The JANET Certificate Service - London South Bank University · 2009-12-11 · JANET Certificate...
SERJUG 25th November 2009 – Copyright JNT Association 2009 – slide 1
The JANET Certificate Service
Damien Shaw
JANET Technical Administration Group
JANET SCS
• Server Certificate Service
• January 2006 TERENA sign contract
• Under a GlobalSign Root Certificate
• JANET SCS began in December 2006
– ~440 user organisations
– Processed 11,387 requests
– Issued 9,066 certificates
JANET SCS
Pros
• Cheap
• Very good presence in browsers
• No per-certificate fee
• Solved the pop-up problem
Cons
• Server availability
• SPF issues
• Windows 2008
• SANs
JANET SCS
• Lengthy signup process
• Manual process for requesters
– Sign by hand and fax / email back
• Manual process for JANET(UK)
– Causes some delay during busy periods
• Required strict input into forms
• Doesn’t Scale
TERENA Certificate Service
• TERENA procurement
• Committee of SCS staff from NRENs:
– CESNET: Milan Sova
– CRU: Dominique Launay
– JANET(UK): Damien Shaw
– RedIRIS: Daniel García
– Uni-C: Kurt Bøge
– UNINETT: Jan Meijer
– TERENA: Karel Vietsch, Licia Florio & Kevin Meynell
• September 2008 – March 2009
Procurement
• 11 Proposals received
• 5 Invited for interview
• Contract awarded to Comodo CA Ltd
• No longer just a Server Certificate Service!
• Email & Client Certificates?
• Code Signing Certificates?
• EV Certificates?
JANET Certificate Service
• Launched on 18th November 2009
• Simple Sign up process
• Online system for requests
• No signatures required
• Automated approval of requests
• Users can view, retrieve and revoke certificates through their user account
• Certificates issued within minutes!
Certificate Chain
AddTrust External CA Root
→ UTN-UserFirst-Hardware
→ TERENA SSL CA
→ End Entity SSL certificate
JANET Certificate Service
• Root presence across most browsers (99.3% browser compatibility) and platforms – including the iPhone and Wii!
• Supports multiple (maximum of 100) domain names (SANs) with a single certificate
• Wildcard certificates not supported (JANET(UK) policy decision)
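The two limits on this slide (at most 100 SANs per certificate, no wildcard names) are the kind of rule an issuing front end should enforce before a CSR ever reaches the CA. The Go program below is an added example written for this transcript, not code from the JANET or TERENA service: it constructs a throwaway CSR, checks the CSR signature as proof of possession of the private key, and then applies the two limits. The extra rule that the Common Name must also appear among the SANs, and the organisation and host names used, are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// MaxSANs is the per-certificate limit stated on the slide.
const MaxSANs = 100

// CheckRequestNames validates a parsed CSR against the service rules:
// the signature must verify (the requester holds the key), there may be at most
// MaxSANs DNS names, no name may contain a wildcard, and (assumption, not a rule
// quoted from the CPS) the Common Name must be repeated in the SAN list because
// that is what browsers actually match against.
func CheckRequestNames(csr *x509.CertificateRequest) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	cn := csr.Subject.CommonName
	if cn == "" {
		return errors.New("CSR has no Common Name")
	}
	if strings.Contains(cn, "*") {
		return fmt.Errorf("wildcard Common Name %q not permitted", cn)
	}
	if len(csr.DNSNames) > MaxSANs {
		return fmt.Errorf("%d SANs requested, limit is %d", len(csr.DNSNames), MaxSANs)
	}
	cnPresent := false
	for _, name := range csr.DNSNames {
		if strings.Contains(name, "*") {
			return fmt.Errorf("wildcard SAN %q not permitted", name)
		}
		if strings.EqualFold(name, cn) {
			cnPresent = true
		}
	}
	if !cnPresent {
		return fmt.Errorf("Common Name %q is not listed among the SANs", cn)
	}
	return nil
}

// MakeCSR builds a constructed CSR for cn and sans with a throwaway P-256 key,
// then parses it back from DER exactly as an issuing system would do with an upload.
func MakeCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"Example University (constructed)"}},
		DNSNames: sans,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	for _, c := range []struct {
		cn   string
		sans []string
	}{
		{"www.example.ac.uk", []string{"www.example.ac.uk", "example.ac.uk"}},
		{"*.example.ac.uk", []string{"*.example.ac.uk"}},
		{"www.example.ac.uk", []string{"other.example.ac.uk"}},
	} {
		csr, err := MakeCSR(c.cn, c.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s -> %v\n", c.cn, CheckRequestNames(csr))
	}
}
```

Rejecting the request at this stage is what keeps "fewer rejected requests" true at the CA: the requester sees the problem immediately rather than after a round trip to Comodo.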
How it works
• Organisation completes an Authorised Representative Form
• This confirms acceptance of Terms and Conditions and provides us with a list of authorised users
• JANET(UK) enable the organisation for service and create user accounts
• JANET(UK) issues users with login credentials
CPS is King!
• TERENA Certificate Service Certificate Practice Statement
• Outlines the legal, commercial and technical principles and practices employed in providing certificate services.
• Defines the underlying certification processes for subscribers and describes TCS repository operations.
CPS is King!
• TERENA Certificate Service Certificate Practice Statement
JANET Certificate Service Terms and Conditions:
5.1 – Organisations are required to comply with the TERENA Certificate Service Certificate Practice Statement.
CPS is King!
• TERENA Certificate Service Certificate Practice Statement
CPS:
4.12 – TCS Certificates are not for financial transactions
4.30 – Subscriber Obligations
4.31 – Representations by Subscriber upon Acceptance
Live Demo
https://certificates.ja.net/jcs/
What happens next…
• End User Installs Issued Certificate
• End User Installs Intermediate Certificate
• End User Tests installation of certificate:
openssl s_client -connect myserver.example.com:443 -showcerts
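The step "End User Installs Intermediate Certificate" is the one most often skipped, and the Certificate Chain slide shows why it matters: browsers ship only the root (AddTrust External CA Root), so the server must present the TERENA SSL CA certificate itself or the chain cannot be built. The Go program below is an added example written for this transcript, not code from the JANET or TERENA service: it mints a constructed three-tier chain of the same shape (throwaway keys, placeholder CA names, a made-up host name) and then runs the same path validation a browser performs, once with the intermediate presented and once without. The assumptions are the placeholder names and the three-year end-entity lifetime chosen to match the service's common case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> end-entity hierarchy with the
// same shape as the slide's chain; the names are placeholders, not the real TCS CAs.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do
	}
	return k
}

// sign issues tmpl under parent and parses the result back, as a relying party sees it.
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mints throwaway keys and certificates for serverName.
func BuildChain(serverName string) (*Chain, error) {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	year := 365 * 24 * time.Hour

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	intTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Intermediate SSL CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may issue end-entity certificates only
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter, err := sign(intTmpl, root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // browsers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(3 * year),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyServerCert does what a browser does: it trusts only root and must build a
// path to it from the certificates the server presented in the handshake.
func VerifyServerCert(leaf, root *x509.Certificate, serverName string, presented ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       serverName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	chain, err := BuildChain("www.example.ac.uk")
	if err != nil {
		panic(err)
	}
	fmt.Println("with intermediate:   ", VerifyServerCert(chain.Leaf, chain.Root, "www.example.ac.uk", chain.Intermediate))
	fmt.Println("without intermediate:", VerifyServerCert(chain.Leaf, chain.Root, "www.example.ac.uk"))
}
```

The second call is what a visitor sees when the intermediate was never installed: the leaf is perfectly valid, but the browser cannot link it to the root it knows, which is exactly the failure the `openssl s_client ... -showcerts` check on this slide is meant to catch before users do.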
Stats so far...
• Organisations signed up: 50
• Certificates Issued: 97
– 3 Year: 86
– 2 Year: 1
– 1 Year: 10
Future Developments
• Additional features:
– User can see who requested a certificate
– User can list certificates by expiry date
– Username and password sent automatically
– User can paste the CSR into the request page
– Certificate to be emailed to an address chosen by the user
– .zip renamed to something more useful
– Revocation features
– Expiry notifications
Future Developments
• Feature requests
– Based on your feedback
• Other certificate types
– Email and Client Certificates
– Code Signing Certificates
– Extended Validation Certificates
Advantages
• Much Simpler Process
• A single consistent interface - ‘federated’
• Faster certificate issuance times
– Requester validated by login credentials
– CSRs validated against info held by JANET(UK)
• Fewer rejected requests
• Ability to view certificates all in one place
• Revoke certificates via the interface
• Greater control over expiry notifications
• Overall flexibility
Useful Links:
JANET (UK)
• http://www.ja.net/services/jcs/
• https://certificates.ja.net/
TERENA
• https://www.terena.org/activities/tcs/
• https://www.terena.org/activities/tcs/repository/
COMODO
• https://support.comodo.com/