SlideShare a Scribd company logo

Build and Operate Your Own Certificate Management Center of Mediocrity

Download as PPTX, PDF
T.Rob Wyatt
T.Rob Wyatt

Building and operating a robust internal Certificate Authority is difficult and expensive. Fortunately, building a Certificate Authority Center of Mediocrity (CACOM) is *much* cheaper, and can be done in your spare time. Follow these instructions to create your own CACOM or to discover if you already have one.

Technology
1 of 44
How To Build And Operate A Certificate Authority Center of Mediocrity (CACOM) T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com Capitalware's MQ Technical Conference v2.0.1.4
This presentation reflects… My current opinions regarding WMQ security The product itself continues to evolve (even in PTFs) Attacks only get better with time This version of the presentation is based on WebSphere MQ v7.1 & v7.5 This content will be revised over time so please be sure to check for the latest version at https://t-rob.net/links Your thoughts and ideas are welcome
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
A disinterested 3rd party A stable, long-lived entity A pool of specialized and deep security skills An implementation of strict physical controls An implementation of strict human processes An investigatory service A revocation service Part of a consortium that provides a consistent set of well-defined services
Oh yeah… They sign certificates once in a while.
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
First need to understand the certificate. Bound to An identity A key Pair = A certificate
First need to understand the certificate. The identity and key are bound using a cryptographic Identity Bound to Key Pair = Certificate signature.
First need to understand the certificate. Self-signed means that the key in the certificate is the same one used to sign the Identity Bound to Key Pair = Certificate certificate.
First need to understand the certificate. Special Note: Self-signed does NOT mean “signed with our internal CA.” Self-signed has a specific technical meaning describing the relationship between the identity and the key used to bind it. Identity Bound to Key Pair = Certificate
First need to understand the certificate. When the certificate is signed by an external key, it is Identity Bound to Key Pair = Certificate said to be CA-signed.
Signs the certificate. Validates the claimed identity. Enforce policy on the Distinguished Name fields. Ensures unique names within its namespace. Provides revocation services. Maintains key lifecycle for root, intermediate and signed certificates. Disinterested 3rd party provides bilateral trust.
Relying parties typically need much less security than the CA. Generate the cert signing requests securely. Review and approve requests at the CA. Keep the keystore files private. Most of the heavy lifting is offloaded to the CA.
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Cost savings. Convenience. The trick is to fully account for all of the service and security provided by the CA. Replacing those services internally is expensive. Omitting them is dangerous. How do you find the balance?
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
SAS70 key ceremony used to generate roots. Root certs stored in an offline HSM. Dual-knowledge access controls for roots. Multiple intermediate signers. Secure, robust provisioning process for certs and revocation entries. Highly available and separate provisioning and revocation infrastructure.
ISO 21188:2006 Public key infrastructure for financial services – Practices and policy framework ETSI TS 101 456 v1.2.1 ETSI TS 102 042 V1.1.1 Webtrust Program For Certification Authorities
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
To run a true Center of Mediocrity, one must first determine which CA Best Practices to omit. The quickest way to begin is to omit all of them right off the bat. Then add back in those that give the appearance of security at little or no cost. The CACOM is your BFF. Once you have it, you’ll never get the money to build a CACOE. Why? Because what we have seems to work just fine.
The stories you are about to hear are true. Only the names have been changed to protect the (not so) innocent. My name is T.Rob. I carry a laptop.
All of the items in the following pages were observed in Production somewhere. Banking, finance, insurance, healthcare, govt. These are your vendors!
Hundreds of thousands of entries explain which commands to issue in order to “set up a Certificate Authority.” Try to find even one that tells you the commands and describes some of the physical and procedural controls commercial CAs use and why running an internal CA without these controls is a bad idea.
