SSL Certificates at UIUC
12/14/2004
Bob Foertsch
Campus Information Technologies and Educational Services, University of Illinois at Urbana-Champaign
Overview
• What is SSL? How does it work?
• What is a SSL Certificate? Why are they used?
• How is one created? What makes it unique?
• Are certificates good forever? How to keep them valid?
• UIUC operational issues
  • Ordering
  • Cost
  • Support
www.cites.uiuc.edu
Bob Foertsch 12/14/2004
What is SSL?
SSL (pronounced as separate letters) is short for Secure Sockets Layer, a protocol developed in 1996 by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. By convention, URLs that require an SSL connection start with https: instead of http:.
SSL Protocol (messages exchanged between the client side and the server side)
• Client → Server: "Hello?" The client initiates a connection.
• Server → Client: Server Digital ID. The server responds by sending the client its Digital ID. The server may also request the client's Digital ID for client authentication.
• Client → Server: Client Digital ID. The client verifies the server's Digital ID. If requested by the server, the client sends its Digital ID.
• Client → Server: Session key. When the authentication is complete, the client sends the server a session key encrypted using the server's public key.
• Once a session key is established, secure communications commence between client and server.
Why use an SSL Certificate?
• Confirms that you are who you say you are in a virtual world.
• Encrypts information sent to and from your web server.
• Information exchanged with you is private and entirely protected from being viewed or tampered with.
What is in the SSL Certificate?
• The domain for which the certificate was issued.
• The legal owner of the certificate.
• The physical location of the owner.
• The validity dates of the certificate.
• The server's public key.
What is all this 'key' business?
When you create a certificate request, your web server generates two unique cryptographic keys:
• The Public Key, which is carried in the Certificate Signing Request (CSR) file
• The Private Key file
Public-Key Cryptography is typically used to protect the session key used by the symmetric encryption algorithm. The Public Key is used to encrypt the session key, which in turn is used to encrypt the data, and the Private Key is used for decryption. The most important thing you can do to protect your certificate and the security of your web site is to back up your Private Key!
Generating a CSR
A CSR cannot be generated without generating a Private Key file, nor can the Private Key file be generated without generating a CSR file. In certain web server software platforms like Microsoft IIS, both are generated simultaneously through the Wizard on the web server. Typically, you will be prompted to enter the following information about your Organization in order to generate the Private Key and CSR pair from the web server:
• Organization Name
• Organizational Unit
• Country Code
• State or Province
• Locality
• Common Name
CSR MUSTs
Generate your Certificate Signing Request (CSR) and back up your private key. Some fields in your CSR must have exact values:
• Country code: US
• State or province: Illinois
• Locality or city: Urbana
• Organizational name: University of Illinois
Note: Do not include "http://" or "https://" in your common name.
Submit a CSR
The CSR is submitted as a PEM block (-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----).
View a CSR
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu/emailAddress=security@uiuc.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                    1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                    de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                    92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                    0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                    06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                    a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                    41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                    d1:45:20:d9:73:83:f0:c8:e7
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
All good things come to an end
Certificates are no longer valid when:
• private key lost / password forgotten
• machine name changes
• server software changes (possibly)
• after expiration date (our certificate life is one year)
Certificate is dead or dying
The contact person for the certificate is sent a renewal notice about 1 month prior to certificate expiration. Renewals can occur up to 4 weeks prior to expiration without losing any valid time IF there are no changes in the core certificate information. Generally, submission of a new CSR is required to renew a certificate. Under special circumstances (usually an emergency) a certificate can be re-issued at no additional charge.
Renew shortcuts
If the private key is unchanged, some software permits re-signable CSRs:
• AbaSioux
• Alibaba
• Alibaba 2.x and later
• Apache-ModSSL
• Apache-SSL (Ben-SSL, RedHat Linux, not Stronghold)
• AppleDev
• BROKAT Twister
• C2Net Stronghold
• Dart-based Server
• Hockey Web Server
• Innosoft PMDF-TLS
• Marimba
• Marimba (SSL)
• Microsoft Authenticode
• NCSA or NCSA Derivative Server
• Netscape Code signing
• OpenSSL-based web server
• Raven SSL
• Roxen
• Secure Socket Relay (SSR - Medcom)
• Sioux1
• Spry Web Server
• Stalker CommuniGatePro
• Sterling Commerce CONNECT: Mailbox
• TinySSL
• Web Crossing
• WebSTAR 4.0 and later
• WebTen (from Tenon)
OOPS! Private key lost/overwritten
• No longer can have validated SSL connections
• Public key useless without private key
Remedy: generate a new private/public key pair and request a new certificate. In general, if the core information in the CSR is unchanged, a new certificate can be re-issued at no additional charge. Remember, keep your private key safe and secure!
Get a Certificate
The issued certificate is returned as a PEM block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----).
View a Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2132458 (0x2089ea)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Oct 19 18:13:35 2004 GMT
            Not After : Oct 19 18:13:35 2005 GMT
        Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                    1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31:
                    de:f0:b5:c2:f5:90:dc:e9:b0:f8:b0:4f:ea:e2:36:
                    92:e6:8d:78:ad:9f:d9:77:4b:20:4f:f4:28:48:64:
                    0b:f0:12:88:d6:da:c4:6a:71:3f:a7:bc:58:6f:49:
                    06:eb:6d:10:90:96:b3:7f:21:b9:5b:11:3c:de:62:
                    a2:cc:80:29:f3:d4:45:ad:25:be:bc:e9:d3:6d:95:
                    41:98:b9:3a:f8:7c:dd:2e:8f:72:5b:aa:05:4e:b5:
                    d1:45:20:d9:73:83:f0:c8:e7
                Exponent: 65537 (0x10001)
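The "CSR MUSTs" slide and the two openssl views (CSR and issued certificate) give an administrator two checks worth automating before submitting a CSR and after receiving a certificate: that the subject fields carry the exact required values, and that the certificate's modulus matches the CSR's, i.e. the certificate belongs to the private key you backed up. The following is an added Python example, not code from the deck or from CITES; it works on the text that openssl's -text output prints, and its sample strings are constructed from the slides' Subject lines with the modulus shortened.

```python
"""Added example (not from the slides): checks on the text that
'openssl req -text' (CSR) and 'openssl x509 -text' (certificate) print."""
import re

# Exact field values the "CSR MUSTs" slide requires.
REQUIRED_DN = {"C": "US", "ST": "Illinois", "L": "Urbana",
               "O": "University of Illinois"}

def parse_subject(text):
    """Turn 'Subject: C=US, ST=..., CN=host/emailAddress=x' into a dict."""
    line = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE).group(1)
    dn = {}
    for part in re.split(r",\s*|/(?=emailAddress=)", line):  # openssl separators
        key, _, value = part.partition("=")
        if key.strip():
            dn[key.strip()] = value.strip()
    return dn

def check_csr_subject(text):
    """Return the list of CSR MUST violations; an empty list means acceptable."""
    dn = parse_subject(text)
    problems = [f"{k} must be {v!r}, got {dn.get(k)!r}"
                for k, v in REQUIRED_DN.items() if dn.get(k) != v]
    cn = dn.get("CN", "")
    if not cn:
        problems.append("Common Name (CN) is missing")
    elif cn.lower().startswith(("http://", "https://")):
        problems.append("CN must not include http:// or https://")
    return problems

def modulus(text):
    """Return the RSA modulus as one hex string, taken from the 'Modulus' block."""
    block = re.search(r"Modulus[^:]*:\s*((?:[0-9a-f]{2}:?\s*)+)", text).group(1)
    return re.sub(r"[\s:]", "", block)

def same_key(csr_text, cert_text):
    """True when the issued certificate carries the public key from this CSR,
    i.e. it belongs to the private key generated alongside that CSR."""
    return modulus(csr_text) == modulus(cert_text)

# Constructed samples: the slides' Subject line with the modulus shortened.
CSR_TEXT = """\
    Subject: C=US, ST=Illinois, L=Urbana, O=University of Illinois, \
OU=CITES Security Services, CN=www-s.cites-security.uiuc.edu/emailAddress=security@uiuc.edu
            Modulus (1024 bit):
                00:af:3b:73:bc:f8:7f:e2:68:63:11:25:a5:3d:6c:
                1e:19:bb:64:3a:4e:84:1e:2e:68:2c:39:d0:1b:31
"""
CERT_TEXT = CSR_TEXT.replace("/emailAddress=security@uiuc.edu", "")
```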
UIUCisms
Communication (CSR submission, certificate issuance, and support) is done through email ([email protected]).
Certificates can be issued to University-owned machines in these domains:
• uiuc.edu
• illinois.edu
• prairienet.org
• uillinois.edu
• vcrcillinois.org
Cost is currently set at $130 per certificate.
Questions?