TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs Licia Florio, John Dyer TERENA & members of the community

Page 1:

TNC 2006, Catania

TERENA Server Certificate Service (SCS)

Towards the large-scale use of affordable popup-free server certificates for the European NRENs

Licia Florio, John Dyer, TERENA & members of the community

Page 2:

AGENDA

• Motivation for the TERENA SCS
• Project description
• Service Characteristics
• Why join?

Page 3:

The background

• European NREN PKIs around for many years
  - But still not widely deployed
• Anticipated growth in need:
  - AAI middleware services
  - Grids
  - Web-based ‘stuff’ (mail, e-learning, webservices etc.)
  - VPN, email
  - eduroam
• Only major use outside Grids is for Servers

Page 4:

Why have Server Certificates

• Pop-ups
  • Self Issued Certificate not recognized by browsers
  • User sees a pop-up
  • Doesn’t check the certificate
  • Clicks YES
  • Could be connected to anything
• In reality subverting the Certificate concept

Page 5:

Problem #2

• Authorized CAs are known to the browsers
• Accreditation of a CA is very expensive
• Certificates are relatively expensive
  • when bought in large numbers on a per-certificate cost
• Our Community needs a cost-effective way to obtain large numbers of server certificates

Page 6:

Finding a community solution

• TF-EMC2 discussions started in 2004
• First (draft) proposal in October 2004
• Interest expressed by a number of NRENs
• Call for Proposals issued by TERENA in August 2005
• Offers from commercial CAs received in September 2005
• Preferred supplier (GlobalSign) announced on 19 December 2005
• Contract signed on 9 January 2006

Page 7:

Participating NRENs

• ACOnet (Austria)
• CARNet (Croatia)
• CESNET (Czech Republic)
• CRU (France)
• RedIRIS (Spain)
• SURFnet (Netherlands)
• SWITCH (Switzerland)
• UNI•C (Denmark)

• TERENA is the contracting party

Page 8:

What did we get?

Page 9:

The Basics

• Each participating NREN has nominated RA Administrators
• These people have been trained at GlobalSign on how to administer the process
• They are the contact point between the Server SysAdmins and GlobalSign
• They are responsible for maintaining the integrity of the identification process
• They can request an unlimited number of certificates during the 1-year pilot

Page 10:

The Process

1) Sysadmin generates key pair and creates CSR
2) Sysadmin submits CSR through GlobalSign’s enrollment pages
3) Admin contact of organization receives a challenge e-mail to be replied to (with postal mail, fax, e-mail with scan of signed document, later possibly with a digitally signed e-mail)
4) RA administrator verifies request (identity of the applicant, organization, DNS domain in subject)
5) RA administrator approves (or rejects) the request
6) If approved: sysadmin receives certificate by mail

Page 11:

The SCS pre-installed root

• SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes preinstalled with
  • all major operating systems (Windows, Mac OS 9 ff., …)
  • most Web browsers/applications (Mozilla, Opera, …)
  • many software suites (Sun JRE/JDK, IBM Websphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …)
  • many mobile devices (Palm, Blackberry; phones from Nokia, Sony Ericsson, Motorola, …)
• For issuing SCS certificates, the Cybertrust Educational CA intermediate cert is used (2006–2013)

Page 12:

Certificates Available

• No User Certificates
• Server Certificates only
• Available with 1, 2, 3 years validity
• Three specific Types

Page 13:

SureServerEDU TLS

• recommended default type for general-purpose servers (Web, e-mail, directory service, …)
• mandatory attributes: countryName (C), organizationName (O), commonName (CN)
• optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)

Page 14:

SureServerEDU TLS emailserver

• special-purpose type for servers creating e-mail messages on their own (alerting service or similar) – not needed for standard SMTP/IMAP/POP servers
• mandatory attributes: countryName (C), organizationName (O), commonName (CN), emailAddress (E)
• optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)
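An added example, not part of the slides nor of the GlobalSign/TERENA enrollment tooling, of the RA verification step from Page 10 (step 4) applied to the attribute profiles of Pages 13 and 14: it checks a CSR subject for the mandatory and permitted optional attributes of the chosen type, and confirms that the commonName, plus any dNSNames that the subjectAltName support announced for June 2006 would add, lie inside the DNS domains the RA has verified for the organization. The subject strings, the approved-domain list, the host-name rule and the ST/emailAddress alias handling are constructed assumptions; a real CSR's subject would first be decoded from the DER (for instance with `openssl req -noout -subject`).

```python
import re

# Mandatory and optional subject attributes per SCS certificate type (Pages 13 and 14).
PROFILES = {
    "SureServerEDU TLS": ({"C", "O", "CN"}, {"S", "L", "OU", "DC"}),
    "SureServerEDU TLS emailserver": ({"C", "O", "CN", "E"}, {"S", "L", "OU", "DC"}),
}
# Assumption: accept the OpenSSL spellings of two attributes as synonyms of the slide short names.
ALIASES = {"ST": "S", "EMAILADDRESS": "E"}
# Assumption: a commonName must be a fully qualified host name (labels of [a-z0-9-], no edge '-').
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]+(?<!-)(\.(?!-)[a-z0-9-]+(?<!-))+$")


def parse_subject(subject):
    """Split 'C=NL, O=Example, OU=ICT, CN=www.example.nl' into {attr: [values]}.
    Plain comma split: fine for the constructed inputs here, not for escaped DN values."""
    attrs = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        key = key.strip().upper()
        attrs.setdefault(ALIASES.get(key, key), []).append(value.strip())
    return attrs


def in_approved_domain(name, approved_domains):
    """True if name equals, or is a subdomain of, one of the RA-verified domains."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in (x.lower() for x in approved_domains))


def check_request(cert_type, subject, approved_domains, san_dns=()):
    """Return the RA findings for a request; an empty list means it passes these checks."""
    mandatory, optional = PROFILES[cert_type]
    attrs = parse_subject(subject)
    present = set(attrs)
    findings = [f"missing mandatory attribute {a}" for a in sorted(mandatory - present)]
    findings += [f"attribute {a} not allowed in {cert_type}" for a in sorted(present - mandatory - optional)]
    for cn in attrs.get("CN", []):
        if not HOSTNAME_RE.match(cn.lower()):
            findings.append(f"CN {cn!r} is not a fully qualified host name")
        elif not in_approved_domain(cn, approved_domains):
            findings.append(f"CN {cn!r} is outside the organization's approved domains")
    # dNSNames in subjectAltName (Page 16, expected June 2006) must satisfy the same domain rule.
    for name in san_dns:
        if not in_approved_domain(name, approved_domains):
            findings.append(f"dNSName {name!r} is outside the organization's approved domains")
    return findings
```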

Page 15:

SureServerEDU

• standard type used by GlobalSign (includes legacy netscape-cert-type extension)

Page 16:

Not yet available

• Expected June 2006

• subjectAltName extension with one or more dNSNames (support for DNS aliases)

Page 17:

Service Operational

• First Certificate Issued: 16 March 2006

Page 18:

Acknowledgements

• So many people in the community
• Some around the table, others not
• Licia, Karel

• These slides were based on material from Licia Florio of TERENA and Kasper Brand of SWITCH – Sorry for any liberties I have taken with their material

Page 19:

In Licia’s words:

Page 20:

“We got a cool service”

Page 21:

Joining the TERENA SCS

• Initial Pilot runs for one year

• After June 06 we can open the service to new NRENs

• Some NRENs are already waiting

• There is a fee to pay to join

• If the pilot is successful, we will expand again