
SSL Certificates at UIUC

SSL Certificates at UIUC. 12/14/2004. Bob Foertsch. Campus Information Technologies and Educational Services, University of Illinois at Urbana-Champaign. Overview: What is SSL? How does it work? What is an SSL Certificate? Why are they used? How is one created? What makes it unique?



Presentation Transcript


  1. SSL Certificates at UIUC
     12/14/2004
     Bob Foertsch
     Campus Information Technologies and Educational Services, University of Illinois at Urbana-Champaign

  2. Overview
     • What is SSL? How does it work?
     • What is an SSL Certificate? Why are they used?
     • How is one created? What makes it unique?
     • Are certificates good forever? How to keep them valid?
     • UIUC operational issues
       • Ordering
       • Cost
       • Support
     www.cites.uiuc.edu

  3. What is SSL?
     (pronounced as separate letters) Short for Secure Sockets Layer, a protocol developed in 1996 by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. By convention, URLs that require an SSL connection start with https: instead of http:.

  4. SSL Protocol
     Messages between the client side and the server side:
     Hello?              Client initiates a connection.
     Server Digital ID   Server responds by sending the client its Digital ID. The server may also request the client's Digital ID for client authentication.
     Client Digital ID   Client verifies the server's Digital ID. If requested by the server, the client sends its Digital ID.
     Session key         When the authentication is complete, the client sends the server a session key encrypted using the server's public key.
     Once a session key is established, secure communications commence between client and server.

  5. Why use an SSL Certificate?
     • Confirms that you are who you say you are in a virtual world.
     • Encrypts information sent to and from your web server.
     • Information exchanged with you is private and entirely protected from being viewed or tampered with.

  6. What is in the SSL Certificate?
     • The domain for which the certificate was issued.
     • The legal owner of the certificate.
     • The physical location of the owner.
     • The validity dates of the certificate.
     • The server's public key.

  7. What is all this ‘key’ business?
     When you create a certificate request your web server generates two unique cryptographic keys:
     • The Public Key, which is also known as a Certificate Signing Request (CSR) file
     • The Private Key file
     Public-Key Cryptography is typically used to protect the session key used by a symmetric encryption algorithm. The Public Key is used to encrypt the session key, which in turn is used to encrypt some data, and the Private Key is used for decryption. The most important thing you can do to protect your certificate and the security of your web site is to back up your Private Key!

  8. Generating a CSR
     A CSR cannot be generated without generating a Private Key file, nor can the Private Key file be generated without generating a CSR file. In certain web server software platforms like Microsoft IIS, both are generated simultaneously through the Wizard on the web server. Typically, you will be prompted to enter the following information about your Organization in order to generate the Private Key and CSR pair from the web server:
     • Organization Name
     • Organizational unit
     • Country Code
     • State or Province
     • Locality
     • Common Name

  9. CSR MUSTs
     Generate your Certificate Signing Request (CSR) and back up your private key. There are some fields in your CSR that need to have exact values.
     Country code          US
     State or province     Illinois
     Locality or city      Urbana
     Organizational name   University of Illinois
     Note: Do not include "http://" or "https://" in your common name.
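A worked version of the steps on slides 7 to 9, added here and not part of the original deck: it generates the key pair and CSR with OpenSSL using the exact UIUC subject values, then checks a CSR before it is submitted (required fields present, Common Name without a URL scheme, self-signature intact). The hostname www.example.uiuc.edu and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a private key + CSR with the UIUC "CSR MUSTs"
# subject fields, then check a CSR before submission. Requires openssl.
set -eu

# Generate a new RSA private key and its CSR in one step (what the IIS
# wizard does behind the scenes). $1 = key file, $2 = CSR file,
# $3 = Common Name: the bare hostname, without http:// or https://.
make_uiuc_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/C=US/ST=Illinois/L=Urbana/O=University of Illinois/CN=$3" \
    2>/dev/null
}

# Return 0 if the CSR carries the exact required values and a valid
# self-signature, 1 otherwise. -nameopt sep_multiline prints one RDN per line.
check_csr_musts() {
  subj=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline)
  for want in 'C=US' 'ST=Illinois' 'L=Urbana' 'O=University of Illinois'; do
    printf '%s\n' "$subj" | grep -q "^[[:space:]]*$want\$" || return 1
  done
  # Common Name must not start with a URL scheme (slide 9 note).
  if printf '%s\n' "$subj" | grep -Eiq '^[[:space:]]*CN=https?://'; then
    return 1
  fi
  # The CSR is signed with the private key; a failed verify means the
  # request and the key file do not belong together.
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone demo with a constructed hostname in a scratch directory.
demo_dir=$(mktemp -d)
make_uiuc_csr "$demo_dir/server.key" "$demo_dir/server.csr" www.example.uiuc.edu
if check_csr_musts "$demo_dir/server.csr"; then
  echo "CSR meets the requirements; back up $demo_dir/server.key before submitting"
else
  echo "CSR does not meet the requirements"
fi
rm -rf "$demo_dir"
```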

  10. Submit a CSR
     (PEM-encoded request, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----; base64 body omitted)

  11. View a CSR
     Certificate Request:
         Data:
             Version: 0 (0x0)
             Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu/emailAddress=security@uiuc.edu
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                 RSA Public Key: (1024 bit)
                     Modulus (1024 bit):
                         00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                         1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                         de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                         92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                         0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                         06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                         a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                         41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                         d1:45:20:d9:73:83:f0:c8:e7
                     Exponent: 65537 (0x10001)
         Signature Algorithm: md5WithRSAEncryption

  12. All good things come to an end
     Certificates are no longer valid when:
     • private key lost/password forgotten
     • machine name changes
     • server software changes (possibly)
     • after expiration date (our certificate life is one year)

  13. Certificate is dead or dying
     The contact person for the certificate is sent a renewal notice about 1 month prior to certificate expiration. Renewals can occur up to 4 weeks prior to expiration without losing any valid time IF there are no changes in the core certificate information. Generally, submission of a new CSR is required to renew a certificate. Under special circumstances (usually an emergency) a certificate can be re-issued at no additional charge.

  14. Renew shortcuts
     If the private key is unchanged, some software permits re-signable CSRs:
     • AbaSioux
     • Alibaba
     • Alibaba 2.x and later
     • Apache-ModSSL
     • Apache-SSL (Ben-SSL, RedHat Linux not Stronghold)
     • AppleDev
     • BROKAT Twister
     • C2Net Stronghold
     • Dart-based Server
     • Hockey Web Server
     • Innosoft PMDF-TLS
     • Marimba
     • Marimba (SSL)
     • Microsoft Authenticode
     • NCSA or NCSA Derivative Server
     • Netscape Code signing
     • OpenSSL-based web server
     • Raven SSL
     • Roxen
     • Secure Socket Relay (SSR - Medcom)
     • Sioux1
     • Spry Web Server
     • Stalker CommuniGatePro
     • Sterling Commerce CONNECT: Mailbox
     • TinySSL
     • Web Crossing
     • WebSTAR 4.0 and later
     • WebTen (from Tenon)

  15. OOPS! Private key lost/overwritten
     • No longer can have validated SSL connections
     • Public key useless without private key
     • Remedy: generate a new private/public key pair and request a new certificate. In general, if the core information in the CSR is unchanged, a new certificate can be re-issued at no additional charge.
     • Remember, keep your private key safe and secure!
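Slides 12 to 15 give the two operational reasons a certificate stops being useful: the private key is gone, or the one-year validity runs out (with renewal possible up to 4 weeks ahead). This added example, not part of the original deck, shows how an operator can check both for an installed certificate with OpenSSL; the self-signed certificates it creates for the demo are constructed stand-ins for a CA-issued one, and the hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example: operational checks for an installed certificate, following
# the renewal rules on slides 12-15. Requires openssl.
set -eu

# Four weeks in seconds: the renewal window named on slide 13.
RENEW_WINDOW=$((28 * 24 * 3600))

# Print one of: expired, renew (expires within 4 weeks), valid.
# "openssl x509 -checkend N" exits 1 when notAfter falls within N seconds.
renewal_status() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$1" -noout -checkend "$RENEW_WINDOW" >/dev/null 2>&1; then
    echo renew
  else
    echo valid
  fi
}

# Return 0 if the private key file is the one this certificate was issued
# for (slide 15: the certificate's public key is useless without it). Both
# commands emit the same SubjectPublicKeyInfo PEM when the pair matches.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed self-signed certificate, for the demo only (a real one comes
# back from the CA). $1 = key file, $2 = cert file, $3 = days of validity.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days "$3" \
    -subj "/C=US/ST=Illinois/L=Urbana/O=University of Illinois/CN=www.example.uiuc.edu" \
    2>/dev/null
}

# Stand-alone demo: a certificate with 20 days left is inside the window.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/server.key" "$demo_dir/server.crt" 20
echo "renewal status: $(renewal_status "$demo_dir/server.crt")"   # renew
if cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key"; then
  echo "private key matches the certificate"
fi
rm -rf "$demo_dir"
```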

  16. Get a Certificate
     (PEM-encoded certificate returned by the CA, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----; base64 body omitted)

  17. View a Certificate
     Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number: 2132458 (0x2089ea)
             Signature Algorithm: md5WithRSAEncryption
             Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
             Validity
                 Not Before: Oct 19 18:13:35 2004 GMT
                 Not After : Oct 19 18:13:35 2005 GMT
             Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                 RSA Public Key: (1024 bit)
                     Modulus (1024 bit):
                         00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                         1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                         de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                         92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                         0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                         06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                         a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                         41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                         d1:45:20:d9:73:83:f0:c8:e7
                     Exponent: 65537 (0x10001)

  18. UIUCisms
     • Communication (CSR submission, certificate issuance, and support) is done through email (certmgr@uiuc.edu).
     • Certificates can be issued to University-owned machines in these domains:
       • uiuc.edu
       • illinois.edu
       • prairienet.org
       • uillinois.edu
       • vcrcillinois.org
     • Cost is currently set at $130 per certificate

  19. Questions?