Hardware Security Modules are so expensive! And vaults? Don’t even go there! Most CACOM’s today store the root cert on an administrator’s workstation or laptop. If you start out this way, eventually moving it to a server in a locked datacenter will appear very secure by comparison and nobody will ask about an HSM, a vault or a key signing ceremony. Booyah!
Certificate provisioning and revocation must be highly available to support critical business apps. So if the CA is run off of administrator’s workstations, it stands to reason that each administrator must be able to manage certs independently. Give each admin their own copy of the root cert. Or if a central server is used, give a copy of the root to each admin for emergencies.
Intermediate signers provide classes of service, isolation, higher security for the root cert, etc. But someone has to manage those things, and we do that with Notepad. We plan to evaluate several PKI products someday and we will start using intermediate certs then.
Certificate extensions can specify policies that control the ways that a certificate can be used. Understanding and checking certificate policies requires deep skill. Certs with no policies set can be used for many purposes, such as encryption, code signing or signing other certificates. These are very versatile. What could go wrong?
Security certified administrators who understand X.509 certificates, TLS/SSL and all of the PKCS standards are expensive! Formally building skills in house is less expensive, but takes time. Fortunately, your average administrator can pick up all they need to know with a few Google searches! Certifications and formal training are SO overrated, right?
A certificate represents an identity. Because the Center of Mediocrity is concerned mainly with cost, it is common to re-use the same personal certificate across multiple, even unrelated, systems. A QMgr is a QMgr is a QMgr, right? Generate a single cert called QMgr and be done with it.
Anyone who can read the configuration files and keystores can use your personal cert. Fortunately, only authorized admins ever have access to the filesystem in a CACOM so filesystem controls are redundant. What’s that you say? Layered defense is good? Not when aspiring to mediocrity!
Credentials need to be both provisioned and revoked. Sometimes they need to be revoked prior to their natural expiry. A primary characteristic of a mediocre CA is that a revocation responder service is planned for later. A revocation service that is not highly available is just as bad, possibly worse.
Ideally, personal certs are generated where they will be used and not moved. Central management and key backup is possible but difficult to do securely. In a CACOM, centrally generated certs are distributed over FTP, email, shared drives, etc.
Sometimes it isn’t your CA that places you at risk, but rather your business partner’s CA. A CACOM will assume the partner’s certificates are trustworthy without question. The next slides are examples of this.
The root cert is the thing that controls who can bind an identity to a key pair. Any trusted root can generate a cert claiming any identity. Now that the internal CE Center of Mediocrity has become so popular, you will have occasion to trust the internal root CA certificates of your business partners. Go ahead and drop these right into the trust store. What could go wrong?
If you are using AMS with Privacy (encryption) then you will need to trust the personal cert of the app, user or business partner. A commercial CA will have set the IsCA=No and PathLength=0 flags to ensure that personal certificates cannot also sign other certificates. The typical CACOM does not know or care about such things and will place any certificate from any source into the trust store. What could go wrong?
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Baseline S e c u r i t y L e v e l Skill Level Best!
Baseline S e c u r i t y L e v e l Skill Level Best! Worse than doing nothing
Possibly, yes! Because… • People take more risks when they believe it is safe to do so. • Poor implementation can make it easier Baseline S e c u r i t y L e v e l • You rarely get a second chance to implement security. Skill Level Best! to break in. Wore than doing nothing
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Running a robust internal CA is expensive. Can be cost justified, given enough certs. Cost savings almost always correspond to some loss of effective security. Know what you are omitting and the offsetting risk. Deep skill is essential! Formal training is highly recommended. Beware of other people’s CACOM!
Capitalware's MQ Technical Conference v2.0.1.4 Questions & Answers
Thank you! T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com

