The JANET Certificate Service - London South Bank University · 2009-12-11 · JANET Certificate...


Page 1

SERJUG 25th November 2009. Copyright JNT Association 2009

The JANET Certificate Service

Damien Shaw

JANET Technical Administration Group

Page 2

JANET SCS

• Server Certificate Service

• January 2006: TERENA signs the contract

• Under a GlobalSign Root Certificate

• JANET SCS began in December 2006

– ~440 user organisations

– Processed 11,387 requests

– Issued 9,066 certificates

Page 3

JANET SCS

Pros

• Cheap

• Very good presence in browsers

• No per-certificate fee

• Solved the pop-up problem

Cons

• Server availability

• SPF issues

• Windows 2008

• SANs

Page 4

JANET SCS

• Lengthy signup process

• Manual process for requesters

– Sign by hand and fax / email back

• Manual process for JANET(UK)

– Causes some delay during busy periods

• Required strict input into forms

• Doesn’t Scale

Page 5

TERENA Certificate Service

• TERENA procurement

• Committee of SCS staff from NRENs

– Cesnet: Milan Sova

– Cru: Dominique Launay

– JANET(UK): Damien Shaw

– Red Iris: Daniel García

– Uni-C: Kurt Bøge

– Uninett: Jan Meijer

– TERENA: Karel Vietsch, Licia Florio & Kevin Meynell

• September 2008 – March 2009

Page 6

Procurement

• 11 Proposals received

• 5 Invited for interview

• Contract awarded to Comodo CA Ltd

• No longer just a Server Certificate Service!

• Email & Client Certificates?

• Code Signing Certificates?

• EV Certificates?

Page 7

JANET Certificate Service

• Launched on 18th November 2009

• Simple Sign up process

• Online system for requests

• No signatures required

• Automated approval of requests

• Users can view, retrieve and revoke certificates through their user account

• Certificates issued within minutes!

Page 8

Certificate Chain

• AddTrust External CA Root

  – UTN-UserFirst-Hardware

    – TERENA SSL CA

      – End Entity SSL

Page 9

JANET Certificate Service

• Root presence across most browsers (99.3% browser compatibility) and platforms – including the iPhone and Wii!

• Supports multiple (maximum of 100) domain names (SANs) with a single certificate

• Wildcard certificates not supported (JANET(UK) policy decision)

Page 10

How it works

• Organisation completes an Authorised Representative Form

• This confirms acceptance of Terms and Conditions and provides us with a list of authorised users

• JANET(UK) enable the organisation for service and create user accounts

• JANET(UK) issues users with login credentials

Page 11

CPS is King!

• TERENA Certificate Service Certificate Practice Statement

• Outlines the legal, commercial and technical principles and practices employed in providing certificate services.

• Defines the underlying certification processes for subscribers and describes TCS repository operations.

Page 12

CPS is King!

• TERENA Certificate Service Certificate Practice Statement

JANET Certificate Service Terms and Conditions:

5.1 – Organisations are required to comply with the TERENA Certificate Service Certificate Practice Statement.

Page 13

CPS is King!

• TERENA Certificate Service Certificate Practice Statement

CPS:

4.12 – TCS Certificates are not for financial transactions

4.30 – Subscriber Obligations

4.31 – Representations by Subscriber upon Acceptance

Page 14

Live Demo

https://certificates.ja.net/jcs/

Page 15

What happens next…

• End User installs issued certificate

• End User installs intermediate certificate

• End User tests installation of certificate:

openssl s_client -connect myserver.example.com:443 -showcerts
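The second step above (installing the intermediate certificate) is the one most often missed, and the reason the slide ends with an `s_client -showcerts` check: browsers trust the root, but they only see the TERENA SSL CA intermediate if the server sends it. The script below is an added example, not code from the slides or from JANET(UK), TERENA or Comodo. It builds a toy three-level chain with local, constructed names ("Toy Root CA", "Toy Intermediate CA") in place of the real AddTrust/UTN/TERENA chain, issues a server certificate for the slide's `myserver.example.com` plus a second SAN, and then shows with `openssl verify` that validation fails when the intermediate is missing and succeeds when it is supplied, and that hostname checking is driven by the SAN list.

```shell
#!/bin/sh
# Added example (not from the slides): toy root -> intermediate -> server chain,
# used to show why the intermediate must be installed with the issued certificate.
# All keys, certificates and CA names are constructed locally for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
# The subjectAltName mirrors the service's "several hostnames in one certificate".
cat > "$WORK/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:myserver.example.com, DNS:www.example.com
EOF

# gen_chain: create root.pem, intermediate.pem and server.pem in $WORK.
gen_chain() {
  # Toy root CA (self-signed): the analogue of the browser-trusted root.
  openssl req -x509 -config "$WORK/chain.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Toy Root CA" -days 30 >/dev/null 2>&1
  # Toy intermediate CA signed by the root: the analogue of the TERENA SSL CA.
  openssl req -new -config "$WORK/chain.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
    -subj "/CN=Toy Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/chain.cnf" \
    -extensions v3_intermediate -out "$WORK/intermediate.pem" -days 30 >/dev/null 2>&1
  # End-entity server certificate with two SANs, signed by the intermediate.
  openssl req -new -config "$WORK/chain.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=myserver.example.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -extfile "$WORK/chain.cnf" \
    -extensions v3_server -out "$WORK/server.pem" -days 30 >/dev/null 2>&1
}

# A client that trusts only the root and is NOT given the intermediate:
# this is what a browser sees when the server forgets to install it.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# The same client, with the intermediate supplied as an untrusted (non-root) cert,
# exactly as a correctly configured server would send it in the TLS handshake.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/server.pem" >/dev/null 2>&1 && echo ok || echo fail
}

# verify_hostname NAME: full chain check plus a hostname match against the SANs.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1 && echo ok || echo fail
}

# san_list: print one DNS: entry per line from the server certificate's SAN extension.
san_list() {
  openssl x509 -in "$WORK/server.pem" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

gen_chain
echo "chain without intermediate: $(verify_without_intermediate)"   # fail
echo "chain with intermediate:    $(verify_with_intermediate)"      # ok
echo "hostname www.example.com:   $(verify_hostname www.example.com)" # ok
echo "hostname other.example.org: $(verify_hostname other.example.org)" # fail
san_list
```

The "fail" case is what an end user sees as a browser warning when only the issued certificate is installed: the server certificate is valid, but nothing presented links it to a trusted root. Running the slide's `openssl s_client -connect myserver.example.com:443 -showcerts` against the real server shows the certificates actually sent in the handshake; the intermediate should appear there as a second PEM block, and the hostname in use must be one of the listed SANs.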

Page 16

Stats so far...

• Organisations signed up: 50

• Certificates Issued: 97

– 3 Year: 86

– 2 Year: 1

– 1 Year: 10

Page 17

Future Developments

• Additional features:

– User can see who requested a certificate

– User can list certificates by expiry date

– Username and password sent automatically

– User can paste the CSR into the request page

– Certificate to be emailed to an address chosen by the user

– .zip renamed to something more useful

– Revocation features

– Expiry notifications

Page 18

Future Developments

• Feature requests

– Based on your feedback

• Other certificate types

– Email and Client Certificates

– Code Signing Certificates

– Extended Validation Certificates

Page 19

Advantages

• Much Simpler Process

• A single consistent interface – ‘federated’

• Faster certificate issuance times

– Requester validated by login credentials

– CSRs validated against info held by JANET(UK)

• Fewer rejected requests

• Ability to view certificates all in one place

• Revoke certificates via the interface

• Greater control over expiry notifications

• Overall flexibility

Page 20

Useful Links:

JANET (UK)

• http://www.ja.net/services/jcs/

• https://certificates.ja.net/

TERENA

• https://www.terena.org/activities/tcs/

• https://www.terena.org/activities/tcs/repository/

COMODO

• https://support.comodo.com/

Page 21

Questions?

[email protected]