The Open–source PKI Book

A guide to PKIs and Open–source Implementations

Symeon (Simos) Xenitellis

OpenCA Team

This document describes Public Key Infrastructures, the PKIX standards and practical PKI functionality, and gives an overview of available open–source PKI implementations. Its aim is to foster the creation of viable open–source PKI implementations.

The latest version of this document can be found at the OSPKI Book WWW site at http://ospkibook.sourceforge.net/.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being the chapters Chapter 13 ("Contributions") and the Colophon ("About this document"), with Front-Cover Texts being the text "The Open–source PKI Book, A guide to PKIs and Open–source Implementations" and with Back-Cover Texts being the text "The author's studies are funded by State's Scholarship Foundation (SSF) of Greece". A copy of the license is included in Appendix E entitled "GNU Free Documentation License".


Table of Contents
1. Purpose of this document
2. Introduction to Cryptography
Cryptographic Algorithms
Message Digests
Digital Signatures
Certificates
Certification Authority
3. Basic functionality of a Public Key Infrastructure [TODO]
Creation of the key–pair and the certificate request
Signing of the certificate request by the Certification Authority
Certification Authority chains
Typical uses of public key cryptography
4. General implementation overview
Prerequisites
Useful open–source software
Initialisation of the Certification Authority
Generate the RSA key–pair for the CA
Create a self–signed CA Certificate
User/Server key generation and signing
Generate the RSA key–pair for a user/server
Generate a certificate request
Ask the CA to sign the certificate request
5. PKI standards and specifications
Internet X.509 Public Key Infrastructure (PKIX)
Architecture for Public-Key Infrastructure (APKI)
The NIST Public Key Infrastructure Program
6. Internet X.509 Public Key Infrastructure (PKIX)
Abbreviations
Concepts
Certificate–using Systems and PKIs
Certificate–using Systems and PMIs
Overview of the PKIX approach
PKIX standardisation areas
Public–key infrastructure functionality
Public–Key Infrastructure (PKI)
Privilege Management Infrastructure (PMI)
7. Open-Source Implementations
The pyCA Certification Authority
The OpenCA Project [TODO]
OpenCA Layout
OpenCA Abbreviations
Software packages
Functionality of the CA Server (CAServer)
Functionality of the RA Server (RAServer)
Functionality of the RA Operators (RAOperators)
Status of the OpenCA Project
Future OpenCA work
The Oscar Public Key Infrastructure Project
Jonah: Freeware PKIX reference implementation
Mozilla Open Source PKI projects
Personal Security Manager (PSM)
Network Security Services (NSS)
JavaScript API for Client Certificate Management
MISPC Reference Implementation
8. How to get software support
9. Supported Crypto hardware and Software architectures
TrustWay Crypto PCI 2000
PowerCrypt Encryption Accelerator
CryptoSwift eCommerce Accelerator
Movement for the Use of Smart Cards in a Linux Environment (MUSCLE)
Linux Smart Card Starter's Kit from Schlumberger
The gpkcs11 PKCS#11 open–source implementation
Common Data Security Architecture (CDSA)
Single Sign–on
The KeyMan PKI Management Tool
Distributed Audit Service (XDAS)
Generic Security Service API (GSS-API)
Simple Network Time Protocol (SNTP)
Lightweight Directory Access Protocol (LDAP)
S/MIME CMS [TODO]
10. Critical discussion [TODO]
11. Benefits of an Open–Source PKI implementation [TODO]
12. Trademarks
13. Contributions
A. Perl modules
Locating Perl modules
Installing Perl modules
B. Sample Certificate Documents
Sample Encrypted Private Key in PEM format (2048 bits)
Sample Private Key in PEM format (2048 bits)
Sample Private Key in TXT format (2048 bits)
Sample CA Certificate in PEM format
Sample CA Certificate in TXT format
Sample certificate request in PEM format
Sample certificate request in TXT format
C. Description of Public Key Algorithms
How does RSA work?
Description
Practical example
How does El Gamal work?
Description
Example
D. OpenCA Installation details
Software installation sequence
Installation of Perl modules
Installation of OpenCA–specific modules
Installation of OpenCA
WWW Server installation
LDAP installation
openssl.cnf configuration for OpenCA
E. License
GNU Free Documentation License
PREAMBLE
APPLICABILITY AND DEFINITIONS
VERBATIM COPYING
COPYING IN QUANTITY
MODIFICATIONS
COMBINING DOCUMENTS
COLLECTIONS OF DOCUMENTS
AGGREGATION WITH INDEPENDENT WORKS
TRANSLATION
TERMINATION
FUTURE REVISIONS OF THIS LICENSE
Colophon
Glossary
Bibliography
List of Tables
6-1. PKIX Terms
6-2. Table of RFCs for PKIX documents
6-3. PKI functionality
6-4. PKI components
6-5. PMI components
7-1. OpenCA Abbreviations
7-2. Current Versions of OpenCA prerequisite software
8-1. WWW Support Locations
D-1. Software installation matrix
D-2. CAServer installation parameters
D-3. RAServer WWW Server installation parameters
D-4. RAServer installation parameters
D-5. RAServer WWW Server installation parameters
D-6. RAOperator WWW Server installation parameters
D-7. openssl.cnf default values
List of Figures
6-1. PKI Entities
6-2. Attribute Certificate Exchanges
7-1. Current OpenCA Layout