Learning Center
Plans & pricing Sign in
Sign Out



									Presentation on

 Mr. Frankie F. T. Cheung
 HPC Team
 Computer Centre
 The University of Hong Kong
Agenda (HKU Grid CA)
0. Introduction
2. CA System
3. CA private key
4. CA certificate
5. Certificate Revocation
6. Certificate Revocation List
7. End entity certificates and keys
8. Records Archival
9. Audits
10. Publication & Repository
11. Privacy and confidentiality
12. Comprise and Disaster Recovery    2
  0. Introduction
• What is HKU?
   – Oldest university in Hong Kong
   – Comprehensive university with 10 faculties
   – 12,300 undergraduate & 9,900 postgraduate students
• What is HKU Computer Centre?
   – A centralized IT service department to facilitate the
     use of the latest information technology in HKU
     teaching, learning, research and administration.
   – To aim to provide the best quality IT service in Hong
     Kong as well as in the global perspective.

   0. Introduction
• Why we want to host a CA ?
• HKU is the member of Grid organizations:
   – The member of China National Grid (CNGrid)
   – The member of PRAGMA Grid
   – The member of EGEE TWGrid
• The need from local researchers to use Grid
   – Researchers from multi-discipline (Chemistry, Physics,
     Geo-science, Engineering) demand Grid resources
   – No IGTF CA system in Hong Kong region
   – They are reluctant to apply user certificate from other
     region‟s CA
   0. Introduction
• CP/CPS is revised by 13 February 2009
• Hardware delivery at early March 2009
• Software (OS, OpenCA etc) setup at late March
• Put in production at 8 April 2009
   –   Generate CA private key
   –   Issue CA certificate
   –   Issue a user certificate
   –   Issue a host certificate
   –   Online web repository ready

    1. CP/CPS
•   CP/CPS was drafted at 24 Dec 2008
•   It was reviewed by IGCA and CNIC
•   It was revised by 13 February
•   CP OID: [CP/CPS 1.2]
•   CPS OID: [CP/CPS 1.2]
•   It was structured as defined in RFC 3647 [CP/CPS 1.1]

   1. CP/CPS
• Policy Administration [CP/CPS 9.12]
   – Policy is developed and maintained by HKU GRID
      Policy Management Authority (HKU GRID PMA) at
      HKU Computer Centre
   – All major changes related to policy, technology or
      security must be approved by APGrid PMA before
      signing any certificates under the new CP/CPS.
   – Minor changes related to editorial problems can
      be made without approved by APGrid PMA.
   – New OID will be assigned to major changes and
      will not be assigned to minor changes.
• All versions are available at online repository
  ( => “Publications”) 7
  1. CP/CPS
• Organization of HKU Grid PMA   [CP/CPS 5.2]

  1. CP/CPS
• Staff in HKU Grid PMA
   – CA Managers:
      • Dr. P. T. Ho (
      • Mr. W. K. Kwan (
   – CA Operators:
      • Mr. Frankie Cheung (
      • Mr. Gripen Kwok (
   – RA Operator:
      • Mr. W. K. Kwan (

   2. CA System
• The CA systems are 2 dedicated machines
   – One offline signing server (Offline CA server)
   – One online web server (Online RA server)
• Hardware: 2 x IBM x3650 servers, each with Intel
  quad-core 2.66GHz CPU, 2GB Ram, 4 x 73 disks in

   2. CA System
• Software:
   –   OS: Fedora v9
   –   CA software: OpenCA v1.0.2
   –   OpenSSL: OpenSSL v0.9.8h
   –   Web server: Apache v2.2.9
   –   Database: MySQL v5.0.51a
• Firewall protection:
   – Campus firewall block all incoming traffic except
   – Host firewall block all incoming traffic except
     HTTP/HTTPS, SSH and SMTP from admin network
   2. CA System
• The CA systems are located at Rack #40 in Room
  108 (Computer Server Room), Run Run Shaw
  Building, The University of Hong Kong [CP/CPS 5.1]
   – Before reaching the room doors: With 2 closed-circuit
     security cameras