Recommended

Smart Hotel Solution Proposal to Hoteliers
Smart Hotel Solution Proposal to HoteliersSmart Hotel Solution Proposal to Hoteliers
Smart Hotel Solution Proposal to HoteliersBlynk Systems Pvt Ltd
 
Magento
MagentoMagento
MagentoScreen Pages
 
Trademarks, the Metaverse, and NFTs, Oh My!
Trademarks, the Metaverse, and NFTs, Oh My!Trademarks, the Metaverse, and NFTs, Oh My!
Trademarks, the Metaverse, and NFTs, Oh My!Knobbe Martens - Intellectual Property Law
 
nft-explained.pptx
nft-explained.pptxnft-explained.pptx
nft-explained.pptxVaibhavSingh707313
 
AWS Customer Presentation - Twilio
AWS Customer Presentation - TwilioAWS Customer Presentation - Twilio
AWS Customer Presentation - TwilioAmazon Web Services
 
Blockchain Technology ppt project.pptx
Blockchain Technology ppt project.pptxBlockchain Technology ppt project.pptx
Blockchain Technology ppt project.pptxSahilBansal648873
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumMurughan Palaniachari
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Fermat Jade
 

Recommended

Smart Hotel Solution Proposal to Hoteliers
Smart Hotel Solution Proposal to HoteliersSmart Hotel Solution Proposal to Hoteliers
Smart Hotel Solution Proposal to HoteliersBlynk Systems Pvt Ltd
 
Magento
MagentoMagento
MagentoScreen Pages
 
Trademarks, the Metaverse, and NFTs, Oh My!
Trademarks, the Metaverse, and NFTs, Oh My!Trademarks, the Metaverse, and NFTs, Oh My!
Trademarks, the Metaverse, and NFTs, Oh My!Knobbe Martens - Intellectual Property Law
 
nft-explained.pptx
nft-explained.pptxnft-explained.pptx
nft-explained.pptxVaibhavSingh707313
 
AWS Customer Presentation - Twilio
AWS Customer Presentation - TwilioAWS Customer Presentation - Twilio
AWS Customer Presentation - TwilioAmazon Web Services
 
Blockchain Technology ppt project.pptx
Blockchain Technology ppt project.pptxBlockchain Technology ppt project.pptx
Blockchain Technology ppt project.pptxSahilBansal648873
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumMurughan Palaniachari
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Fermat Jade
 
NFTs and Their Role in The Metaverse
NFTs and Their Role in The MetaverseNFTs and Their Role in The Metaverse
NFTs and Their Role in The Metaverse101 Blockchains
 
NFTs explained
NFTs explainedNFTs explained
NFTs explainedarunchatterjee14
 
Netflix MSA and Pivotal
Netflix MSA and PivotalNetflix MSA and Pivotal
Netflix MSA and PivotalVMware Tanzu Korea
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
How To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.comHow To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.comKathy Gill
 
Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)Cygnet Infotech
 
Gary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust OverviewGary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust OverviewJohn Blue
 
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트Amazon Web Services Korea
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Order management, provisioning and activation
Order management, provisioning and activationOrder management, provisioning and activation
Order management, provisioning and activationVijayIndra Shekhawat
 
Headless Commerce
Headless Commerce Headless Commerce
Headless Commerce Bournemouth University
 
Non-fungible tokens (nfts)
Non-fungible tokens (nfts)Non-fungible tokens (nfts)
Non-fungible tokens (nfts)Gene Leybzon
 
Infrestructura pki
Infrestructura pkiInfrestructura pki
Infrestructura pkiCecyCueva
 
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>Naoto Miyachi
 
Blockchain
BlockchainBlockchain
BlockchainLiam Moore
 
Introducción a los contratos inteligentes
Introducción a los contratos inteligentesIntroducción a los contratos inteligentes
Introducción a los contratos inteligentesCentro de Desarrollo de Competencias Digitales de Castilla-La Mancha
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
 
Lightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best PracticesLightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best PracticesSalesforce Developers
 
414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integrationTrevor Dolby
 
Block Chain
Block ChainBlock Chain
Block ChainMd.Noman Hasan
 
Let’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsT.Rob Wyatt
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows T.Rob Wyatt
 

More Related Content

What's hot

NFTs and Their Role in The Metaverse
NFTs and Their Role in The MetaverseNFTs and Their Role in The Metaverse
NFTs and Their Role in The Metaverse101 Blockchains
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
How To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.comHow To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.comKathy Gill
 
Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)Cygnet Infotech
 
Gary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust OverviewGary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust OverviewJohn Blue
 
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트Amazon Web Services Korea
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Order management, provisioning and activation
Order management, provisioning and activationOrder management, provisioning and activation
Order management, provisioning and activationVijayIndra Shekhawat
 
