Securing Web Access with a Private Certificate Authority

ApacheCon EU 2006: Dublin, June 28, 2006.

Hello World (Slide Two)

  • Introduction
  • The Basics:
    • Review of SSL Protocol
    • Review of Digital Certificates
    • A Private Certificate Authority in Action
  • The Nit and Gritty
    • Creating a Private Certificate Authority
    • Publishing the Private Certificate Authority
    • Using Our Private Certificate Authority

Notice (Slide Three)

"Persons attempting to find a motive in this narrative will be prosecuted; persons attempting to find a moral will be banished; persons attempting to find a plot will be shot."

- Preface for The Adventures of Huck Finn by Mark Twain

The Basics (Slide Four)

SSL, Digital Certificates and Certificate Authorities

Key Players (Slide Five)

  • SSL Protocol
    • Encryption
    • Authentication
  • Digital Certificates
    • Identifying Information of Party
    • Name Of Issuing Certificate Authority
    • A "Signature" Of Issuing Certificate Authority
  • Type Of Digital Certificates
    • Root Certificate
    • Server Certificate
    • Client Certificate

SSL/TLS Protocol (Slide Six)

  • A web client requests a secure transaction.
  • If a new SSL session is being established, the web server sends back a list of agreeable ciphers.
  • The server also sends along a digital certificate.

SSL/TLS Protocol (Slide Seven)

  • The client authenticates the server by checking the certificate it was sent.
  • The client generates a symmetric key using an agreeable cipher and key size, then encrypts that key with the server's public key taken from the certificate.
  • If the server has requested a digital certificate to authenticate the client, the client sends it along with the encrypted symmetric key.

SSL/TLS Protocol (Slide Eight)

  • Both the client and the server use the symmetric key to generate another symmetric key, known as the session key.
  • The client sends a message to the server stating that all future messages from the client will be encrypted with the session key.
  • The server sends a message to the client stating that all future messages from the server will be encrypted with the session key.

Digital Certificate (Slide Nine)

  • Digital Certificates
    • A Serial Number
    • Identifying Information
      • Individual and/or Group Name
      • Location/Contact Information
    • Subject's Public Key
    • Name Of Issuing Certificate Authority
    • A "Signature" Of Issuing Certificate Authority
  • Type Of Digital Certificates
    • Root Certificate
    • Server Certificate
    • Client Certificate
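The following script is an added example, not part of the slides: it builds a self-signed certificate with the openssl command-line tool and reads back the fields listed above (serial number, identifying information, subject's public key, issuer name, issuer's signature). Because it is self-signed, subject and issuer are the same name, which is exactly what a private CA's root certificate looks like. The subjects, file names and the temporary working directory are assumptions made up for the example; it expects openssl 1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the deck: generate a self-signed certificate and
# inspect the fields a digital certificate carries. Names are invented.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
# 'openssl req' insists on a distinguished_name section even when -subj is
# given, so supply a minimal config with an empty one plus a CA extension set.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\n' > req.cnf

# A self-signed certificate: the subject signed it with its own private key,
# so the issuer name equals the subject name (a private CA's root).
make_self_signed() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/O=Example Corp/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Serial number, identifying information (subject) and issuing CA name,
# with the "field=" prefix openssl prints stripped off.
cert_field() {  # $1 = certificate, $2 = -serial | -subject | -issuer
  openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*= *//'
}

# A root is self-signed when its issuer and subject are the same party.
is_self_signed() {  # $1 = certificate; prints yes or no
  if [ "$(cert_field "$1" -subject)" = "$(cert_field "$1" -issuer)" ]
  then echo yes; else echo no; fi
}

# Subject's public key: the key embedded in the certificate must be the
# public half of the private key we generated alongside it.
pubkey_matches() {  # $1 = file prefix; prints yes or no
  if [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout)" ]
  then echo yes; else echo no; fi
}

# The issuer's signature binds the certificate to one CA: it verifies only
# against the CA that actually signed it.
verifies_against() {  # $1 = trusted CA certificate, $2 = certificate; prints OK or FAIL
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_self_signed rootA "Example Root A"
make_self_signed rootB "Example Root B"
echo "serial:          $(cert_field rootA.crt -serial)"
echo "subject:         $(cert_field rootA.crt -subject)"
echo "issuer:          $(cert_field rootA.crt -issuer)"
echo "A self-signed:   $(is_self_signed rootA.crt)"               # yes
echo "A key matches:   $(pubkey_matches rootA)"                   # yes
echo "A trusted by A:  $(verifies_against rootA.crt rootA.crt)"   # OK
echo "A trusted by B:  $(verifies_against rootB.crt rootA.crt)"   # FAIL
```

The last two lines are the point of the slide's "signature of issuing certificate authority": a browser or server that trusts root B gains nothing from a certificate signed by root A, however well-formed it is, which is why a private CA's root has to be distributed to every party that should accept its certificates.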

Certificate Authorities (Slide Ten)

  • Public Certificate Authority
    • Verisign, Thawte, GeoTrust
    • Recognized by default by most web browsers and web servers
    • Used when no other relation exists between two parties
  • Private Certificate Authority
    • By default not recognized
    • Used when a relationship already exists between two parties

A PCA in Action (Slide Eleven)

  • Secure valuable data in transit between employees/departments
    • Intranet

A PCA in Action (Slide Twelve)

  • Secure valuable data in transit between businesses/departments
    • Extranet

The Nit and Gritty (Slide Thirteen)

Creating, Publishing and Using a Private Certificate Authority

Creating a Private Certificate Authority (Slide Fourteen)

  • A self-signed Root Certificate

Creating a Private Certificate Authority (Slide Fifteen)

  • Configuring OpenSSL:

Creating a Private Certificate Authority (Slide Sixteen)

  • Configuring OpenSSL:

Publishing the Private Certificate Authority (Slide Seventeen)

  • Setting MIME-type in Apache:

Using Our Private Certificate Authority: Server Certificate (Slide Eighteen)

  • Creating a Certificate Signing Request:

Using Our Private Certificate Authority: Server Certificate (Slide Nineteen)

  • Signing the Certificate Signing Request:

Using Our Private Certificate Authority: Server Certificate (Slide Twenty)

  • Configuring Apache:

Using Our Private Certificate Authority: Client Certificate (Slide Twenty One)

  • Creating a Certificate Signing Request:

Using Our Private Certificate Authority: Client Certificate (Slides Twenty Two)

  • Signing the Client Signing Request:

Using Our Private Certificate Authority: Client Certificate (Slide Twenty Three)

  • Configuring Apache:

Using Our Private Certificate Authority: Certificate Revocation List (Slide Twenty Four)

  • Revoking an Existing Digital Certificate

Publishing the Private Certificate Authority (Slide Twenty Five)

  • Setting MIME-type in Apache:

Using Our Private Certificate Authority: Certificate Revocation List (Slide Twenty Six)

  • Configuring Apache:
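The script below is an added example, not the slides' own commands: it walks the deck's "Nit and Gritty" sequence end to end with the openssl command-line tool, covering the OpenSSL configuration (slides fifteen and sixteen), the self-signed root (slide fourteen), server and client certificate signing requests and their signing (slides eighteen through twenty-two), revocation and CRL generation (slide twenty-four), and the verification a client performs against the root with and without the CRL (slides seven and twenty-six). Every subject, file name, extension section name and the temporary working directory is an assumption invented for the example; it expects openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the deck: a private CA workflow with 'openssl ca'.
# All names, subjects and paths below are invented for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Slides 15/16, "Configuring OpenSSL": a minimal configuration for 'openssl ca'.
# The three extension sections are what make a root, a server and a client
# certificate differ from one another.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = private_ca
[ private_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber

# Slide 14: the CA is a self-signed root certificate. Its private key is the
# whole trust anchor, so in production it stays on a locked-down host.
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -days 3650 -subj "/O=Example Corp/CN=Example Private CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Slides 18/21: the subject makes its own key pair and a CSR; the CA only
# ever sees the CSR, never the private key.
make_csr() {  # $1 = file prefix, $2 = subject DN
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# Slides 19/22: the CA signs the CSR and stamps on the extensions for its role.
sign_csr() {  # $1 = file prefix, $2 = extension section in ca.cnf
  openssl ca -batch -config ca.cnf -extensions "$2" -notext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}
# Slide 7, "the client authenticates the server": chain check against our root.
verify_cert() {  # $1 = certificate; prints OK or FAIL
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Slides 24/26: the same check, now consulting the CRL for revocation status.
verify_cert_crl() {  # $1 = certificate; prints OK, REVOKED or FAIL
  if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1); then
    echo OK
  else case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac; fi
}
# Extended key usage shows which role the CA assigned to the certificate.
eku_of() {  # $1 = certificate
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_csr server "/O=Example Corp/CN=intranet.example.test"; sign_csr server server_ext
make_csr client "/O=Example Corp/CN=alice";                 sign_csr client client_ext

# Slide 24: revoke the server certificate and issue a CRL for Apache to load.
openssl ca -config ca.cnf -revoke server.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

echo "server EKU:          $(eku_of server.crt)"          # TLS Web Server Authentication
echo "client EKU:          $(eku_of client.crt)"          # TLS Web Client Authentication
echo "server, chain only:  $(verify_cert server.crt)"     # OK
echo "server, with CRL:    $(verify_cert_crl server.crt)" # REVOKED
echo "client, with CRL:    $(verify_cert_crl client.crt)" # OK
```

Note the third and fourth result lines: a revoked certificate still passes a plain chain check, so a relying party that never fetches the CRL keeps trusting it until it expires. On the Apache side the deck's "Configuring Apache" steps correspond to SSLCertificateFile and SSLCertificateKeyFile for server.crt and server.key, SSLCACertificateFile ca.crt together with SSLVerifyClient require for client certificates, and SSLCARevocationFile ca.crl (on Apache 2.4 also SSLCARevocationCheck chain) for the CRL; publishing the root so browsers offer to install it is the AddType application/x-x509-ca-cert step of slide seventeen.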

Review (Slide Twenty Seven)

  • The Basics:
    • Review of Digital Certificates
    • A Private Certificate Authority in Action
  • The Nit and Gritty
    • Creating a Private Certificate Authority
    • Publishing the Private Certificate Authority
    • Using Our Private Certificate Authority

Citation (Slide Twenty Eight)

Hirsch, Frederick. Introducing SSL and Certificates using SSLeay. 8 Oct 2002. <http://www.pseudonym.org/ssl/wwwj-index.html>.

Mobily, Tony, et al. Professional Apache Security. Birmingham: Wrox Press, 2003.

Weinstein, Paul, et al. Professional Linux Security. Indianapolis: Wrox, 2006.

Resources (Slide Twenty Nine)

  • This Presentation:

Resources (Slide Thirty)

Resources (Slide Thirty One)

Any Questions (Slide Thirty Two)