   2. CA System
• The CA systems are located at Rack #40 in Room
  108 (Computer Server Room), Run Run Shaw
  Building, The University of Hong Kong [CP/CPS 5.1]
   – Two level doors: Only HKU Computer Centre system
     administrators & operators grant access

   2. CA System

• The CA systems are located at Rack #40 in Room
  108 (Computer Server Room), Run Run Shaw
  Building, The University of Hong Kong [CP/CPS 5.1]

  • A secure
  environment where
  access is controlled
  • The servers are
  located at a rack
  with key-locking,
  only administrator
  and operators keep
  the key

   2. CA System
• The CA signing server is completely off line. No
  network cable is connected to this server. [CP/CPS 6.2]
• No Hardware Security Module(HSM) is deployed
• The CA systems are professionally managed CA

      3. CA private key
•   Encryption algorithm: DES3
•   Asymmetric algorithm: RSA
•   Key size: 2048 bits [CP/CPS 6.1.5]
•   Protected by a pass-phase of 20 characters       [CP/CPS

• The pass-phase is only known to HKU Grid PMA.
• Backup copies of the encrypted private key are kept
  on offline mediums (4mm tapes) in the locked
  cabinet of HKU Computer Centre server room,
  where access is controlled. [CP/CPS 6.2.4]
     – Backup copies of the private key is encrypted by
       backup password only known to CA operators.
     – openssl des3 -salt -k password -e -in keyfile.tar.gz -
       out keyfile.pencrypted.tar.gz
   3. CA private key
• The pass-phrase of the encrypted private is kept in
  a sealed envelope, which is put in another locked
  cabinet of HKU Computer Centre Staff room, for
  which only the HKU Grid PMA have key to access.
  [CP/CPS 6.2.4]

• When there is necessary to generate the new CA
  certificate(1 year before CA cert expired), a new CA
  private key and pass-phase will be generated. Then
  new key will be used for signing purpose. [CP/CPS 5.6]
• The overlap of the old and new key must be at least
  1 year. The old version private key would be still
  kept to verify old signatures signed by valid
  certificate.                                17
    4. CA certificate [CP/CPS 5.6, 7.1.2]
•   Version: 3 (0x2)
•   Serial Number: b3:7f:1f:87:24:9e:40:87
•   Signature Algorithm: sha1WithRSAEncryption
•   Validity
    – Not Before: Apr 8 13:05:28 2009 GMT
    – Not After : Apr 3 13:05:28 2029 GMT
• Subject Public Key Info:
    – Public Key Algorithm: rsaEncryption
    – RSA Public Key: (2048 bit)
  4. CA certificate
• X509v3 extensions:
   – X509v3 Basic Constraints: critical, CA:TRUE
   – X509v3 Subject Key Identifier:
      • 6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:95:B7
   – X509v3 Authority Key Identifier:
      • keyid:6B:D2:25:93:24:C4:F2:6F:8A:89:55:4E:D2:5A:55:
   – X509v3 Key Usage: critical, Certificate Sign, CRL Sign
   – X509v3 Subject Alternative Name:
   – X509v3 Issuer Alternative Name:
      •                     19
   5. Certificate Revocation
• Can be requested by: [CP/CPS 4.9.2]
   – The certificate subscriber
   – HKU Grid CA/RA
   – Any other entity presenting evidence of circumstances
     that the criteria described in CP/CPS 4.2.1 violated.
   – Any entities presenting evidence of the compromise
     of associated private key.
   • An end entity must request revocation within one
     working day after detection [CP/CPS 4.9.1]:
   – The subscriber's private key is compromised or is
     suspected to have been compromised.
   – The subscriber's information in the certificate is
     suspected to be inaccurate.                  20
   5. Certificate Revocation
• Procedure for Revocation Request     [CP/CPS 4.9.3]   :
   – End entity must use CRIN (Certificate Revocation
     Identification Number) pin or send revocation request
     using signed E-mail
   – CA operator will authenticate the revocation request
     by CRIN pin or signed E-mail, or even telephone/VTC
     when necessary
   – CA operator would revoke the certificate, update CRL
     and send notification E-mail
• HKU Grid CA must react within one working day, to
  any revocation request received. [CP/CPS 4.9.5]

