BEgrid CA info

From Begrid Wiki
Revision as of 09:11, 9 June 2021 by Maintenance script (talk | contribs) (Created page with " == BEGrid CA homepage == Contact: gridca@belnet.beNOSPAM === BEGrid Certification Authority === ***The full BEgrid CA policies and procedures: [http://grid.belnet.be...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

BEGrid CA homepage

Contact: gridca@belnet.beNOSPAM

BEGrid Certification Authority

crl_url=http://gridra.belnet.be/pub/crl/cacrl.pem

CA Alias: BEGrid Hash: 03aa0ecb

Info on differences between the certificates formats *.pfx *.p12*.cer *.crt *.spc *.p7b

pfx, p12

These are PKCS #12 container files, DER encoded. They contain not only certificates, but also private keys in encrypted form. More information on PKCS: http://www.rsasecurity.com/rsalabs/. You can find there an introduction to BER/DER also.

CER

This is an X.509 certificate in binary form, DER encoded. [Distinguished Encoding Rules (DER), is a message transfer syntax specified by the ITU in X.690. It is a method for encoding a data object such as an X.509 certificate, to be digitally signed or to have its signature verified.]

CRT

This is a binary X.509 certificate, encapsulated in text (base-64) encoding.

p7b

This is a PKCS #7 file. PKCS #7 is a container which may contain plain data, signed data, encrypted data, or combination of these. It may also contain set of certificates needed to validate the certification chain. One of possible uses of PKCS #7 is, for example, recertification request -- PKCS #10 certification request encapsulated as plain data in PKCS #7 Signed Data.

Convert between key types

Quattor Client certificate (p12 with passphrase to p12 without passphrase)

When you requested a new certificate for your QC, your browser will generate a private key. When the request has been authorized, you can import the certificate in your browser, and use the browser's functionality to export (or backup) to a p12 file. We name this file quattor_browser.p12 - a passphrase of minimal length of 4 characters will be required...

Copy the file to your Quattor Client in CB6/keys, to process (remove the passphrase):

  • openssl pkcs12 -in quattor_browser.p12 -out quattor.pem -nodes
  • openssl pkcs12 -export -in quattor.pem -inkey quattor.pem -out quattor.p12

Et voila!

Known issues with certificates requests

April 2008: IE7 in Vista

Changes in the way Microsoft enrolls certificates in their latest operating systems (including Vista) lead to an incompatibility when using the OpenCA software that is currently used by BELNET to issue the BEgrid certificates.

More details can be found in this article by Microsoft's TechNet division: http://technet2.microsoft.com/WindowsVista/en/library/73bdca07-a9f0-40d7-a26e-6f4f11759e4c1033.mspx?mfr=true

The BEgrid CA recommend to users to use a different web browser on their Windows Vista machine, namely Firefox 3.

May 2008: Warning: possible weak keys due to vulnerability in Debian PseudoRandom Number Generator

The random number generator in Debian's openssl is annouced to be predictable. This could lead to cryptographic key material being guessable through a brute-force attack given minimal knowledge of the system [ http://metasploit.com/users/hdm/tools/debian-openssl/]. The BEgrid CA recommend to users to use non-Debian based operating system to request their user or host certificates.


Template:TracNotice