CERN Certificates platform
http://ca.cern.ch

Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS
HEPIX Fall 2005

PowerPoint presentation, 14 slides. Uploaded to the document-sharing site on 13-Feb-2016.

TRANSCRIPT

Page 1: CERN Certificates platform (title slide)

April 22, 2023 1

CERN Certificates platform
http://ca.cern.ch

Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS

HEPIX Fall 2005

Page 2: Agenda

- CERN Certification Authority overview
  - Architecture
  - User, Host, "Enrollment" certificates
- Certificate usage
  - Web sites
  - SmartCards
- Project status

Page 3: CERN Certification Authority - Architecture

Offline Root CA:
- Runs on Virtual PC; the Root CA server image is kept on removable disks.
- The root will be trusted by default inside CERN.

Online Issuing CA:
- Handles user requests for "software" certificates (client certificates).
- Enrollment station for SmartCard certificates (only an authorized user on an authorized desktop can issue certificates on smartcards), i.e. the Card Service.
- Handles user requests for Host certificates.
- Lets users map existing certificates (e.g. Grid, CACert, Thawte) to their account.

Page 4: CERN Certification Authority - Certificate Request

"Software" (client) certificates are requested by users.

Internet Explorer or Mozilla browsers can handle the certificate request automatically.

A manual procedure with OpenSSL is also provided.
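The two-tier layout of page 3 and the manual OpenSSL request of page 4, as an added example that is not part of the original presentation or of the ca.cern.ch service. It builds a throw-away offline root, an online issuing CA and a user certificate in a temporary directory with the openssl command line, then verifies the result the way a relying party would. Every name in it (Example Org, Example Offline Root CA, user@example.invalid) is a placeholder, and the extension profile in the config file is a minimal one written for this example, not CERN's.

```shell
#!/bin/sh
# Added example (not from the CERN slides or the ca.cern.ch service): builds,
# in a temporary directory, the hierarchy the slides describe -- an offline
# root CA that signs only the online issuing CA, which signs the user
# certificate -- and runs the "manual OpenSSL" client request against it.
# All names below (Example Org, Example Offline Root CA, ...) are placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ca.cnf"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
EOF

# Step 1: offline root. Self-signed and long lived; in the slides this key
# lives on a Virtual PC image kept on removable disks, never on a networked host.
make_root() {
  openssl req -x509 -config "$CNF" -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/O=Example Org/CN=Example Offline Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Step 2: online issuing CA. Its CSR is the only thing the root ever signs;
# pathlen:0 stops it from creating further sub-CAs.
make_issuing() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=Example Online Issuing CA" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$WORK/issuing.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_issuing -out "$WORK/issuing.crt" 2>/dev/null
}

# Step 3: the manual user procedure. Key pair and CSR are generated on the
# user's side; only the CSR goes to the issuing CA, the private key never does.
request_user_cert() {  # $1 = file prefix, $2 = subject
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_user -out "$WORK/$1.crt" 2>/dev/null
}

# What a relying party (web server, mail client) does: trust only the root,
# pass the issuing CA as an untrusted intermediate, and build the path.
verify_user_cert() {  # $1 = certificate file; prints OK or FAIL
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" \
       "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Key for the "map an existing certificate to your account" feature: the
# certificate's SHA-256 fingerprint, which does not change on re-encoding.
fingerprint() {  # $1 = certificate file
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

make_root
make_issuing
request_user_cert user "/O=Example Org/CN=Example User/emailAddress=user@example.invalid"
GOOD="$(verify_user_cert "$WORK/user.crt")"

# Negative check: a self-signed certificate from outside the hierarchy does
# not verify, even though it carries the same subject name.
openssl req -x509 -config "$CNF" -extensions v3_user -newkey rsa:2048 -nodes \
  -sha256 -days 365 -subj "/O=Example Org/CN=Example User" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
BAD="$(verify_user_cert "$WORK/rogue.crt")"

echo "issued by our hierarchy: $GOOD   self-signed impostor: $BAD"
echo "fingerprint to map to an account: $(fingerprint "$WORK/user.crt")"
```

Run it with sh; it prints OK for the certificate issued through the hierarchy and FAIL for the self-signed impostor. The point worth keeping from the verify step is the trust split: the root is the only trust anchor, and the online issuing CA is supplied as an untrusted intermediate, so a compromise of the online machine never lets it vouch for itself.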

Page 5: CERN Certification Authority - Enrollment Station

Smartcard certificates can be issued only by users with a valid "enrollment agent" certificate installed on a dedicated machine.

Page 6: CERN Certification Authority - Host Certificates and Certificate mapping

Users can request Host certificates for CERN hosts they manage, and for any non-CERN host that does not already have a certificate.

Users can map an existing certificate (e.g. a Grid certificate) to their account for authentication.

Page 7: Certificate usage

Short term:
- Authenticate to IS websites (Win, Web, Mail, Terminal Services, etc.)
- Provide a common authentication interface for all CERN services: a sort of Single Sign-On
- Sign and encrypt mails

Medium to long term:
- Provide Windows and Linux desktop authentication using SmartCard certificates.
- Embed a SmartCard chip in the CERN Access card.

Page 8: Websites authentication

- The certificate can be installed in any browser, on any platform.
- The certificate is mapped to the user account; several certificates can be mapped to one account.
- Authentication is done automatically; a popup asks the user to select a certificate if several are installed (multiple identities supported).
- If there is no client certificate, fall back to forms authentication: useful when using a public computer, but can be a security issue.
- Policy to be defined: force the client certificate? Users must then always use their own computers: increased security, but an accessibility issue.

Page 9: IT/IS Websites authentication - Overview

Flow shown on the slide:
1. Opening a website.
2. If several client certificates matching the server requirements are found, the browser asks the user to choose.
3. Cancelled or no certificate installed: forms authentication (see page 8).
4. Certificate authentication complete.
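The server-side decision behind pages 8 and 9, as an added example that is not code from the presentation: a POSIX shell function that looks the presented client certificate up in a per-account mapping table (several certificates per account, as page 8 allows) and falls back to forms login, or denies, according to the site policy the slide leaves open. The fingerprints, issuer tags, account names (alice, bob) and the POLICY variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CERN slides: the decision a web site makes once
# the TLS handshake has (or has not) delivered a client certificate.
# Everything in MAPPING, TRUSTED_ISSUERS and POLICY is constructed.
set -e

# Certificate -> account mapping. One account may have several certificates
# mapped (the "multiple identity" case on page 8): alice has a CERN-issued
# and a Grid certificate. Columns: SHA-256 fingerprint, issuer tag, account.
MAPPING='
11:11:11:11:11 CERN-CA alice
22:22:22:22:22 GRID    alice
33:33:33:33:33 CERN-CA bob
'

# Issuers whose client certificates the site accepts at all.
TRUSTED_ISSUERS="CERN-CA GRID CACERT"

# Site policy left open on page 8: "forms" keeps the password fallback (works
# on a public computer, but a password typed there can be captured); "force"
# requires a client certificate and refuses everything else.
POLICY="${POLICY:-forms}"

# authenticate FINGERPRINT ISSUER  ->  prints  cert:<account> | forms | deny
# No or cancelled certificate, an untrusted issuer and an unmapped certificate
# all land in the same branch: the user is not identified by certificate.
authenticate() {
  fp="$1"
  issuer="$2"
  account=""
  if [ -n "$fp" ] && [ -n "$issuer" ]; then
    case " $TRUSTED_ISSUERS " in
      *" $issuer "*)
        # Match on fingerprint AND issuer, not on the subject name alone:
        # two CAs can issue certificates carrying the same subject.
        account="$(printf '%s\n' "$MAPPING" |
          awk -v f="$fp" -v i="$issuer" '$1 == f && $2 == i { print $3; exit }')"
        ;;
    esac
  fi
  if [ -n "$account" ]; then
    echo "cert:$account"
  elif [ "$POLICY" = "force" ]; then
    echo "deny"
  else
    echo "forms"
  fi
}

# Constructed requests exercising each branch of the page 9 flow.
echo "alice, CERN cert:      $(authenticate 11:11:11:11:11 CERN-CA)"    # cert:alice
echo "alice, Grid cert:      $(authenticate 22:22:22:22:22 GRID)"       # cert:alice
echo "no cert, forms policy: $(authenticate '' '')"                      # forms
echo "unmapped cert:         $(authenticate 99:99:99:99:99 CERN-CA)"    # forms
echo "untrusted issuer:      $(authenticate 11:11:11:11:11 SELFSIGNED)" # forms
echo "no cert, force policy: $(POLICY=force; authenticate '' '')"        # deny
```

The mapping is keyed on the certificate itself (fingerprint plus issuer) rather than on the subject name, which is what makes "map a Grid or CACert certificate to your account" safe: only the exact certificate the user registered identifies them. Flipping POLICY to force is the "own computers only" variant page 8 weighs against accessibility.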

Page 10: Email signing and encrypting

In Outlook 2003: (the rest of this slide is not in the transcript)

Page 11: SmartCards for Desktop authentication

Medium to long term achievement:
- Integrate a SmartCard chip into the CERN Access card.
- Use the SmartCard to authenticate the Windows or Linux desktop session.
- Use software (client) certificates for alternate-account authentication (in the browser).
- No more passwords typed in: passwords can be set to a random string not known even by the user, and can be reset automatically very often.
- Policy to be defined: keep alternate password authentication?

Page 12: SmartCards for cross-platform authentication

Use the same SmartCard for:
- Windows desktop (and laptop): browser authentication
- Linux desktop: browser authentication
- Mac OS X desktop: browser authentication
- Remote Windows: Windows Terminal Services
- Remote Linux: PuTTY (to be defined, possible with OpenSC), OpenSSH (to be defined, possible with OpenSC), Exceed (to be confirmed)

Page 13: Project status

CERN Certification Authority:
- CERN CA is up and running. All described functionalities are available.
- Grid specifications taken into account (EUGridPMA specification).

Software (client) certificates:
- Available for SSO on IT/IS websites; planned to be extended to all web sites.
- CERN certificate issuing available to all CERN users.
- Alternate certificate mapping available, including Grid certificates.

SmartCards:
- Test cards have been issued; testing on Windows and Linux in progress.
- Hardware vendors being evaluated with the TS department to provide the next generation of CERN Access cards (Smartcard + Mifare contactless card + magnetic stripe + printed photo).
- Estimated cost: ~5€ / card, ~15€ to 25€ / card reader (USB or PCMCIA).

Page 14: Questions?

http://ca.cern.ch