   6. Certificate Revocation List
• Lifetime is 30 days [CP/CPS 4.9.7]
• Issue CRL [CP/CPS 4.9.7]
   – Every 23 days (Cron job to check CRL remaining life
     time, send E-mail to CA operators 10 days before)
   – Or immediately after a revocation
   • Available at online repository
     ( => “Publications”)
   – Version: x509 v2 [CP/CPS 7.2]
   – Message digest algorithm: SHA-1       [CP/CPS 7.2]

    7. End entity certificates and
• Key size >=1024 bit [CP/CPS 6.1.5]
• Life time :1 year (365 days) [CP/CPS 5.6, 6.3.2]
• User certificate must not be shared [CP/CPS 4.5]
• Host certificate must be linked to a single network
  entity. [CP/CPS 4.5]
• CA only issue certificates based on cryptographic
  data generated by the subscriber. [CP/CPS 4.1.2]
    – The key generation happens at the client side.
    – Stated as responsibility of subscribers to manage the
      private key safely to prevent unauthorized uses
• End entity passphrase        [CP/CPS 4.5]
    – At least 12 characters (User cert is enforced by OpenCA
      web interface), and stated as responsibility of subscribers.
   7. End entity certificates and
• Enrollment Process (User Certificate)     [CP/CPS 4.1.2]

   1.Subscriber fill in user certificate application form and
      return to RA.
   2. Subscriber wait for receiving the E-mail
      acknowledgement from the RA, then he/she can visit
      HKU Grid CA website and requests for CSR. A new
      CSR serial number would be assigned.
   3.The subscriber would be arranged to have a face-to-
      face meeting with the RA and must present photo,
      work ID, CSR serial number and proof of work during
      the face-to-face meeting.
   4. The RA examines the request according to CP/CPS
   7. End entity certificates and
• Enrollment Process (User Certificate)   [CP/CPS 4.1.2]

   5.Once the subscriber is authenticated, the RA would
      endorse the user certificate application form and
      approve request. The RA will then pass the signed
      application form to CA via signed e-mail or fax.
   6. Upon receipt of the application form, CA will verify
      the RA signature in the application form and the CSR
      serial number. The HKU Grid CA manager may
      contact the RA if necessary via signed e-mail or
   7. Now the CA operator will issue the certificate and
      sends an E-mail to the subscriber regarding the way
      to download the certificate.
   7. End entity certificates and
• Enrollment Process (Host Certificate)    [CP/CPS 4.1.2]

   – Similar to User Certificate enrollment process
   – In step 1, subscriber who requests for host certificate
     must have a valid user certificate at HKU Grid CA.
   – In step 3, subscriber must provide evidence or proof
     that the host certificate request is authorized by the
     owner of the FQDN.

  7. End entity certificates and
• Meaningful names   [CP/CPS 3.1.2]

  – Reasonable association to end entity
  – CN is FQDN for host certificate
• Name uniqueness    [CP/CPS 3.1.5]

  – User certificate: CN must be the full name of the
    subscriber and combined with subscriber‟s email id.
  – Host certificate, the CN must be functional fully
    qualified domain name.

   7. End entity certificates and
• Identity Validation by RA   [CP/CPS 3.2]

   – HKU member will be identified by inspection of the
     staff card or student card
   – Other organizations subscriber must be identified by
     in person face-to-face interview. Photo-id and valid
     official documents (including work ID and the proof of
     work) must be presented at the interview
   – Subscriber must provide evidence or proof that the
     host certificate request is authorized by the owner of
     the FQDN.

