CUC 2004 / New Frontiers / New Technologies for New Needs
Implementation of open-source PKI solution / A2
Author: Damir Regvart, CARNet, Croatia


CARNet has always looked for better ways to secure its data flows and to improve its authentication and authorization procedures; the PKI implemented in the CARNet network is one step toward that goal.

The aim of this paper is to present a non-commercial (free) open-source tool for establishing a Public Key Infrastructure, and to report our experience integrating that open-source PKI solution (OpenCA) into a heterogeneous environment of Windows and Linux operating systems, together with smart cards for secure storage of the digital certificate and the private key.


In the world of Public Key Infrastructure the identity of a user is represented by a digital ID called a digital certificate. The certificate is the entrance key for authentication and authorization, for signing documents and e-mail, and it is also the cryptographic tool for encrypted point-to-point and point-to-multipoint communication. The certificate holds the user's details: the person's name, the e-mail address (used when signing mail), the organization or unit that issued the certificate (the issuing CA, ultimately the root CA) and the user's public key, all in the X.509 v3 format. The private key, the other half of the key pair, is unique to every user; it is never part of the certificate and is kept on a security device.

A certificate authority (CA) is a service that handles certificate requests by verifying them and issuing digital certificates; it is also the distribution point for valid certificates and for the list of revoked ones. A PKI is organised as a hierarchy, that is, a tree topology of CAs. The root CA at the top is self-signed and must be trusted by the relying party (the user who verifies the sender's signature). To earn that trust, the root CA and the whole PKI built under it must follow high security standards (X.509 [3]: RFC 2459, updated by RFC 3280). In practice, anyone who finds this CA trustworthy will acknowledge the sender's identity when presented with a certificate it issued.

1. PKI
PKI is an abbreviation for Public Key Infrastructure and is generally used to describe the policies, standards and software that manage digital certificates and public/private key pairs. In practice it is a system of digital certificates, certification authorities (CA) and registration authorities (RA) that verify and authenticate the identity of each party involved in an electronic transaction.


A smart card is a credit card-sized device used to securely store public and private keys, passwords and other types of personal information. To use a smart card the user needs a smart card reader attached to the computer and a personal PIN for accessing the card (plus a PUK to unblock the card after too many wrong PIN entries).


The PKI solution in CARNet was based on the open-source PKI software OpenCA [1]. OpenCA is a free, non-governmental project that implements the X.509 certificate profile of RFC 2459 and RFC 3280. The OpenCA PKI Development Project is a collaborative effort to develop a robust, full-featured, open-source, out-of-the-box Certification Authority implementing the most widely used protocols with full-strength cryptography. OpenCA builds on many other open-source projects, among them OpenLDAP, OpenSSL, the Apache HTTP server and Apache mod_ssl.

The OpenCA topology in the CARNet network is implemented on two servers: an offline root CA, which holds the self-signed root certificate and issues and revokes certificates, and an online server hosting the RA, which checks the identity of the persons applying for a digital certificate and, after approving a request, forwards it to the CA for final confirmation. The online server also hosts the public web portal, where a user requests a digital ID and which serves as the publishing point for valid, revoked and suspended certificates.

On the user side, the CARNet open-source PKI shows up as the digital certificate of every CARNet employee, which is stored together with the private key on a smart card and used as the authentication tool for the following services:
- as a digital ID for signing e-documents,
- under Windows, for logging on to the Windows network domain,
- under Linux, for logging on to a personal computer,
- for HTTPS web login,
- for VPN connection authentication, etc.
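The two-server topology above (offline self-signed root CA, an RA that approves requests, a published list of revoked certificates) and the certificate fields named in the introduction (subject name, e-mail, issuer, public key), as an added example that is not part of the paper and not OpenCA's own code: it uses the plain OpenSSL command line, which OpenCA itself builds on, to create a root CA, issue a user certificate from a request, and then revoke it and re-publish the CRL. The organization, person, e-mail address, directory layout and configuration file are all constructed for the demonstration; the RA's identity check is the human step between the request and the signature.

```shell
#!/bin/sh
# Added example: a two-tier PKI of the shape described in the paper, built with
# the OpenSSL command line. All names below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf: CA database layout, the RA's issuance policy, and the
# X.509 v3 extensions for the root certificate and for end-user certificates.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = root_ca

[ root_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/root.crt
private_key      = $dir/root.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_ra
x509_extensions  = user_cert

[ policy_ra ]
organizationName = match
commonName       = supplied
emailAddress     = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ user_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# (1) Offline root CA: self-signed certificate; in production this key stays
#     on the offline machine. Also publishes an initial (empty) CRL.
setup_root_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -extensions root_ext \
    -subj "/O=Example Org/CN=Example Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# (2) User side: key pair plus certificate request. In the CARNet deployment
#     the key pair would be generated on, and never leave, the smart card.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/O=Example Org/CN=Ana Anic/emailAddress=ana.anic@example.org" \
    -keyout user.key -out user.csr 2>/dev/null
}

# (3) RA has approved the request (a human identity check); the CA signs it.
issue_cert() {
  openssl ca -batch -config ca.cnf -in user.csr -out user.crt -notext 2>/dev/null
}

# (4) Revocation: mark the certificate in the CA database, publish a new CRL.
revoke_cert() {
  openssl ca -config ca.cnf -revoke user.crt -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# What a relying party does: chain check against the root plus a CRL check.
cert_status() {
  if openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem user.crt >/dev/null 2>&1
  then echo good
  else echo revoked
  fi
}

# Fields the relying party reads out of the certificate.
cert_field() {   # usage: cert_field subject|issuer|email
  openssl x509 -in user.crt -noout "-$1" | sed 's/^[a-z]*= *//'
}

setup_root_ca
make_request
issue_cert
STATUS_BEFORE=$(cert_status)
revoke_cert
STATUS_AFTER=$(cert_status)
echo "subject: $(cert_field subject)"
echo "issuer:  $(cert_field issuer)"
echo "e-mail:  $(cert_field email)"
echo "before revocation: $STATUS_BEFORE, after revocation: $STATUS_AFTER"
```

Run it as a script with OpenSSL installed: it prints the subject, issuer and e-mail a relying party reads from the certificate and shows the verification result flip from good to revoked once the new CRL is published. The point of the CRL step is that revocation only takes effect for relying parties who fetch the fresh list, which is why the paper's online server doubles as the publishing point.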

Although the PKI in the CARNet network was built with open-source tools, whose certificates do not by default carry the standing of an accredited CA's certificates in a court of law, the OpenCA solution is a good example of practical use in an academic environment because it fulfils all of the requirements: it is free, and it can be upgraded and customized for every need of the academic community (student ID cards, etc.).

[1] The OpenCA PKI Development Project
[2] M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment)
[3] IETF Public-Key Infrastructure (X.509) (pkix) working group charter

Damir Regvart is a CARNet (Croatian Academic and Research Network) employee working in the R&D department. Damir received his BSc degree in Electrical Engineering from the University of Zagreb, Faculty of Electrical Engineering and Computing, in 2002, and his CCNA certificate in 2004. With his colleagues he started working on the implementation of a PKI solution and its integration with smart cards in the CARNet network in September 2003; work on the first phase of the PKI project ended in May 2004. His research interests are secure network communication, implementation of new network protocols and WAN technologies.

Copyright © 1991-2004 CARNet. All rights reserved.