Raconte-moi X.509 : anatomie d'une autorité de certification
•
0 likes•33 views
Une plongée dans le monde merveilleux des certificats et des autorités de certification. Comment fonctionne une autorité de certification ? Puis-je avoir confiance et pourquoi ? Comment créer la mienne ?
More Related Content
What's hot
What's hot (20)
Similar to Raconte-moi X.509 : anatomie d'une autorité de certification
Similar to Raconte-moi X.509 : anatomie d'une autorité de certification (20)
Recently uploaded
Recently uploaded (20)
Raconte-moi X.509 : anatomie d'une autorité de certification
- 1. #DevoxxFR Raconte-moi X.509 Anatomie d'une autorité de certification Jean-Christophe Sirot @jcsirot Charles Sabourdin @kanedafromparis 1
- 2. #DevoxxFR 2 Jean-Christophe Sirot Tech lead chez Weborama Charles Sabourin Architecte chez Ippon
- 3. #DevoxxFR Attention ce tlak n’est pas un tlak sur le cyclimse Merci de votre compréhension 3
- 6. #DevoxxFR Hiérarchie 6 Autorité Racine Autorité Intermédiaire 1 End Entity Autorité Intermédiaire 2 Autorité Intermédiaire 3 End Entity
- 7. #DevoxxFR Hiérarchie 7 Autorité Racine Autorité Intermédiaire End Entity Liste de certificats révoqués Liste de certificats révoqués
- 8. #DevoxxFR Et si on commençait par une démo ? 8
- 9. #DevoxxFR Comment est émis un certificat ? 9 Autorité de certification CSRCSR
- 10. #DevoxxFR Et si on continuait avec une autre démo ? 10
- 11. #DevoxxFR Basiquement 11 $ sudo certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):csabourdin@parisjug.org ------------------------------------------------------------------------ Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------- (Y)es/(N)o: Y
- 12. #DevoxxFR Basiquement 12 No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):sample.parisjug.net Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for sample.parisjug.net We were unable to find a vhost with a ServerName or Address of sample.parisjug.net. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported) ------------------------------------------------------------------------- 1: ssl.conf | | HTTPS | Enabled ------------------------------------------------------------------------- Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
- 13. #DevoxxFR Basiquement 13 We were unable to find a vhost with a ServerName or Address of sample.parisjug.net. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported) ------------------------------------------------------------------------- 1: ssl.conf | | HTTPS | Enabled ------------------------------------------------------------------------- Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------- 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- 14. #DevoxxFR Basiquement 14 Created redirect file: le-redirect-sample.parisjug.net.conf Rollback checkpoint is empty (no changes made?) ------------------------------------------------------------------------- Congratulations! You have successfully enabled https://sample.parisjug.net You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=sample.parisjug.net ------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem. Your cert will expire on 2017-07-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
- 15. #DevoxxFR Donc, en pratique 15 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem -text -noout | less (1/1) -- Certificate: Data: Version: 3 (0x2) Serial Number: 03:d8:db:0f:01:17:b4:c5:3a:fe:dc:c5:96:88:8d:55:f8:3f Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Apr 2 18:51:00 2017 GMT Not After : Jul 1 18:51:00 2017 GMT Subject: CN=sample.parisjug.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f9:21:77:6e:08:4e:e6:87:b8:0d:ce:43:62: a0:6d:8b:d0:7e:30:90:4c:6d:f5:19:0c:30:de:01: … Émetteur Validité début - fin Sujet
- 16. #DevoxxFR Donc, en pratique 16 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem -text -noout | less (1/1) -- ed:0b:6e:8f:72:f7:19:e1:d3:3f:27:ea:a6:32:ce: 02:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: F0:33:2F:F4:87:C3:24:F8:F2:DF:95:42:09:8C:00:A3:32:52:AD:D5 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ Extensions Informations sur l’autorité de certification
- 17. #DevoxxFR Donc, en pratique 17 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/ fullchain.pem -text -noout | less (1/1) -- X509v3 Subject Alternative Name: DNS:sample.parisjug.net X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice:Explicit Text: This Certificate may …. Signature Algorithm: sha256WithRSAEncryption 14:bb:2b:5d:56:20:fb:ad:3b:3a:6c:c9:de:33:01:a5:1d:86: a1:c5:b1:94:d6:82:b4:a9:71:2e:63:b9:e4:b8:7f:d4:93:5d: 0c:ed:f7:08:18:53:53:76:31:46:90:ce:34:25:ce:57:b2:0a: a8:9f:fc:33:c9:fb:8f:83:a0:89:49:ab:7c:29:92:d8:e2:ad: … Signature Extensions
- 18. #DevoxxFR Une AC est un tiers de confiance 18
- 19. #DevoxxFR Comment créer la confiance ? 19
- 21. #DevoxxFR Composants d’une IGC (PKI) 21 L’autorité de certification (AC) L’autorité d’enregistrement (AE) Le dépôt
- 22. #DevoxxFR Autorité de Certification 22 • Boîte à signer • Initialisée lors d’une « Cérémonie des clés »
- 23. #DevoxxFR Autorité d’Enregistrement 23 • Composant « administratif » • Reçoit et archive les demandes de certification et les demandes de révocation • S’assure du lien entre le porteur de certificat et la clé publique
- 24. #DevoxxFR Dépôt 24 • Publie les documents liés au fonctionnement de l’IGC • Publie les informations de révocation
- 25. #DevoxxFR 25 Et si je montais mon AC ?
- 26. #DevoxxFR Politique de Certification 26 • Deux documents : Politique de certification (PC) et Déclaration des pratiques de certification (DPC) • Expliquent le fonctionnement de l’AC : gabarits de certificats, cycle de vie des certificats, génération des clés, hébergement des infrastructures... • Références • RFC 3647 « Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework » • En France : Politiques types du Référentiel Général de Sécurité
- 27. #DevoxxFR Mon AC dans Firefox ? 27 • Programme d’inclusion https://www.mozilla.org/en-US/about/governance/policies/ security-group/certs/policy/ • Nécessite (entre autres) un audit de l’autorité de certification ETSI EN 319 411, ETSI TS 102 042, WebTrust… • Processus discrétionnaire