Non-fungible tokens (nfts)
Non-fungible tokens (nfts)Non-fungible tokens (nfts)
Non-fungible tokens (nfts)Gene Leybzon
 
Infrestructura pki
Infrestructura pkiInfrestructura pki
Infrestructura pkiCecyCueva
 
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>Naoto Miyachi
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
 
Lightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best PracticesLightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best PracticesSalesforce Developers
 
414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integrationTrevor Dolby
 

What's hot (20)

NFTs and Their Role in The Metaverse
NFTs and Their Role in The MetaverseNFTs and Their Role in The Metaverse
NFTs and Their Role in The Metaverse
 
NFTs explained
NFTs explainedNFTs explained
NFTs explained
 
Netflix MSA and Pivotal
Netflix MSA and PivotalNetflix MSA and Pivotal
Netflix MSA and Pivotal
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
How To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.comHow To Embed SlideShare Shows Into WordPress.com
How To Embed SlideShare Shows Into WordPress.com
 
Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)Introduction to Blockchain-as-a-Service (BaaS)
Introduction to Blockchain-as-a-Service (BaaS)
 
Gary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust OverviewGary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
Gary B. Rodrigue - What is Blockchain? IBM Food Trust Overview
 
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
[AWS Innovate 온라인 컨퍼런스] 수백만 사용자 대상 기계 학습 서비스를 위한 확장 비법 - 윤석찬, AWS 테크 에반젤리스트
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Order management, provisioning and activation
Order management, provisioning and activationOrder management, provisioning and activation
Order management, provisioning and activation
 
Headless Commerce
Headless Commerce Headless Commerce
Headless Commerce
 
Non-fungible tokens (nfts)
Non-fungible tokens (nfts)Non-fungible tokens (nfts)
Non-fungible tokens (nfts)
 
Infrestructura pki
Infrestructura pkiInfrestructura pki
Infrestructura pki
 
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
今更聞けない電子認証入門 -OAuth 2.0/OIDCからFIDOまで- <改定2版>
 
Blockchain
BlockchainBlockchain
Blockchain
 
Introducción a los contratos inteligentes
Introducción a los contratos inteligentesIntroducción a los contratos inteligentes
Introducción a los contratos inteligentes
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
 
Lightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best PracticesLightning Experience with Visualforce Best Practices
Lightning Experience with Visualforce Best Practices
 
414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration
 
Block Chain
Block ChainBlock Chain
Block Chain
 

Viewers also liked

Let’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsT.Rob Wyatt
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows T.Rob Wyatt
 
What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)T.Rob Wyatt
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesMorag Hughson
 
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...T.Rob Wyatt
 
IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0Matthew White
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveMorag Hughson
 

Viewers also liked (8)

Let’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal Clouds
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
 
What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
 
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
 
IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep Dive
 

Similar to Build and Operate Your Own Certificate Management Center of Mediocrity

The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesCheapSSLsecurity
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates RapidSSLOnline.com
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEntrust Datacard
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made EasyJason Newell
 
eBook_PKI-AreYouDoingItWrong2022-f.pdf
eBook_PKI-AreYouDoingItWrong2022-f.pdfeBook_PKI-AreYouDoingItWrong2022-f.pdf
eBook_PKI-AreYouDoingItWrong2022-f.pdfHaNguyenThanh21
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security auditDianne Douglas
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015sllongo3
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330Jim Kramer
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
Understanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecCheapSSLsecurity
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Avirot Mitamura
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
 
CCM_WP-9-8-16-v10__MT_GP_Final
CCM_WP-9-8-16-v10__MT_GP_FinalCCM_WP-9-8-16-v10__MT_GP_Final
CCM_WP-9-8-16-v10__MT_GP_FinalGreg Posten
 

Similar to Build and Operate Your Own Certificate Management Center of Mediocrity (20)

The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made Easy
 
eBook_PKI-AreYouDoingItWrong2022-f.pdf
eBook_PKI-AreYouDoingItWrong2022-f.pdfeBook_PKI-AreYouDoingItWrong2022-f.pdf
eBook_PKI-AreYouDoingItWrong2022-f.pdf
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
Understanding The World Of SSL Certificates.pdf
Understanding The World Of SSL Certificates.pdfUnderstanding The World Of SSL Certificates.pdf
Understanding The World Of SSL Certificates.pdf
 
Understanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by Symantec
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
Tech t18
Tech t18Tech t18
Tech t18
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
CCM_WP-9-8-16-v10__MT_GP_Final
CCM_WP-9-8-16-v10__MT_GP_FinalCCM_WP-9-8-16-v10__MT_GP_Final
CCM_WP-9-8-16-v10__MT_GP_Final
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Build and Operate Your Own Certificate Management Center of Mediocrity

  • 1. How To Build And Operate A Certificate Authority Center of Mediocrity (CACOM) T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com Capitalware's MQ Technical Conference v2.0.1.4
  • 2. This presentation reflects… My current opinions regarding WMQ security The product itself continues to evolve (even in PTFs) Attacks only get better with time This version of the presentation is based on WebSphere MQ v7.1 & v7.5 This content will be revised over time so please be sure to check for the latest version at https://t-rob.net/links Your thoughts and ideas are welcome
  • 3. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 4. A disinterested 3rd party A stable, long-lived entity A pool of specialized and deep security skills An implementation of strict physical controls An implementation of strict human processes An investigatory service A revocation service Part of a consortium that provides a consistent set of well-defined services
  • 5. Oh yeah… They sign certificates once in a while.
  • 6. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 7. First need to understand the certificate. Bound to An identity A key Pair = A certificate
  • 8. First need to understand the certificate. The identity and key are bound using a cryptographic Identity Bound to Key Pair = Certificate signature.
  • 9. First need to understand the certificate. Self-signed means that the key in the certificate is the same one used to sign the Identity Bound to Key Pair = Certificate certificate.
  • 10. First need to understand the certificate. Special Note: Self-signed does NOT mean “signed with our internal CA.” Self-signed has a specific technical meaning describing the relationship between the identity and the key used to bind it. Identity Bound to Key Pair = Certificate
  • 11. First need to understand the certificate. When the certificate is signed by an external key, it is Identity Bound to Key Pair = Certificate said to be CA-signed.
  • 12. Signs the certificate. Validates the claimed identity. Enforce policy on the Distinguished Name fields. Ensures unique names within its namespace. Provides revocation services. Maintains key lifecycle for root, intermediate and signed certificates. Disinterested 3rd party provides bilateral trust.
  • 13. Relying parties typically need much less security than the CA. Generate the cert signing requests securely. Review and approve requests at the CA. Keep the keystore files private. Most of the heavy lifting is offloaded to the CA.
  • 14. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 15. Cost savings. Convenience. The trick is to fully account for all of the service and security provided by the CA. Replacing those services internally is expensive. Omitting them is dangerous. How do you find the balance?
  • 16. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 17. SAS70 key ceremony used to generate roots. Root certs stored in an offline HSM. Dual-knowledge access controls for roots. Multiple intermediate signers. Secure, robust provisioning process for certs and revocation entries. Highly available and separate provisioning and revocation infrastructure.
  • 18. ISO 21188:2006 Public key infrastructure for financial services – Practices and policy framework ETSI TS 101 456 v1.2.1 ETSI TS 102 042 V1.1.1 Webtrust Program For Certification Authorities
  • 19. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 20. To run a true Center of Mediocrity, one must first determine which CA Best Practices to omit. The quickest way to begin is to omit all of them right off the bat. Then add back in those that give the appearance of security at little or no cost. The CACOM is your BFF. Once you have it, you’ll never get the money to build a CACOE. Why? Because what we have seems to work just fine.
  • 21. The stories you are about to hear are true. Only the names have been changed to protect the (not so) innocent. My name is T.Rob. I carry a laptop.
  • 22. All of the items in the following pages were observed in Production somewhere. Banking, finance, insurance, healthcare, govt. These are your vendors!
  • 23.
  • 24. Hundreds of thousands of entries explain which commands to issue in order to “set up a Certificate Authority.” Try to find even one that tells you the commands and describes some of the physical and procedural controls commercial CAs use and why running an internal CA without these controls is a bad idea.
