2. (cc) 2011 Juanjo Amor and Wikipedia
Some rights reserved. This work is licensed under the Creative Commons
Attribution-ShareAlike License. To view a copy of the full license, see
http://creativecommons.org/licenses/by-sa/3.0/ or write to
Creative Commons, 559 Nathan Abbott Way, Stanford,
California 94305, USA.
Juanjo Amor CACert
7. About Opensistemas
Opensistemas is an international company highly
specialized in offering global IT solutions based
on Open Source and Linux platforms.
13. About Opensistemas
Our Vision: To become the international leader in Open
Source Technologies.
Our Mission: Apply our knowledge of the opportunities offered
by Open Source to deliver effective solutions and innovation to
our customers while promoting the professional development
of our employees and building value for shareholders.
Our Values:
Deliver effective solutions to our customers.
Corporate social responsibility.
Commitment to Open Source.
Ethics and Respect for individuals.
Research and Innovation.
Teamwork.
Commitment to the development of a society connected by
information and knowledge.
16. About Opensistemas
Opensistemas is present in nine locations over five countries: Spain
(Madrid, Valencia, Barcelona, Sevilla, Zaragoza), Chile (Santiago),
Colombia (Bogotá), United Kingdom (London) and China (Shanghai).
27. PKI concepts
PKI meaning...
PKI = Public Key Infrastructure:
a set of hardware, software, people, policies, and procedures
needed to create, manage, distribute, use, store, and revoke
digital certificates.
PKI components...
CA = Certification Authority
RA = Registration Authority
VA = Validation Authority
Public keys (person, server and authority certificates)
Policies and procedures
33. PKI example 1: Standard CA
Standard CAs such as Thawte, Verisign...
CA: Combines the CA, RA and VA roles.
Our browser trusts certificates signed by that CA.
The certificate chain tells the browser about the VA.
Example: Try to get certificate information for a site that uses the Thawte SSL
CA.
40. PKI example 2: The FNMT CA
Spanish FNMT CA
CA: Combines the CA and VA roles.
RA: Delegated to other institutions such as AEAT, city
councils...
The CA certificate is not directly recognized by standard browsers,
so we have to import the CA certificate into the browser.
This is one of the first certificates acknowledged for legally
identifying people or enterprises in Spain.
Example: Import the FNMT certificate and then get its information.
46. PKI example 3: The DGP CA
Spanish DGP (Police) CA
CA: At DGP headquarters
RA: At DGP DNIe offices
VA: Delegated to third parties (FNMT, for example)
This is the CA for the Spanish electronic ID (DNIe). Also
acknowledged for legally identifying people.
Example: Import the DGP certificate and then get its information.
51. Web of Trust
Web of trust
Concept created by the creator of PGP.
Instead of having a “central” CA, we can build a trust
network of signed public keys.
If A signs B, and C trusts A, then C could trust B.
CACert uses a variant of this trust network...
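The signing rule on this slide, worked through as an added example (not code from the talk, from PGP or from CACert): a small signature graph in Python where valid_keys applies the one-hop rule and, as a generalization the slide does not spell out, can optionally follow longer chains. The key holders A, B, D and the signatures in build_sample_web are constructed sample data.

```python
# Added example, not from the slides: the rule "if A signs B and C trusts A,
# then C could trust B" modelled as a signature graph.  The key holders A, B,
# D and the signatures in build_sample_web() are constructed sample data.
from collections import defaultdict

# SIGNATURES[signer] = set of key holders whose public keys `signer` has signed
SIGNATURES = defaultdict(set)


def sign(signer, subject):
    """Record that `signer` has signed (vouched for) `subject`'s public key."""
    SIGNATURES[signer].add(subject)


def valid_keys(trusted_introducers, max_depth=1, signatures=None):
    """Keys a user may accept, given the introducers that user trusts.

    With max_depth=1 (the slide's rule) a key is accepted when it belongs to
    a trusted introducer or was signed by one.  A larger max_depth lets
    acceptance flow further along signature chains; that is a policy choice
    the relying user makes, not something a signature grants by itself, which
    is why a key that is merely accepted does not automatically become an
    introducer.
    """
    sigs = SIGNATURES if signatures is None else signatures
    accepted = set(trusted_introducers)
    frontier = set(trusted_introducers)
    for _ in range(max_depth):
        # keys signed by the current frontier that we have not seen yet
        newly = set()
        for introducer in frontier:
            newly |= sigs.get(introducer, set()) - accepted
        if not newly:
            break
        accepted |= newly
        frontier = newly
    return accepted


def build_sample_web():
    """Constructed sample: A signs B, B signs D; nobody signs A or C."""
    SIGNATURES.clear()
    sign("A", "B")
    sign("B", "D")


if __name__ == "__main__":
    build_sample_web()
    # C trusts only A: B is accepted (signed by A), D is not (signed only by B).
    print(sorted(valid_keys({"A"})))                # ['A', 'B']
    # Allowing one more hop, or trusting B as an introducer, brings D in.
    print(sorted(valid_keys({"A"}, max_depth=2)))   # ['A', 'B', 'D']
    print(sorted(valid_keys({"A", "B"})))           # ['A', 'B', 'D']
```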
61. CACert PKI
What is CACERT?
A community-driven certificate authority.
CACERT issues public key certificates (server,
people) to the public free of charge.
Robot CA: Certificates are automatically signed. These
certificates are considered weak because CAcert does not put
any information in the certificates other than the domain
name or email address (the CommonName field in X.509
certificates).
Web of trust: Meetings, Assurance points, Prospective
Assurers and Assurees.
Assured users can get, for example, email certificates with a
complete CommonName field.
66. CACert inclusion status
Can we use CACert server certificates with some browser?
Yes, we can import the CA certificate and go...
Yes, my Linux distro (Debian, etc.) includes the CA certificate in
the ca-certificates package.
No, my browser does not recognize the certificates and I
cannot trust a strange CA.crt file! (Just like a self-signed
certificate.)
Although Mozilla started a process to include the certificate,
an audit suspended the process, because CACert needed to
improve its management system.
72. CACert web of trust
When you create a new CACert account:
Only your email can be verified.
By meeting other CACert assurers you can get some points:
for adding your real name to your account,
to generate better certificates, and finally,
to become a CACert assurer yourself.
86. CACert web of trust
Some rules:
An assurer can issue you up to 35 points.
You need at least 50 points to have your full name assured
... so you need to be assured by at least two existing assurers.
With 100 points you can also be an assurer
... but you also need to pass an “assurer challenge”.
More rules: When you are promoted to assurer:
Initially, you can issue 10 points to other people, and you get 2
experience points each time you assure somebody.
Once you have 10 experience points, you can issue 15
points to others...
Once you have 50 experience points, you can issue to
others the maximum per session: 35 points.
But in any case, you can issue fewer points than your
maximum if you want.
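The point rules above as an added Python model (not code from the talk or from CACert): the thresholds are the slide's numbers, while Member, assure, veteran and the scenario are constructed, and the model assumes experience points are counted separately from the assurance points a member receives.

```python
# Added example, not from the slides: a model of the CACert assurance point
# rules as the talk states them (35 max per session, 50 for full-name
# assurance, 100 plus the assurer challenge to become an assurer, 10/15/35
# issuable at 0/10/50 experience points).  Assumption: experience points are
# tracked separately from received assurance points; names are constructed.
ASSURED_THRESHOLD = 50
ASSURER_THRESHOLD = 100
MAX_PER_SESSION = 35
EXPERIENCE_PER_ASSURANCE = 2


class Member:
    def __init__(self, name, passed_challenge=False):
        self.name = name
        self.assurance_points = 0    # received from assurers
        self.experience_points = 0   # earned by assuring others
        self.passed_challenge = passed_challenge

    @property
    def assured(self):
        """Full name assured: at least 50 assurance points."""
        return self.assurance_points >= ASSURED_THRESHOLD

    @property
    def is_assurer(self):
        """100 points are necessary but not sufficient: the challenge too."""
        return self.assurance_points >= ASSURER_THRESHOLD and self.passed_challenge

    @property
    def max_issuable(self):
        """Points this member may issue per session, by experience."""
        if not self.is_assurer:
            return 0
        if self.experience_points >= 50:
            return MAX_PER_SESSION
        if self.experience_points >= 10:
            return 15
        return 10


def assure(assurer, assuree, points):
    """Face-to-face assurance: fewer than the maximum is fine, more is not."""
    if not assurer.is_assurer:
        raise PermissionError(f"{assurer.name} is not an assurer")
    if not 0 < points <= assurer.max_issuable:
        raise ValueError(f"{assurer.name} may issue 1..{assurer.max_issuable}")
    assuree.assurance_points += points
    assurer.experience_points += EXPERIENCE_PER_ASSURANCE
    return assuree.assurance_points


def min_assurers_needed(threshold=ASSURED_THRESHOLD, per_session=MAX_PER_SESSION):
    """Fewest maximum-strength assurances needed to reach `threshold`."""
    return -(-threshold // per_session)   # ceiling division: 50/35 -> 2


def veteran(name):
    """Constructed helper: an assurer already at the 35-point tier."""
    m = Member(name, passed_challenge=True)
    m.assurance_points, m.experience_points = ASSURER_THRESHOLD, 50
    return m


if __name__ == "__main__":
    alice = Member("alice")
    assure(veteran("v1"), alice, 35)
    assure(veteran("v2"), alice, 35)
    print(alice.assurance_points, alice.assured)   # 70 True
```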
96. CACert client certificates
A client certificate is used to:
Identify yourself to a web site
Email signing
...
When you create a CACert account, you can get client certificates:
Only the email is certified (by using an email ping)
With 6-month expiration
When you are assured (50 points) you also get:
Name and email certified
24-month expiration
103. CACert server certificates
A server certificate is used to:
Secure a website: identify a server to you
When you create a CACert account, you can get server certificates:
With 6-month expiration
When you are assured (50 points) you also get:
24-month expiration
In all cases, you need to be able to ping the DNS name by receiving a
postmaster email as the DNS owner, and only the website's DNS name is
assured, because CACert assurers are not able to verify the legal owner.
105. Exercises
Final exercises
1. Creating your CACert account.
2. Creating your email certificate, with the browser and then with
openssl.
3. Creating a web certificate, with openssl and apache.
4. Want to be assured?