TERENA Server Certificate Service. Towards the large-scale use of affordable popup-free server certificates for the European NRENs. Licia Florio, TERENA. Topics: PKI and X.509 certificates; Motivation for the TERENA Server Certificate Project; What is the project; Service Characteristics.


TERENA Server Certificate Service

Towards the large-scale use of affordable popup-free server certificates for the European NRENs

Licia Florio


EuroCAMP Ljubljana,

3-5 March 2006


  • PKI and X.509 certificates

  • Motivation for the TERENA Server Certificate Project

  • What is the project

  • Service Characteristics

  • Why joining


[Slide diagram: "Diego's priv key" and "Diego's pub key", with the message "I've arrived in Slovenia.." shown three times]

PKI in short

  • Public key cryptography

    - public key (encryption, signature verification)

    - private key (decryption, signing)



  • Public Key distribution

  • Building trust

  • Scalability

  • Solution: create a hierarchical trust fabric: X.509 PKI


X.509 PKI Infrastructure

  • What are the elements

    - Certification Authority (CA)

    * Certificate issuer (trusted 3rd party)

    - X.509 Certificates

    * Bind the pub key to the holder

    - Registration Authority (RA)

    * Identity verification

    - End Entity

    * Private key holder (machine, end-user)

    - Relying parties



Real X.509 Certificate Usage Today

  • Grid (closed community)

    - Use both server and user certs

  • Web servers

    - Only server certificates

    - In many cases with the pop-up problem

    Large-scale user certificate use: nowhere!


The Famous Pop-up: PKI Problem #1

  • Caused by the certificate's issuer not being trusted by the browsers
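As an added example (not part of the presentation), a toy X.509 hierarchy built with the openssl CLI that walks through the roles from the X.509 PKI Infrastructure slide (CA, certificate, end entity, relying party) and reproduces the pop-up case above: the same server certificate is rejected when the relying party's store holds only some other CA and accepted once the issuing CA is trusted. The CA names, the host name www.example.edu and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a toy X.509 hierarchy built with the
# openssl CLI. It shows why a relying party rejects a certificate whose
# issuer is not in its trust store (the "pop-up" case) and accepts it once
# the issuing CA is trusted. All names and file paths are constructed.
set -eu
WORK="$(mktemp -d)"

# Certification Authority: a self-signed root certificate (trust anchor).
# $1 = file prefix, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# End entity: the web server makes a key pair and a CSR; the CA signs it,
# binding the server's public key to its name. $1 = issuing CA prefix.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example University/CN=www.example.edu" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Relying party (the browser): validate the server certificate against the
# trust store file in $1 only. Prints "trusted" or "untrusted".
verify_server_cert() {
  if openssl verify -CAfile "$1" -no-CApath "$WORK/server.crt" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

make_ca nren  "Example NREN Root CA"   # the NREN's own CA
make_ca other "Some Other Root CA"     # a CA the browser already trusts
issue_server_cert nren
echo "store holds only the other CA: $(verify_server_cert "$WORK/other.crt")"
echo "store holds the NREN CA:       $(verify_server_cert "$WORK/nren.crt")"
```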


TERENA Server Certificate Service

  • What is it about?

    - Service…of course ;-) in short SCS

  • To issue server certificates

    - popup free

    - unlimited number

    - Very low price

    (price is not per certificate)

  • For whom?

    - For the National Research and Education Network community in Europe


When SCS started

  • Project started in June 2004

  • European NREN PKIs around for ~7 years

    - But still not really deployed

  • Anticipated growth in need:

    - AAI middleware services

    - Web-based ‘stuff’ (mail, e-learning, webservices etc.)

    - VPN, email

    - eduroam

  • Community needs more server certificates


PKI Growth Problems

  • Pop-up: Problem #1

    - Typically for NREN CAs

    - Defeats the security purpose of the certificate

  • Costs: Problem #2

    - For a large number of server certificates costs can become a problem


Solution 1

  • Fixing the pop-up problem

    - Get root certificate in root repositories

    - Requires webtrust audit

    - Expensive for an individual NREN PKI (~25.000 first time, annual ~25.000 for the audits, plus all the costs to follow guidelines) --> CA hierarchy adds to cost!

  • Running a CA

    - Is that so interesting?


Solution 2

  • Fixing the costs

    - Try to contract a CA already in the browser

    - Flexibility in the certificates profiles definitions

    - Tailored RA procedures

    - No per-certificate costs


Solution 2: the way forward

  • 8 NRENs + TERENA combined forces (proposal launched Feb. 2005)

  • Investigated market

  • Investigated EU tender guidelines

  • Ran a light-weight tender (start Sep 2005)

  • Signed a contract (Jan 2006)

  • First certificate issued on 16 March 2006!


Who is involved

  • ACOnet (.at)

  • CARnet (.hr)

  • CESnet (.cz)

  • RedIRIS (.es)

  • RENATER (.fr)

  • SURFnet (.nl)

  • SWITCH (.ch)

  • UNI-C (.dk)

  • TERENA signing party


Service Structure

  • TERENA contracts with supplier

    - For an initial one year

    - Possibility to extend the contract

  • NRENs contract with TERENA (liability!)

  • NRENs are ‘delegated RA’ for the supplier

  • TERENA appoints delegated RAs

  • NRENs are responsible for delivering RA services and technical support


Service Features

  • Re-use existing RA organisation

  • Certificate profile flexibility (Grids!)

  • Electronic RA procedures (under implementation)

  • Easy server certificate delivery

  • NREN-specific branding!


Benefits for the Universities

  • Need server certificates to enable SSL/TLS channels

  • Very low costs upon agreement with your NRENs


How to join

  • Your NREN has to join

  • After June 06 we can open the service to new NRENs

    - Some NRENs are already waiting

  • There is a fee to pay to join



  • To make security tools a normal habit, they need to be easy to use

    - SCS is easy

  • SCS proves how a ‘federated’ approach has solved a big problem

  • We got a cool service

  • http://www.terena.nl/activities/tf-emc2/scs.html