Embed Size (px)
Citation preview
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
Munich, May 2018
PKI AUTOMATION IN THE CLOUD
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
PKI - THE INFRASTRUCTURE
Online - AWS Cloud
Server EU
Server EU
OCSP Integ.
Server EU
Server EU
OCSP US
Server EU
Server EU
OCSP EU
Offline - inaccesible Offline
Root CA
TLS CA
Backend CA
Client CA
TLS EU CA
TLS US CA
TLS Integ. CA
Client EU CA
Client US CA
Client Integ. CA
Server EU
Server EU
Server EU
Server US
Server US
Server US
Server AP
Server AP
Server Integ.
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
CHALLENGES & RISKS
Challenges:
● Multiple environments
○ Multiple CAs
○ DN naming structure
○ Overview
● Multiple suppliers
● Scaling of instances
● CRL maintenance
Risks:
● Human factor
○ CSRs with wrong DNs
○ CSRs with identical keys
○ CRTs from wrong CA
○ CRTs from wrong CSR
● Response time
○ manual effort during scaling
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
SOLUTION: AUTOMATION
Semi-automated workflow:Provisioning of a new container
(CA, OCSP, Server)
Automated PKI setup(generate Key and CSR)
Automated CSR submission(PKI Proxy)
Manual CSR submission(PKI Proxy)
Offline signing(with validation)
Manual CRT submission
Automated CRT download(PKI Proxy)
Manual CRT download(PKI Proxy)
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: UPLOAD CSR
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: UPLOADED CSR
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: ADD DETAIL INFORMATION
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: ADD VALIDATION INFORMATION
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: VALIDATE AND SIGN CSR
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
STEP-BY-STEP: DOWNLOAD SIGNED CRT
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
SOLUTION: AUTOMATION
Benefits:
● Validation○ of DNs in CSRs○ of signed CRTs
● Assistance○ automated assignment of signing CAs○ automated assignment of certificate purpose○ documentation○ overview
● Self-Service○ semi automated process○ authentication / authorization○ faster
digital.Media.Solutions
© AMAN Media GmbH – Jens Rosenthal
digital.Media.Solutions
QUESTIONS?
Time for questions
JENS ROSENTHALSoftware Architect
AMAN digital media solutionswww.aman.de / [email protected]
![[MS-OCSP]: Online Certificate Status Protocol …...The Online Certificate Status Protocol (OCSP) Extensions provide the Microsoft implementation of the Lightweight Online Certificate](https://img.pdfslide.net/doc/110x75/5f0d84e97e708231d43ac2e5/ms-ocsp-online-certificate-status-protocol-the-online-certificate-status.jpg)
![IBM Education Assistance for z/OS V2R2...DNS name or IP address of the OCSP proxy server – gsk_attribute_[sg]et_buffer() - Default: NULL GSK_OCSP_PROXY_SERVER_PORT [1 – 65535]](https://img.pdfslide.net/doc/110x75/5f9a58f8a6ce72614c544eca/ibm-education-assistance-for-zos-dns-name-or-ip-address-of-the-ocsp-proxy-server.jpg)
![[MS-OCSP]: Online Certificate Status Protocol (OCSP) Extensions · 2017-09-06 · [MS-OCSP]: Online Certificate Status Protocol (OCSP) Extensions ... If you have access to Microsoft](https://img.pdfslide.net/doc/110x75/5fb0183def3074633e691cf9/ms-ocsp-online-certificate-status-protocol-ocsp-extensions-2017-09-06-ms-ocsp.jpg)
![[MS-OCSP]: Online Certificate Status Protocol (OCSP ...download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D... · [MS-OCSP]: Online Certificate Status Protocol (OCSP)](https://img.pdfslide.net/doc/110x75/5b8483987f8b9aea498c7a92/ms-ocsp-online-certificate-status-protocol-ocsp-ms-ocsp-online-certificate.jpg)