Slides - the GMU ECE Department

PKI Administration Using EJBCA and OpenCA
Presented by: Ayesha Ghori and Asra Parveen
PKI: Public Key Infrastructure
A trusted third party.
Secured communication.
Provides digital certificates that can identify an individual or an organization.
Stores and revokes certificates.
Provides services such as encryption, digital signatures, data integrity, key establishment, and zero-knowledge/minimum-knowledge protocols.
PKI Components
Certificate Authority: A CA issues certificates to, and vouches for the authenticity of, entities.
Registration Authority: An RA is an administrative function that registers entities in the PKI.
End entity: An end entity is a user, such as an e-mail client, a web server, a web browser or a VPN gateway.
PKI Hierarchy (reconstructed from the slide diagram)
Super Administrator
    GMU CA (Top CA)
        GMU Manassas CA (SubCA)
            GMU Manassas CA Administrator
            RA instance GMU Manassas: GMU Manassas RA Administrator
        GMU Fairfax CA (SubCA)
            GMU Fairfax CA Administrator
            RA instance GMU Fairfax: GMU Fairfax RA Administrator
        GMU PW Campus CA (SubCA)
            GMU PW CA Administrator
            RA instance GMU PW Campus: GMU PW RA Administrator
EJBCA and OpenCA
Software Requirements
Software Requirements of EJBCA
Java JDK 1.5 – Java 2 Platform Standard Development Kit.
Apache Ant – Java Build Utility, used to compile and build Java programs.
JBoss 4.0.5 – J2EE Application Server
EJBCA download
Software Requirements of OpenCA
OpenLDAP.
OpenSSL.
Apache Project.
Apache mod_ssl.
EJBCA
EJBCA is a fully functional Certificate Authority built in Java.
Based on J2EE technology.
Robust.
High performance, component based CA.
Flexible and platform independent.
EJBCA can be used standalone or integrated in any J2EE application.
EJBCA: Architecture
EJBCA Administration
Create and Initialize the Super
Administrator
Creating and Configuring data sources
Creating Publishers
Creating Certificate Authorities
Creating Registration Authorities
Creating End Entities
Creating CRLs
Generating Certificates
The EJBCA Super Admin Certificate
OpenCA
Linux based.
Provides a choice of algorithms: DES, DES3, IDEA.
Extensions provided: SKI and AKI (Subject Key Identifier and Authority Key Identifier).
In addition to the PKI components of EJBCA, OpenCA also has a Registration Authority Operator.
OpenCA: Architecture
OpenCA Administration
Initializing the Certification Authority
Create the initial administrator
Create the initial RA Certificate
Submit a Certificate Request
Approve the Certificate
Issue the Certificate
Importing the Root Certificate
User Certificate
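As an added example (not part of the slides, and not OpenCA's or EJBCA's own code), the following script builds the hierarchy slide's Top CA -> SubCA -> end-entity chain with the OpenSSL CLI, the toolkit underneath OpenCA, walks the submit/approve/issue steps listed above, and then revokes the certificate and publishes a CRL so the chain check fails. The CA names and the end-entity name are constructed; a writable temp directory and an openssl binary (1.1.1 or later) are assumed.

```shell
# Added example, not from the slides. Two-tier hierarchy with OpenSSL: Top CA
# signs a SubCA, the SubCA issues an end-entity certificate via 'openssl ca',
# then revokes it and publishes a CRL. All names below are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Fresh key plus certificate request: $1 = common name, $2 = file stem.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }

# Minimal 'openssl ca' database so the SubCA can sign, revoke and issue CRLs.
write_ca_conf() {
  mkdir -p subca/newcerts; : > subca/index.txt; echo 1000 > subca/serial
  printf '[ca]\ndefault_ca=sub\n[sub]\ndir=%s/subca\ndatabase=$dir/index.txt\n' "$WORK" > subca/ca.cnf
  printf 'new_certs_dir=$dir/newcerts\nserial=$dir/serial\ncertificate=%s/sub.crt\n' "$WORK" >> subca/ca.cnf
  printf 'private_key=%s/sub.key\ndefault_md=sha256\ndefault_days=365\n' "$WORK" >> subca/ca.cnf
  printf 'default_crl_days=30\npolicy=pol\n[pol]\ncommonName=supplied\n' >> subca/ca.cnf
}

build_hierarchy() {
  # Top CA: self-signed root (the slide's "GMU CA / TOP CA")
  csr "GMU Top CA" top
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in top.csr -signkey top.key -days 3650 -sha256 -extfile ca.ext -out top.crt 2>/dev/null
  # SubCA (the slide's "GMU Fairfax CA / SUBCA"), certified by the Top CA
  csr "GMU Fairfax CA" sub
  openssl x509 -req -in sub.csr -CA top.crt -CAkey top.key -CAcreateserial -days 1825 -sha256 -extfile ca.ext -out sub.crt 2>/dev/null
  # End entity: request submitted to the SubCA, approved and issued (OpenCA's three steps)
  csr "fairfax-user" ee
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
  write_ca_conf
  openssl ca -batch -notext -config subca/ca.cnf -extfile ee.ext -in ee.csr -out ee.crt 2>/dev/null
}

# Succeeds only if ee.crt chains to the Top CA through the SubCA.
verify_chain() { openssl verify -CAfile top.crt -untrusted sub.crt ee.crt >/dev/null 2>&1; }

# Revoke the end-entity certificate and publish the SubCA's CRL (OpenCA: a manual step).
revoke_and_crl() {
  openssl ca -batch -config subca/ca.cnf -revoke ee.crt 2>/dev/null
  openssl ca -batch -config subca/ca.cnf -gencrl -out sub.crl 2>/dev/null
}

# Succeeds only if the chain is valid AND ee.crt is absent from the SubCA's CRL.
verify_with_crl() {
  cat top.crt sub.crt sub.crl > bundle.pem
  openssl verify -crl_check -CAfile bundle.pem ee.crt >/dev/null 2>&1
}

build_hierarchy
verify_chain && echo "before revocation: chain verifies"
revoke_and_crl
verify_with_crl || echo "after revocation: rejected by CRL check"
```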
Comparison (reconstructed from the slide table)

Parameter                        EJBCA                                       OpenCA
Ease of configuration            Very complex                                Complex
Confidentiality                  Offers confidentiality using encryption     Offers confidentiality using encryption
Integrity                        Offers integrity by encryption              Offers integrity by encryption
Authentication                   Offers authentication by digital signature  Offers authentication by digital signature
Ability to choose the algorithm  Yes                                         Yes
OCSP                             Yes                                         Yes
Ability to choose CSP            Yes                                         No
CRL updates                      Automatic                                   Manual
Cost                             Free                                        Free
Extensions                       Yes                                         Yes
LDAP support                     Yes                                         Yes
Support for smart cards          Yes                                         No
Platform                         Java J2EE                                   Perl CGI on Unix
Certificate repositories         HSQL                                        MySQL
Modules                          EJB                                         Perl modules
Component based                  Yes                                         Yes
Standalone component             Present                                     Not present
Supported browsers               Multiple                                    Multiple
Scalability                      Good                                        Bad
Conclusion
EJBCA is the simplest to use
    Complexity during installation
    Provides for automatic CRL updates
OpenCA is the best for Linux users
    Manual revocations
Both can be used by various clients