Preface.

The X.509-based Public Key Infrastructure is a basic component used to provide secure network communication. Among other things, it is used as part of secure web server transactions (SSL, TLS), IP transport security (IPsec), encrypted and signed e-mail traffic (S/MIME), authentication of software packages (Java applets, ActiveX controls), smartcard-based authentication, and many more.

The purpose of the EUR X.509 public key infrastructure is to provide identification and authentication services to entities affiliated with the Erasmus University Rotterdam.

Certificate authority.

The introduction of a PKI into an organisation requires a certificate issuing authority which defines all trust relationships that are established between applications using the PKI.

The EUR Certificate Authority (CA) assumes this role for EUR intranet purposes. It uses a self-signed CA certificate that is the root of a certificate hierarchy constructed in support of PKI-enabled services managed by the EUR. To increase flexibility and manageability, the EUR Root certificate is only used to sign subsidiary CA certificates that are designated for more specific purposes. Currently, four such specific purposes have been identified and implemented:

  • certificates for services: e.g. authenticated/secured infrastructure management systems, secure IMAP service
  • certificates for users: e.g. used for authentication and authorization purposes to EUR-internal services
  • certificates for computers: e.g. to be used to secure remote sessions, set up VPN connections, etc.
  • certificates for signing software packages

The reason for using different CAs for these purposes is that the mechanisms used for management of issued certificates will be different for each category. For instance, the certificate authority that issues machine certificates may elect to implement an automatic enrollment scheme with the understanding that identity verification is outsourced to other systems (e.g. Active Directory).

Certificate Practice Statement.

The EUR Root CA certificate is the trust anchor point of the EUR PKI and is used only to certify the public keys of a limited number of (subsidiary) certificate authority services, each serving a different class of entities within the organization.

1. This Certificate Practice Statement limits the applicability of certificates issued by any of the EUR Certificate Authorities.
2. Certificates issued by the EUR CA only apply to services, equipment and employees associated with the Erasmus University Rotterdam.
3. The EUR CA will only issue certificates with subject names that fall within the distinguished name space associated with and managed by the EUR.
4. Certificates issued to services are used to set up secure communication channels to services provided by EUR servers.
5. Certificates issued to users are used for authentication purposes when setting up communication with EUR services.

The following applies to all certificates issued by the EUR PKI framework:

1. all distinguished names bound to public keys end in 'DC=EUR,DC=NL'.

Several subordinate CA services are currently deployed that certify public keys of entities in these three classes:

1. services; public keys are bound to names representing services offered by and under direct control of the EUR. As such, certificates issued to these services can be held to be completely authoritative for identification and authentication purposes.
2. users; public keys are bound to names representing persons employed as a member of staff by the EUR. A user certificate is issued after establishing the requestor's identity and verifying employee status with the EUR personnel department.
3. machines; public keys are bound to names representing computers. These certificates are issued in an automated fashion using mechanisms that verify the machine's deployment status within the EUR network administrative domain.

Chains.

The EUR certificate chains currently look like this:

  • Root CA certificate subject name: CN=EUR Root CA,DC=EUR,DC=NL
  • Services CA certificate subject name: CN=Services CA,DC=EUR,DC=NL
  • User CA certificate subject name: CN=User CA,DC=EUR,DC=NL
  • Machine CA certificate subject name: CN=Machine CA,DC=EUR,DC=NL
  • Campus Active Directory subordinate CA certificate subject name: CN=AE Services CA,DC=campus,DC=EUR,DC=NL. This subordinate CA is run as part of the CAMPUS.EUR.NL forest Active Directory services and is dedicated to supplying auto-enrollment PKI services based on AD trust relationships.

The CA certificates (including public key info) and CA revocation lists are available at http://pki.eur.nl/. Note: the CA revocation lists must be renewed periodically, lest clients complain about unverifiable certificate chains. The script /usr/local/etc/ssl/crlcron renew assists with the renewal process.
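The name-space rule from the Certificate Practice Statement and the chain layout above can be enforced as a policy check before a certificate is accepted for a given purpose. The following is an added example, not the EUR's own tooling; it works on RFC 4514 string DNs taken from an already signature-verified chain, and the "auto-enroll" class for the AE Services CA is an assumption made here:

```python
# Policy check for the EUR chain layout described above: an added example, not the
# EUR's own tooling. DN strings are RFC 4514 text, e.g. "CN=...,DC=EUR,DC=NL".
NAME_SPACE = ("DC=EUR", "DC=NL")         # CPS: all bound DNs end in DC=EUR,DC=NL
ROOT_DN = "CN=EUR Root CA,DC=EUR,DC=NL"  # self-signed trust anchor
# Issuing CA -> class of entity it certifies, per the Chains section above.
CA_CLASS = {
    "CN=Services CA,DC=EUR,DC=NL": "service",
    "CN=User CA,DC=EUR,DC=NL": "user",
    "CN=Machine CA,DC=EUR,DC=NL": "machine",
    "CN=AE Services CA,DC=campus,DC=EUR,DC=NL": "auto-enroll",  # assumed label
}

def split_dn(dn):
    """Split a string DN into RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc or ch != ",":
            cur.append(ch)
            esc = (ch == "\\") and not esc
        else:
            rdns.append("".join(cur).strip())
            cur = []
    rdns.append("".join(cur).strip())
    return rdns

def in_eur_namespace(dn):
    """True when the last two RDNs are DC=EUR,DC=NL (DC values compare case-insensitively)."""
    return tuple(r.upper() for r in split_dn(dn)[-2:]) == NAME_SPACE

def verify_chain(chain):
    """chain: [(subject, issuer), ...] from the end-entity certificate up to the root.
    Returns (entity_class, "ok") when the chain matches the documented layout, else
    (None, reason). Signature and validity checks stay with the X.509 library."""
    if not chain:
        return None, "empty chain"
    for subject, _ in chain:
        if not in_eur_namespace(subject):
            return None, f"subject outside the EUR name space: {subject}"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return None, f"broken link: issuer {issuer!r} is not the next subject"
    if tuple(chain[-1]) != (ROOT_DN, ROOT_DN):
        return None, "chain does not end at the self-signed EUR Root CA"
    if len(chain) < 3:
        return None, "the Root CA signs only subordinate CA certificates"
    issuing_ca = chain[0][1]
    if issuing_ca not in CA_CLASS:
        return None, f"unknown issuing CA: {issuing_ca}"
    return CA_CLASS[issuing_ca], "ok"
```

A caller uses the returned class to apply CPS items 4 and 5: accept "service" for a channel to an EUR server, "user" for user authentication, and reject anything else for that purpose.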

Downloads.

The current EUR root certificate's SHA1 fingerprint is 3A:6B:72:AA:82:9A:06:73:D1:91:4C:40:43:61:FB:55:F8:0F:A6:DD. The certificate can be retrieved using the following links in DER format or in PEM format.

Intermediate CA certificates are also available for download:

  • Services in PEM format
  • Machine in PEM format
  • CAMPUS Active Directory auto-enroll services in DER format
  • TEST CAMPUS Active Directory auto-enroll services in DER format

Informational References.

  • http://www.cs.auckland.ac.nz/~pgut001/links.html
  • http://www.nsa.gov
  • http://www.microsoft.com/security/tech/certificates/structuring.asp
  • http://www.rsasecurity.com/rsalabs/pkcs/
  • http://www.openssl.org
  • http://www.modssl.org
  • http://www.ealaddin.com (USB tokens)