Number of slides: 22
UGRID CA
Sergii Stirenko, Oleg Alienin
stirenko@ugrid.org, oleg@ugrid.org
CA Overview
- Member of EUGridPMA since 2008
- Located at the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute", Kyiv, Ukraine
- Provides the PKI service for the educational and scientific grid infrastructure in Ukraine
- Off-line CA
- CA staff: 3 persons
- RA staff: 9 persons
RA
- KPI (NTUU KPI)
- KIPT (National Science Center "Kharkiv Institute of Physics and Technology")
- ICMP (Institute for Condensed Matter Physics of NAS of Ukraine, Lviv)
- ONU (HPC & FOSS Center at the I. I. Mechnikov Odessa National University)
- CHSTU (Chernigiv State Technological University)
- ISMA (Institute for Scintillation Materials NAS of Ukraine, Kharkiv)
- IAP (Institute of Applied Physics of NAS of Ukraine, Sumy)
Temporarily suspended:
- DONNU (Donetsk National University)
- MHI (Marine Hydrophysical Institute, NAS of Ukraine)
Certificate statistics
- All issued certificates: 2210
- Issued in 2016: 220
  - People: 87
  - Hosts: 133
  - Service: 0
- Revoked in 2016
  - People: 0
  - Hosts: 0
CA changes: root certificate
Old CA root certificate
- Issued Jan 21, 2008
- Re-signed after 5 years
- Valid to Jan 21, 2018
- 2048-bit key
- Key ID: CD:C0:D7:E1:B5:7D:9F:A9:94:48:4E:E8:14:56:55:94:ED:FF:BC:A0
- Subject DN: DC=org, DC=ugrid, CN=UGRID CA
- CRL distribution point: http://ca.ugrid.org/cacrl.der
CA changes: root certificate
New CA root certificate
- Issued Jan 26, 2017
- Valid to Jan 21, 2037
- 4096-bit key
- Key ID: 8C:74:B7:26:16:00:E5:0B:24:BD:23:76:7F:94:8B:E6:81:B3:CF
- Subject DN: DC=org, DC=ugrid, CN=UGRID CA G2
- CRL distribution point: http://ca.ugrid.org/ca2crl.der
CA changes: address
- Old address: High-Performance Computing Center, National Technical University of Ukraine "Kyiv Polytechnic Institute", 03056, Prospect Peremohy, 37, building 6, Kyiv, Ukraine
- New address: Department of Computer Engineering, Faculty of Informatics and Computer Engineering, National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute", 03056, Prospect Peremohy, 37, building 18, Kyiv, Ukraine
CA changes: policy changes
- Old OID: 1.2.840.113612.5.4.2.6.1.1.1.4
- New OID: 1.2.840.113612.5.4.2.6.1.1.1.5 (not approved by the PMA yet)
- Organization name, department name, address
  - 1.5.1 Organization administering the document
  - 1.5.3 Person determining CPS suitability for the policy
- Minimum key length is now 2048 bits (was 1024) for end entities and 4096 bits for the CA root
  - 4.1.1 Who can submit a certificate application
  - 4.2.2 Approval or rejection of certificate applications
  - 6.1.5 Key sizes
CA changes: policy changes
- The UGRID CA uses SHA-256 with RSA encryption as its signature algorithm (was SHA-1 with RSA encryption)
  - 7.1.4 Algorithm object identifiers
- The distinguished name of the CA is "DC=org, DC=ugrid, CN=UGRID CA G2" (was "DC=org, DC=ugrid, CN=UGRID CA")
  - 7.1.5 Name forms
- The lifetime of the UGRID CA root certificate is 20 years (was 5 years)
  - 6.3.2 Certificate operational periods and key pair usage periods
Self-audit overview
- Self-audit was done in accordance with GFD.169
- Audit date: Jan 18, 2017
- Summary: A: 55, B: 4, C: 5, D: 1, X: 2
3.1 Certification Authority / 3.1.3 CA Key
- (11) The CA key must be configured for long term use. (C) The old root certificate expires Jan 21, 2018. It was initially issued on Jan 21, 2008 for 5 years; the validity period was then extended to 10 years.
3.1 Certification Authority / 3.1.3 CA Key
- (15) The on-line CA architecture should provide for a (preferably tamper-protected) log of issued certificates and signed revocation lists. (X) Not applicable: off-line CA.
- (17) The overlap of the old and new key must be at least the longest time an end-entity certificate can be valid … (D) With the old key we can no longer sign certificates with a one-year validity, because the old CA certificate's "valid to" date is Jan 21, 2018; so the overlap between the old and the new key will be less than one year. The old CA certificate remains available and we still sign CRLs with it. The new certificate is not in the IGTF distribution yet.
3.1 Certification Authority / 3.1.4 CA Certificate
- (21) The profile of the CA certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125. (B) GFD.125 or GFD.225?
3.1 Certification Authority / 3.1.6 Certificate Revocation List
- (28) Every CA must issue a new CRL at least 7 days … (C) Usually we issue CRLs 10 days before the nextUpdate field. But several times we issued a CRL less than 7 days before nextUpdate, only after the robot's notification with the subject "Your CRL update is OVERDUE". We are going to set up our notification script to warn the CA operator on the last working day that is no later than 10 days before nextUpdate.
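The scheduling rule behind (28), as an added example rather than the UGRID CA's own notification script: it takes the nextUpdate value printed by `openssl crl -in cacrl.der -inform DER -noout -nextupdate` (the sample output line below is constructed, not taken from a real UGRID CRL), computes the last working day that is no later than 10 days before nextUpdate, and reports the CRL as overdue once fewer than 7 days remain. "Working day" here means Monday to Friday; public holidays are not handled.

```python
"""Warn the CA operator in time to issue a new CRL.

Added example, not UGRID CA's own script. Assumes the nextUpdate is obtained
from `openssl crl -in cacrl.der -inform DER -noout -nextupdate`, which prints
a line such as "nextUpdate=Feb  5 12:00:00 2017 GMT". The sample line below
is constructed for this example.
"""
from datetime import date, datetime, timedelta

MIN_LEAD_DAYS = 7      # (28): a new CRL at least 7 days before nextUpdate
TARGET_LEAD_DAYS = 10  # the CA's own practice: reissue about 10 days before

# Constructed sample of the openssl output (not a real UGRID CRL).
SAMPLE_OPENSSL_OUTPUT = "nextUpdate=Feb  5 12:00:00 2017 GMT\n"


def parse_next_update(openssl_output: str) -> datetime:
    """Return the nextUpdate printed by `openssl crl -nextupdate` as a naive UTC datetime."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            # openssl pads single-digit days with a space ("Feb  5"); collapse the run.
            value = " ".join(line.split("=", 1)[1].split())
            return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    raise ValueError("no nextUpdate line in openssl output")


def last_working_day_on_or_before(day: date) -> date:
    """Step back to Friday when the day falls on Saturday (5) or Sunday (6)."""
    while day.weekday() >= 5:
        day -= timedelta(days=1)
    return day


def reissue_date(next_update: datetime) -> date:
    """Last working day that is no later than TARGET_LEAD_DAYS before nextUpdate."""
    return last_working_day_on_or_before(next_update.date() - timedelta(days=TARGET_LEAD_DAYS))


def hard_deadline(next_update: datetime) -> datetime:
    """Instant after which the 7-day rule of (28) is already violated."""
    return next_update - timedelta(days=MIN_LEAD_DAYS)


def crl_status(next_update: datetime, now: datetime) -> str:
    """'ok', 'reissue' (reissue day reached: warn the operator) or 'overdue' (7-day rule broken)."""
    if now >= hard_deadline(next_update):
        return "overdue"
    if now.date() >= reissue_date(next_update):
        return "reissue"
    return "ok"


if __name__ == "__main__":
    nu = parse_next_update(SAMPLE_OPENSSL_OUTPUT)
    print(f"nextUpdate {nu:%Y-%m-%d %H:%M} UTC; warn on {reissue_date(nu)}; "
          f"overdue from {hard_deadline(nu):%Y-%m-%d %H:%M}; status now: "
          f"{crl_status(nu, datetime.utcnow())}")
```

Run it from cron on every working day; the "reissue" state is the one to mail the operator about, and "overdue" is what the PMA robot would already be complaining about.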
3.1 Certification Authority / 3.1.7 End Entity Certificates and Keys
- (39) Certificates (and private keys) managed in a software token should only be re-keyed, not renewed. (B) This is stated in the CP/CPS, but we don't check it.
- (40) Certificates associated with a private key residing solely on a hardware token may be renewed … (X) Not applicable: we don't use hardware tokens.
3.1 Certification Authority / 3.1.8 Records Archival
- (43) These records must be available to external auditors in the course of their work as auditor. (C) Difficult to make available for auditing.
3.1 Certification Authority / 3.1.10 Publication and Repository Responsibilities
- (48) The repository must be run at least on a best-effort basis, with an intended availability of 24x7. (B) Yes, but there were some hours of downtime due to power/network failures.
3.1 Certification Authority / 3.1.11 Compromise and Disaster Recovery
- (55) The CA must have an adequate compromise and disaster recovery procedure, and be willing to discuss this procedure in the PMA. The procedure need not be disclosed in the policy and practice statements. (C) There are no compromise and disaster recovery plans yet, but we are working on it.
3.2 RA / 3.2.1 Entity Identification
- (4) For host and service certificate requests, an RA should ensure that the requestor is appropriately authorized by the owner of the associated FQDN … (B) When a host certificate is issued for the first time, ownership is verified by DNS/WHOIS and the RA's personal knowledge. We maintain a database table that maps hostnames (for which certificates were issued) to their owners (their personal certificates) and their organizations. But the procedure for changing this ownership isn't well documented; at present we accept signed e-mails or a hard copy of a signed and sealed letter from the organization.
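The ownership lookup for host requests described under (4), as an added example that is not UGRID CA's database or RA code: the table layout, the column names and the sample hostnames and DNs are assumptions, held in an in-memory SQLite database. It separates a first issuance (where the RA still has to verify ownership via DNS/WHOIS before registering the host) from a request by the registered owner, and it refuses an ownership transfer unless the evidence that authorized it (signed e-mail or sealed letter) is recorded alongside the change, which is the part the slide says is not yet documented.

```python
"""RA-side authorization of host certificate requests against an ownership table.

Added example, not UGRID CA's code. Schema, column names, hostnames and DNs
are assumptions; the rows are constructed sample data.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE host_owner (
    fqdn     TEXT PRIMARY KEY,   -- lower-case, without trailing dot
    owner_dn TEXT NOT NULL,      -- subject DN of the owner's personal certificate
    org      TEXT NOT NULL
);
CREATE TABLE ownership_change (
    id         INTEGER PRIMARY KEY,
    fqdn       TEXT NOT NULL,
    old_owner  TEXT NOT NULL,
    new_owner  TEXT NOT NULL,
    evidence   TEXT NOT NULL,    -- e.g. 'signed e-mail <Message-ID>' or 'sealed letter ref ...'
    changed_at TEXT NOT NULL
);
"""

# Constructed sample rows (fictitious hosts and people).
ALICE = "/DC=org/DC=ugrid/O=KPI/CN=Alice Example"
BOB = "/DC=org/DC=ugrid/O=KPI/CN=Bob Example"
SAMPLE_ROWS = [
    ("ce.example.ugrid.org", ALICE, "KPI"),
    ("se.example.ugrid.org", ALICE, "KPI"),
]


def canonical(fqdn: str) -> str:
    """Hostnames are case-insensitive; store and compare one canonical form."""
    return fqdn.strip().lower().rstrip(".")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO host_owner VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def authorize_host_request(conn: sqlite3.Connection, fqdn: str, requestor_dn: str) -> str:
    """Decide whether requestor_dn may obtain a certificate for fqdn.

    'verify-ownership': first request for this host; the RA must check DNS/WHOIS
                        and then call register_host().
    'authorized':       the host is registered to the requestor.
    'rejected':         the host is registered to someone else; needs a transfer.
    """
    row = conn.execute("SELECT owner_dn FROM host_owner WHERE fqdn = ?",
                       (canonical(fqdn),)).fetchone()
    if row is None:
        return "verify-ownership"
    return "authorized" if row[0] == requestor_dn else "rejected"


def register_host(conn: sqlite3.Connection, fqdn: str, owner_dn: str, org: str) -> None:
    """Record the owner after the RA has verified ownership for a first issuance."""
    conn.execute("INSERT INTO host_owner VALUES (?, ?, ?)", (canonical(fqdn), owner_dn, org))
    conn.commit()


def transfer_ownership(conn: sqlite3.Connection, fqdn: str, new_owner_dn: str, evidence: str) -> str:
    """Change the owner of fqdn; refuses without evidence. Returns the previous owner DN."""
    if not evidence.strip():
        raise ValueError("an ownership change needs evidence (signed e-mail or sealed letter)")
    host = canonical(fqdn)
    row = conn.execute("SELECT owner_dn FROM host_owner WHERE fqdn = ?", (host,)).fetchone()
    if row is None:
        raise LookupError(f"{host} is not registered")
    conn.execute("UPDATE host_owner SET owner_dn = ? WHERE fqdn = ?", (new_owner_dn, host))
    conn.execute(
        "INSERT INTO ownership_change (fqdn, old_owner, new_owner, evidence, changed_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (host, row[0], new_owner_dn, evidence, datetime.now(timezone.utc).isoformat()),
    )
    conn.commit()
    return row[0]


def change_history(conn: sqlite3.Connection, fqdn: str) -> list:
    """(old_owner, new_owner, evidence) tuples for fqdn, oldest first."""
    return conn.execute(
        "SELECT old_owner, new_owner, evidence FROM ownership_change WHERE fqdn = ? ORDER BY id",
        (canonical(fqdn),)).fetchall()
```

The decision value is what the RA acts on: "rejected" is not a reason to refuse the request outright, it is the trigger for the documented transfer procedure, and the `ownership_change` row is what an auditor can later be shown.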
3.2 RA / 3.2.3 RA to CA Communications
- (8) The CP/CPS should describe how the RA or CA is informed of changes that may affect the status of the certificate. (C) This procedure isn't well documented.
Thank you!