   7. End entity certificates and
• x509 format with extension     [CP/CPS 7.1]

   – basicConstraints set to „CA: false‟ and marked as critical
   – keyUsage marked as critical
   – User certificate: subscriber E-mail is included in the
   – Host certificate: a FQDN is included as a dnsName in the
   – CRLDistributionPoints:
   – Policy Identifier contain an OID and URI:
      • Policy:
      • CPS:
        v1.0.pdf                                    29
   7. End entity certificates and
• Certificate Renewal [CP/CPS 4.6]
   – HKU Grid CA does not permit certificate signing
     request with the same key as the previous certificate.
• Certificate Re-key   [CP/CPS 4.7.3]

   – After a certificate has been revoked, expired or will be
     expired in one month
   – If the certificate has been revoked or expired, must
     follow enrolment process of CP/CPS 4.1.2

   7. End entity certificates and
• Certificate Re-key   [CP/CPS 4.7.3]

   – If the will be expired in one month, the subscriber,
     need not fill the application form and need not
     participate in the Face-to-Face meeting with RA
     until 5 years of initial ID vetting. After 5 years the
     subscriber of the certificate should follow the
     enrolment process CP/CPS 4.1.2 again to get a
     new certificate.
• Certificate Modification [CP/CPS 4.8]
   – HKU Grid CA does not support certificate modification.

  8. Records Archival
• Records archived      [CP/CPS 5.5.1]
  – Forms, emails, document etc. for certificate
    request and revoke request
  – Monthly tape backup includes (media kept in
    locked cabinet with restrict access)
     • Signing server and web server backup (including
       encrypted CA key)
     • Issued Certificates, revoke request, CRLs
     • Mail archive, system logs(login/logout/reboot)
• Retention period     [CP/CPS 5.5.2]

  – General: minimum 3 years
   9. Audits
• Compliance Audit: [CP/CPS 8]
• Accept external audit, by APGrid PMA
• Self-audit of CA/RA and operation annually (April)
   – Whether the HKU Grid CA certification duties are
     compliant to this CP/CPS?
   – Records archived mentioned in CP/CPS can be
     obtained with 3 years retention period?
   – Operated as minimum CA requirements specified by
     the APGrid PMA?
• A list of CA and RA personnel is verified at least
  once per year

   10. Publication & Repository
•   [CP/CPS 2.1]

   – CA Certificate
   – The end entity Certificates issued
   – CRL
   – Signing policy
   – Procedures for each type of end entity certificates
   – CP/CPS
   – Contact information
   – Other information
• This web repository is available 24x7 on a best
  effort basis
• Grant APGrid PMA and IGTF unlimited re-distribution
   11. Privacy and confidentiality
• Privacy   [CP/CPS 9.4]

   – Subscribers supply info in enrollment process and
     HKU Grid CA would not disclose this information
      • Position, Telephone
      • Photo, WorkID, & other valid official documents
   – Except those specified in the certificate
      • Name & Email for user certificate
      • FQDN for host certificate
      • Organization Name & Organization Unit Name
• Confidentiality    [CP/CPS 9.3]

   – Except explicit information specified in the web
     repository publication, all other information will be
     treated as confidential.                     35
   12. Compromise and Disaster
• If CA private key is compromised    [CP/CPS 5.7.1]:

   – Make all reasonable effort to inform subscribers, RAs
     and relying parties
   – Revoke all issued certificates
   – Terminate distribution services for certificates and
     CRLs issued using the compromised key.
   – Generate a new CA key pair and certificate and make
     the latter available in the public repository.
• If Entity Private Key is compromised    [CP/CPS 5.7.3]:

   – If an entity private key is compromised or suspected
     to be compromised, the entity or its administrator
     must request a revocation of the certificate
   12. Compromise and Disaster
• Hardware, Software, and/or Data Are Corrupted
  [CP/CPS 5.7.2]:
   – Hardware: Hardware replacement (Disk with RAID-6
     protection with tolerance of double disk failure)
   – Software/data corrupted: Restored from backup tape
• Disaster :
   – The system must be recovered as soon as possible.
   – Plan to keep the annual backup tape to the locked
     cabinet in another building (arrangement in progress),
     it would speed up system recovery in case serious
     disaster (fire, flood) in the building.

    Special Thank You to:
•    Yoshio Tanaka (AIST)
•    Henry Sukumar (IGCA)
•    Kevin Dong (CNIC CA)
•    Jinny Chien (ASGC CA)
•    WaUe Chen (NCHC CA)



To top