PKI Made Easy: Managing Certificates with Dogtag
Ade Lee, Sr. Software Engineer, Red Hat, Inc.
08.11.2013
Agenda
- What is PKI?
- What is Dogtag?
- Installing Dogtag
- Interacting with Dogtag using REST
- Future directions
- Questions
SouthEast LinuxFest
Agenda: What is PKI?

Mission #1: Buying Beer

Need ID?

Digital Certificate
Public/Private Keys
- In certificates, the identifier is the public key of a public/private key pair.
- Messages encrypted with a public key can only be decrypted with the private key, and vice versa.
- Being able to decrypt proves possession of the private key, and hence identity.
- We can use public/private key pairs to identify:
  - Servers (e.g. bankofamerica.com)
  - Individuals
  - Devices (routers, locomotives, etc.)

Use Case: Secure Web Browsing
1. A client initiates contact with the secure web server (using https).
2. The server returns a digital certificate.
3. The client checks the validity of the certificate through a trusted certificate authority.
4. The client generates a symmetric key, encrypts it with the server's public key, and sends it to the server.
5. The server decrypts the symmetric key using its private key.
6. The server and client can exchange data using the symmetric key.
Use Case: Client Authentication
1. The user contacts the server application using a browser and establishes an SSL connection.
2. The server requests a client certificate for authentication.
3. The user selects a certificate for which he has the private key from the browser's certificate database.
4. The server checks whether the client certificate is valid and trusted. The cert is used to establish identity.
5. The server uses authorization checks to provide access to applications.

Use Case: Email Encryption
1. The user requests an encryption cert. The client optionally encrypts the private key and sends it in a CRMF request to the server for escrow.
2. The user imports the private key and encryption cert into the email client.
3. The user sends the recipient a signed email containing his public key.
4. The recipient encrypts a secret message with the public key and sends it to the user. Only the user can read the encrypted message.
5. If the private key is lost or the employee leaves the company, the encryption key can be recovered from escrow.
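The property both use cases above rest on, that only the holder of the private key can read what was encrypted to the matching public key, as an added Go example (not code from the deck, and not Dogtag's, which is a Java server). It shows the hybrid construction behind encrypted mail and behind key escrow: the content is encrypted under a one-time symmetric key, and only that key is wrapped with the recipient's RSA public key, so the same envelope can be stored anywhere and opened by exactly one key. Real S/MIME mail and Dogtag's archival requests use standard containers (CMS, CRMF) rather than this hand-rolled Envelope type; the key sizes, the Envelope layout and the sample message are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the message as it travels or sits in an archive: the content under a
// one-time AES-256-GCM key, and that key wrapped with the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, content key)
	Nonce      []byte // GCM nonce; fresh for each content key
	Ciphertext []byte // AES-GCM(content key, plaintext)
}

// newKeyPair generates a recipient's RSA encryption key pair (2048 bits is an assumption).
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal needs only the recipient's public key, which is exactly what a certificate carries.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open succeeds only with the private key matching the public key used by Seal;
// any other key fails at the unwrap step, and a modified envelope fails authentication.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the matching private key")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("content authentication failed: envelope was altered")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	userKey, _ := newKeyPair() // the user's encryption key pair
	env, _ := Seal(&userKey.PublicKey, []byte("the quarterly numbers"))
	msg, _ := Open(userKey, env)
	fmt.Printf("recipient reads: %q\n", msg)
	stranger, _ := newKeyPair()
	_, err := Open(stranger, env)
	fmt.Println("anyone else:", err)
}
```

The escrow point from the slide follows directly: an archive that holds the user's private key (or, as in the DRM slide later, a secret sealed to the escrow authority's own public key) can open envelopes the user can no longer open, while the archive operator still needs the wrapped content key for each message.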
What about portability?
- The private key is stored in your browser's certificate database.
- What if you want to use a different machine?
- Can't put a certificate database in your wallet... or can you?

What do we need to manage driver's licenses?
- Registration authorities that issue licenses after verifying proof of identification.
- A mechanism to revoke, reinstate, and renew licenses.
- A mechanism for reissuing licenses after they are lost or stolen.
- A mechanism to check license status.

Is this license valid?

What do we need for PKI?
- A community of entities with public/private keys
- Registration Authorities that accept cert requests and confirm the requestors' identities
- Certificate Authorities that issue certificates to certify the validity of public keys
- Certificate repositories that store public keys
- Certificate revocation lists and online certificate status managers to verify certificate status
- Key recovery authorities to recover lost encryption keys
- Token management system
Agenda: What is Dogtag?

Dogtag Certificate System
- Security framework to handle the full life cycle of X.509 certificates, including issuance, renewal, revocation, publishing, private key escrow, and token management.
- Red Hat Certificate System (RHCS) is based on Dogtag.
- RHCS is Common Criteria (EAL4) certified, with FIPS 140-2 Level 2 security libraries and Level 3 validated HSM hardware.
- RHCS is used in the largest PKI deployments in the world. Scales to millions of certs and keys.
- The latest version (10.0.4) is currently available on Fedora 18 and 19.

Dogtag History
- Netscape Certificate Server 1.0 [1997]
- Netscape Certificate Management System 4.1 [1999]
- Netscape/iPlanet Certificate Management System 4.2 [2000]
- Sun ONE Certificate Server 4.7 [2002]
- Netscape Certificate Management System 6.1 SP1 [2003]
- Red Hat Certificate System 7.3 [2007]
- Dogtag Certificate Server 1.0.0 [2008]
- Dogtag Certificate Server 9.0 [2011]
- Red Hat Certificate Server 8.1 [2012]
- Dogtag Certificate Server 10.0 [2013]

Features
- Ability to create and manage certificates
- Easily deployable and maintainable
- Highly scalable
- Cloning for high availability and disaster recovery
- Based on open standards and protocols; hence, able to interoperate with other certificate systems (not just Red Hat's)

Features (continued)
- A single CA can support multiple registration authorities
- Root or subordinate CA, cross-certified CAs, and CA cloning
- Interfaces: Administration, Agent, and End Entity
- Signed auditing
- Self tests
- Certificate issuance, profiles
- Plugin framework for customization

Features (continued)
- Publishing, notifications, and jobs
- CRLs and OCSP
- Encryption key escrow and recovery
- Support for hardware tokens: smart cards and crypto accelerators
- SCEP
- Interfaces: web UI, RESTful interface, command line utilities, console (graphical client)

Dogtag in IPA
[Architecture diagram. FreeIPA core: NTP, Dogtag CA, Kerberos KDC, Directory Server, DNS; authentication; users, groups, netgroups, HBAC. Managed host (client): SSSD (name lookups and service discovery), certmonger (cert tracking and provisioning), ipa-client (configuration, enrollment and un-enrollment), nss_ldap and other maps. Management station: management framework, CLI, and Web UI in a browser.]

Dogtag Components
[Diagram]

Dogtag Token Management
[Diagram]
Agenda: Installing Dogtag

Installing Dogtag Subsystems
- Movie demonstrating how to install a Dogtag 10 instance with a CA and KRA using pkispawn. In this case, the CA and KRA are in the same instance: https://www.youtube.com/watch?v=c3eeljaz7lu
- See the man pages for more advanced usage.

Enrollment with Key Archival
[Diagram]

Enrollment with Key Archival
- Movie showing the admin and agent interfaces, and key archival: https://www.youtube.com/watch?v=buapp-jejnk

Agenda: Interacting with Dogtag using REST
Dogtag Java Architecture
[Diagram]

Why a new RESTful Interface?
- We have battle-tested software that has been deployed in the largest public key infrastructures worldwide.
- We want to become the default PKI implementation for application developers. This means:
  - Simplifying installation and configuration
  - Standard interfaces

Why a new RESTful interface?
- The old interface consists of servlet calls with name-value parameter pairs.
- In the new interface, the application is presented as a collection of resources.
- More intuitive URLs: POST /profilesubmitservletsslclient vs. POST /certrequests
- Standard operations and return codes
- Framework to automatically handle serialization to XML/JSON, crafting HTTP responses, etc. on server and client

REST Resources on the CA
Resources: certs, certrequests, users, groups, profiles
Example invocations:
- GET /certs - list certificates
- GET /certs/{id} - get a specific cert by serial number
- POST /certs/search - search for certs matching criteria
- POST /agent/certs/{id}/revoke - revoke a cert
- POST /certrequests - create a new cert request
- GET /certrequests/{id} - get a cert request
- POST /agent/certrequests/{id}/approve - approve a cert request
- POST /admin/users - create a new user
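The resource model above driven from a client, as an added Go example that is not the project's own code (Dogtag's client side is the RESTEasy proxy framework, in Java). It implements two of the invocations listed, GET /certs/{id} and POST /agent/certs/{id}/revoke, against a constructed in-memory stand-in for the CA, and maps the standard return codes (200/204, 403, 404) to typed errors a caller can branch on, which is the "standard operations and return codes" point of the previous slide. The JSON record shape, the revoke request body, the serial 0x10, and the bearer credential used to guard the /agent path are assumptions for the example: Dogtag authenticates agents with client certificates, and its real schemas differ.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CertInfo is an assumed, minimal JSON shape for a certificate record.
type CertInfo struct {
	ID     string `json:"id"`
	Status string `json:"status"`
}

var (
	ErrNotFound  = errors.New("no such certificate")
	ErrForbidden = errors.New("agent privileges required")
)

// CAClient maps resource URLs to typed calls. AgentCredential is an assumed stand-in
// for agent authentication; Dogtag itself authenticates agents by client certificate.
type CAClient struct {
	Base            string
	HTTP            *http.Client
	AgentCredential string
}

// statusErr turns standard HTTP status codes into errors a caller can branch on.
func statusErr(resp *http.Response) error {
	switch resp.StatusCode {
	case http.StatusOK, http.StatusNoContent:
		return nil
	case http.StatusNotFound:
		return ErrNotFound
	case http.StatusUnauthorized, http.StatusForbidden:
		return ErrForbidden
	}
	return fmt.Errorf("unexpected status %d", resp.StatusCode)
}

// GetCert is GET /certs/{id}: an unauthenticated end-entity read.
func (c *CAClient) GetCert(id string) (*CertInfo, error) {
	resp, err := c.HTTP.Get(c.Base + "/certs/" + id)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if err := statusErr(resp); err != nil {
		return nil, err
	}
	var info CertInfo
	return &info, json.NewDecoder(resp.Body).Decode(&info)
}

// RevokeCert is POST /agent/certs/{id}/revoke: an agent operation, hence under /agent.
func (c *CAClient) RevokeCert(id, reason string) error {
	body, _ := json.Marshal(map[string]string{"reason": reason}) // a string map cannot fail to encode
	req, err := http.NewRequest(http.MethodPost, c.Base+"/agent/certs/"+id+"/revoke", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+c.AgentCredential)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return statusErr(resp)
}

// fakeCA is a constructed in-memory stand-in for the CA so the client runs offline.
// It serves one certificate, serial 0x10, and guards everything under /agent/ with the credential.
func fakeCA(agentCredential string) *httptest.Server {
	certs := map[string]*CertInfo{"0x10": {ID: "0x10", Status: "VALID"}}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/certs/"):
			if info, ok := certs[strings.TrimPrefix(r.URL.Path, "/certs/")]; ok {
				json.NewEncoder(w).Encode(info)
				return
			}
		case r.Method == http.MethodPost && strings.HasPrefix(r.URL.Path, "/agent/"):
			if r.Header.Get("Authorization") != "Bearer "+agentCredential {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/agent/certs/"), "/revoke")
			if info, ok := certs[id]; ok && strings.HasSuffix(r.URL.Path, "/revoke") {
				info.Status = "REVOKED"
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		http.NotFound(w, r)
	}))
}

func main() {
	srv := fakeCA("agent-secret") // constructed credential for the stand-in server
	defer srv.Close()
	agent := &CAClient{Base: srv.URL, HTTP: srv.Client(), AgentCredential: "agent-secret"}
	fmt.Println("revoke:", agent.RevokeCert("0x10", "keyCompromise"))
	info, _ := agent.GetCert("0x10")
	fmt.Println("status now:", info.Status)
}
```

The split between /certs (readable by anyone) and /agent/certs (revocation only for an authenticated agent) is the part worth copying: the URL prefix makes the privilege boundary visible, and a 403 from the agent path is a typed, testable outcome rather than a parsing problem.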
RESTEasy Client Proxy Framework
- The RESTEasy client proxy framework is a way to use JAX-RS annotations on the client side.
- Server and client share Java annotated interfaces which define the REST resource objects and method calls.
- The client instantiates the REST resource objects and makes method calls.
- The client framework converts each method call into an HTTP request, handling all data marshalling to JSON or XML.
- Server error codes are handled through exceptions.
- Used by the new CLI code (pki).

Writing client code for the REST Interface
- Very easy in Java using the client proxy framework. Movie with some details: http://youtu.be/e9m9kkshjnm
- Some Python support is available as well, to be enhanced.
- REST interface documented at: http://pki.fedoraproject.org/wiki/rest and http://pki.fedoraproject.org/wiki/resteasy

REST Resources on the DRM
Resources: keys, keyrequests, users, groups, some system resources.
- GET /agent/keyrequests - list key requests
- GET /agent/keyrequests/{id} - get a key request
- POST /agent/keyrequests/archive - submit an archival request
- POST /agent/keyrequests/recover - submit a recovery request
- POST /agent/keyrequests/{id}/approve - approve a request
- POST /agent/keyrequests/{id}/reject - reject a request
- POST /agent/keyrequests/{id}/cancel - cancel a request

DRM Enhancements in Dogtag 10
- The DRM has traditionally been used to store X.509 private keys only, with the public key as the identifier.
- With the REST interface, the client provides an identifier, client_id.
- The interface can therefore be used to securely archive just about anything, as long as it is packaged in a CRMF package.
- We have sample code (DRMTest.java) that stores symmetric keys and passphrases. On recovery, these are wrapped with a symmetric key or passphrase.
- Being investigated as a back-end for CloudKeep.
Agenda: Future directions

What's next?
- Dogtag 10.1 scheduled for Fedora 20 (Jan 2014)
- Extend the REST interface to manage certificate profiles. This will be consumed by FreeIPA.
- Enhance the Python client framework for the REST interface.
- Rewrite TPS as a Java component residing in a Tomcat instance.
- And more...

Resources
- Dogtag project wiki: http://pki.fedoraproject.org
- Project trac: https://fedorahosted.org/pki
- Code: https://git.fedorahosted.org/cgit/pki.git
- Mailing lists: pki-users@redhat.com, pki-devel@redhat.com, pki-announce@redhat.com
- IRC: freenode #dogtag-pki

Questions?