  • 25. Hardware Security Modules are so expensive! And vaults? Don’t even go there! Most CACOM’s today store the root cert on an administrator’s workstation or laptop. If you start out this way, eventually moving it to a server in a locked datacenter will appear very secure by comparison and nobody will ask about an HSM, a vault or a key signing ceremony. Booyah!
  • 26. Certificate provisioning and revocation must be highly available to support critical business apps. So if the CA is run off of administrator’s workstations, it stands to reason that each administrator must be able to manage certs independently. Give each admin their own copy of the root cert. Or if a central server is used, give a copy of the root to each admin for emergencies.
  • 27. Intermediate signers provide classes of service, isolation, higher security for the root cert, etc. But someone has to manage those things, and we do that with Notepad. We plan to evaluate several PKI products someday and we will start using intermediate certs then.
  • 28. Certificate extensions can specify policies that control the ways that a certificate can be used. Understanding and checking certificate policies requires deep skill. Certs with no policies set can be used for many purposes, such as encryption, code signing or signing other certificates. These are very versatile. What could go wrong?
  • 29. Security certified administrators who understand X.509 certificates, TLS/SSL and all of the PKCS standards are expensive! Formally building skills in house is less expensive, but takes time. Fortunately, your average administrator can pick up all they need to know with a few Google searches! Certifications and formal training are SO overrated, right?
  • 30. A certificate represents an identity. Because the Center of Mediocrity is concerned mainly with cost, it is common to re-use the same personal certificate across multiple, even unrelated, systems. A QMgr is a QMgr is a QMgr, right? Generate a single cert called QMgr and be done with it.
  • 31. Anyone who can read the configuration files and keystores can use your personal cert. Fortunately, only authorized admins ever have access to the filesystem in a CACOM so filesystem controls are redundant. What’s that you say? Layered defense is good? Not when aspiring to mediocrity!
  • 32. Credentials need to be both provisioned and revoked. Sometimes they need to be revoked prior to their natural expiry. A primary characteristic of a mediocre CA is that a revocation responder service is planned for later. A revocation service that is not highly available is just as bad, possibly worse.
  • 33. Ideally, personal certs are generated where they will be used and not moved. Central management and key backup is possible but difficult to do securely. In a CACOM, centrally generated certs are distributed over FTP, email, shared drives, etc.
  • 34. Sometimes it isn’t your CA that places you at risk, but rather your business partner’s CA. A CACOM will assume the partner’s certificates are trustworthy without question. The next slides are examples of this.
  • 35. The root cert is the thing that controls who can bind an identity to a key pair. Any trusted root can generate a cert claiming any identity. Now that the internal CE Center of Mediocrity has become so popular, you will have occasion to trust the internal root CA certificates of your business partners. Go ahead and drop these right into the trust store. What could go wrong?
  • 36. If you are using AMS with Privacy (encryption) then you will need to trust the personal cert of the app, user or business partner. A commercial CA will have set the IsCA=No and PathLength=0 flags to ensure that personal certificates cannot also sign other certificates. The typical CACOM does not know or care about such things and will place any certificate from any source into the trust store. What could go wrong?
  • 37. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 38. Baseline S e c u r i t y L e v e l Skill Level Best!
  • 39. Baseline S e c u r i t y L e v e l Skill Level Best! Worse than doing nothing
  • 40. Possibly, yes! Because… • People take more risks when they believe it is safe to do so. • Poor implementation can make it easier Baseline S e c u r i t y L e v e l • You rarely get a second chance to implement security. Skill Level Best! to break in. Wore than doing nothing
  • 41. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 42. Running a robust internal CA is expensive. Can be cost justified, given enough certs. Cost savings almost always correspond to some loss of effective security. Know what you are omitting and the offsetting risk. Deep skill is essential! Formal training is highly recommended. Beware of other people’s CACOM!
  • 43. Capitalware's MQ Technical Conference v2.0.1.4 Questions & Answers
  • 44. Thank you! T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com