName (C), organizationName (O), commonName (CN)
  - optional attributes: stateOrProvinceName (ST or S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
- SureServerEDU TLS emailserver: special-purpose type for servers creating e-mail messages on their own (alerting service or similar); not needed for standard SMTP/IMAP/POP servers
  - mandatory attributes: countryName (C), organizationName (O), commonName (CN), emailAddress (E)
  - optional attributes: stateOrProvinceName (ST or S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
- SureServerEDU: standard type used by GlobalSign (includes the legacy netscape-cert-type extension)

Not yet available with SCS (but announced for June 2006): the subjectAltName extension with one or more dNSNames (support for DNS aliases).

SCS prerequisites

Pre-registration of the organization with SWITCHpki using three registration forms (currently under development):
- for new participants: "Application for SWITCHpki participation", signed by an official representative of the organization
- "Proxy for SWITCHpki certificate applicants": appointment of contact persons/RA operators at the organization, signed by an official representative
- "DNS domain authorization": authorization of SWITCHpki contact persons to authorize requests for a specified list of DNS domains, signed by an official representative (unless specifically delegated to the contact persons)

TANSTAAFL: liabilities arising from the contract with GlobalSign have to be accepted by each participating organisation (e.g. when approving a possibly fraudulent certificate request by ignoring mandatory verification steps). The risk is mostly hypothetical if procedures are properly adhered to (liability per SCS certificate capped at 0 Euro as per contract).

Requesting an SCS certificate

1) Sysadmin generates a key pair and creates a CSR
2) Sysadmin submits the CSR through GlobalSign's enrollment pages
3) The admin contact of the organization receives a challenge e-mail, to be replied to (by postal mail, fax, or e-mail with a scan of the signed document; later possibly with a digitally signed e-mail)
4) RA administrator verifies the request (identity of the applicant, organization, DNS domain in the subject)
5) RA administrator approves (or rejects) the request
6) If approved: sysadmin receives the certificate by e-mail
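The following script is an added example and not part of the SWITCH slides or of the SCS service itself. It ties together three of the slides above: step 1 of the request procedure (key pair and CSR), the mandatory subject attributes of the SureServerEDU TLS and emailserver types, and the "preinstalled root plus intermediate" layout of the chain. It builds a throw-away hierarchy with OpenSSL (a self-signed root standing in for the GTE CyberTrust Global Root, an intermediate standing in for the Cybertrust Educational CA, and a server certificate), checks two CSRs for the mandatory attributes, and then verifies the server certificate the way a client does, once with and once without the intermediate. All names (Example Trust, Example Educational CA, example.edu addresses) are constructed; the subjectAltName line in the server extensions goes beyond the 2006 offering and shows what the dNSName support announced for June 2006 looks like.

```shell
#!/bin/sh
# Added example, not code from the SWITCH/TERENA slides. Rebuilds the SCS
# layout with a throw-away hierarchy (self-signed root -> intermediate
# "educational" CA -> server certificate), generates CSRs carrying the
# attributes the SureServerEDU types make mandatory, and shows what a client
# that trusts only the root sees with and without the intermediate.
# All names below (Example Trust, Example Educational CA, example.edu) are
# constructed; the real SCS chain ends at the GTE CyberTrust Global Root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for the two CA levels: CA:TRUE plus the cert-signing key usage.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the server certificate. The subjectAltName line goes beyond
# the 2006 offering (DNS aliases were announced for June 2006); it is what
# the announced dNSName support looks like.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.edu,DNS:web.example.edu
EOF

# Step 1 of the request procedure: the sysadmin generates a key pair and a
# CSR. $1 = basename for key/CSR files, $2 = subject in OpenSSL's /X=... form.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Check a CSR against the mandatory attributes of an SCS certificate type:
# "tls" needs C, O and CN; "emailserver" additionally needs emailAddress.
# Returns 1 and lists the missing attributes if the RA would have to reject it.
check_csr_subject() {
  subj=$(openssl req -in "$1" -noout -subject -nameopt multiline)
  required="countryName organizationName commonName"
  if [ "$2" = emailserver ]; then required="$required emailAddress"; fi
  missing=""
  for attr in $required; do
    if ! printf '%s\n' "$subj" | grep -q "^ *$attr *="; then
      missing="$missing $attr"
    fi
  done
  if [ -n "$missing" ]; then
    echo "$1: missing mandatory attribute(s):$missing" >&2
    return 1
  fi
}

# Verify a server certificate as a client would: only the root is trusted;
# the intermediate is accepted solely as untrusted input (what the server
# must send in its handshake). Omit $3 to simulate a server that did not
# install the intermediate certificate.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1"
  else
    openssl verify -CAfile "$2" "$1"
  fi
}

# Build the hierarchy. Root and intermediate stand in for the preinstalled
# GTE CyberTrust Global Root and the Cybertrust Educational CA.
make_csr root "/C=US/O=Example Trust/CN=Example Global Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
make_csr inter "/C=US/O=Example Trust/CN=Example Educational CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null

# A SureServerEDU TLS request (C, O, CN) and an emailserver request (plus E).
make_csr server "/C=CH/O=Example University/CN=www.example.edu"
make_csr alerts "/C=CH/O=Example University/CN=alerts.example.edu/emailAddress=alerts@example.edu"
ROOT="$WORK/root.crt"; INTER="$WORK/inter.crt"
TLS_CSR="$WORK/server.csr"; MAIL_CSR="$WORK/alerts.csr"

check_csr_subject "$TLS_CSR" tls
check_csr_subject "$MAIL_CSR" emailserver

# Steps 4 to 6, condensed: the approved request is signed by the intermediate.
LEAF="$WORK/server.crt"
openssl x509 -req -in "$TLS_CSR" -CA "$INTER" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$LEAF" 2>/dev/null

echo "with intermediate:";    verify_chain "$LEAF" "$ROOT" "$INTER"
echo "without intermediate:"; verify_chain "$LEAF" "$ROOT" || true
```

The second verification fails with "unable to get local issuer certificate": the client has the root in its store but nothing links the server certificate to it. That is exactly the browser warning the "pop-up free" promise is about, and it is caused by the server configuration, not by the CA, so installing the intermediate alongside the server certificate is part of step 6. The `-untrusted` option models the handshake honestly: the intermediate is only used to build the path, never trusted on its own.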
