Flexible Certificate Management for Secure HTTPS Client/Server Communication

Zhang, Jing

January 2005

<p>Certificate management is a crucial element in PKI implementations, which includes certificate generation, distribution, storage, and revocation. Most of the existing research has been focusing on the security aspect or the functionality and the structure of certificate management systems. Very little has looked at the actual user requirements for the system and how users can use the system conveniently and practically, which is actually a very important factor for the whole security system to work properly and to be widely accepted.</p><p>In this thesis we have designed a framework that provides a flexible certificate management for different security levels according to user requirements and situations, and with a user-friendly interface. A certificate management system CSA (Certificate Server Adapter) is implemented for HP OpenView Operations for Windows (OVO/Windows), which is a management software product provided by Hewlett-Packard. The CSA helps OVO/Windows to provide secure HTTPS client/server communication. Tests show that it offers a good enough security for all situations without compromise and, at the same time, the best convenience and flexibility are achieved. However, the CSA can be further improved to have a lifetime management of the created certificates, an enhanced user interface, and an API to plug-in other PKI solutions.</p>

Certificate Management

PKI

HTTPS

Computer science

Datavetenskap

Flexible Certificate Management for Secure HTTPS Client/Server Communication

Zhang, Jing

January 2005

Certificate management is a crucial element in PKI implementations, which includes certificate generation, distribution, storage, and revocation. Most of the existing research has been focusing on the security aspect or the functionality and the structure of certificate management systems. Very little has looked at the actual user requirements for the system and how users can use the system conveniently and practically, which is actually a very important factor for the whole security system to work properly and to be widely accepted. In this thesis we have designed a framework that provides a flexible certificate management for different security levels according to user requirements and situations, and with a user-friendly interface. A certificate management system CSA (Certificate Server Adapter) is implemented for HP OpenView Operations for Windows (OVO/Windows), which is a management software product provided by Hewlett-Packard. The CSA helps OVO/Windows to provide secure HTTPS client/server communication. Tests show that it offers a good enough security for all situations without compromise and, at the same time, the best convenience and flexibility are achieved. However, the CSA can be further improved to have a lifetime management of the created certificates, an enhanced user interface, and an API to plug-in other PKI solutions.

Certificate Management

PKI

HTTPS

Computer science

Datavetenskap

Survey of domains and CAs re-garding certificate managementand certificate revocations : Ananalysis of certificate management and certificate revocation / Undersökning av domäner och CAs angående certifikathantering och certifikatåterkallelser

Nilsén, Hanna, Bergström, Matilda

January 2024

This document presents the findings and methodology of a bachelor’s thesis project that aimed to understand the challenges and strategies associated with certificate manage- ment practices and revocation processes among domains and certificate authorities (CAs). Initially, the goal was to gain insights into the intricacies of certificate management through a comprehensive survey. To achieve this, a survey comprising relevant questions was designed and distributed to both CAs and domains. The survey focused on four main areas: issuance, certificate management and revocation, and other. The top 30 CAs were identified using Tranco’s list, and 20 domains associated with each CA were selected to receive the survey, which was then sent out by email. After reviewing the responses, it became evident that the project encountered chal- lenges in attracting sufficient participation from both CAs and domains. Despite our efforts to engage participants, the low response rate was anticipated and provides insight into the level of engagement and transparency within the industry. Consequently, the report also investigates the reasons behind the low response rate and the various types of non-answers received from domains. The report explores various factors contributing to the low response frequency and ex- amines the implications of this limitation on the study’s original objectives. The responses received from CAs still provide valuable insights into certificate management practices and highlight the need for improved communication strategies for future surveys. In conclusion, while the primary aim of the project was to understand certificate man- agement challenges and strategies, the report evolved to include a discussion on the im- plications of the low response rate and the potential for redesigning surveys to enhance participation. Additionally, the findings suggest avenues for future research, such as ex- ploring certificate transparency, certificate authority accountability, and the influence of emerging technologies on certificate management.

Certificate Management

Certificate Authorities (CAs)

Revocation Processes

Digital Certificates

Certificate Issuance

Survey Participation

Computer Sciences

Datavetenskap (datalogi)

Public certificate management : An analysis of policies and practices used by CAs / Offentlig certifikathantering : En analys av policys och praxis som används av CAs

Bergström, Anna, Berghäll, Emily

January 2021

Certificate Authorities (CAs) carry a huge responsibility in today's internet security landscape as they issue certificates that establish secure end-to-end connections. This thesis conducts a policy review and survey of CAs' Certificate Policies and Certificate Practice Statements to find similarities and differences that could lead to possible vulnerabilities. Based on this, the thesis then presents a taxonomy-based analysis as well as comparisons of the top CAs to the Baseline Requirements. The main areas of the policies that were focused on are the issuance, revocation and expiration practices of the top 30 CAs as determined by the use of Tranco's list. We also determine the top CA groups, meaning the CAs whose policies are being used by the most other CAs as well as including a top 100 CAs list. The study suggests that the most popular CAs hold such a position because of two main reasons: they are easy to acquire and/or because they are connected to several other CAs.  The results suggest that some of the biggest vulnerabilities in the policies are what the CAs do not mention in any section as it puts the CA at risk for vulnerabilities. The results also suggest that the most dangerous attacks are social engineering attacks, as some of the stipulations for issuance and revocations make it possible to pretend to be the entity of subscribes to the certificate rather than a malicious one.

Certificate

Issuance

Revocation

Expiration

Certificate Authority

Certificate Policy

Certificate Practice Statement

Certificate Management

Policy review

Social engineering

CA/Browser forum

Baseline Requirements

Computer Sciences

Datavetenskap (datalogi)