プライベートクラウドでの効率的な証明書配布戦略 / Efficient Certificate Distribution Strategy in Private Cloud

&GGJDJFOU$FSUJGJDBUF%JTUSJCVUJPO4USBUFHZ JO1SJWBUF$MPVE *OGSBTUSVDUVSF(SPVQ 4FDVSJUZ1MBUGPSN%JWJTJPO 5SVTU5FDIOPMPHZ5FBN 54636%03ZPTVLF :"."(6$)*,BUTVZB

"CPVUVT *OUSPEVDUJPO

4FDVSJUZ&OHJOFFS +PJOFEUIFGPSNFS:BIPP+BQBOJO %FWFMPQT NBJOUBJOT BOEPQFSBUFTJOUFSOBM DFSUJGJDBUFJTTVBODFTZTUFNTBOE BVUIFOUJDBUJPOBVUIPSJ[BUJPOTZTUFNTUIBU VTFDFSUJGJDBUFT *BMTPXSJUFUFDIOJDBMCPPLTJONZQSJWBUF UJNFBOEIPTUBDBTVBMDIBUQPEDBTU
VODSPQKQ 8IPBN* *OUSPEVDUJPO 54636%03ZPTVLF

YAMAGUCHI Katsuya • Career • Joined Yahoo Japan Corporation as
a new graduate in 2017 • Engaged in the development of security infrastructure and key management systems • Involved in the construction of certificate management infrastructure • Focused on improving security using certificate-related mechanisms as a team leader 8IPBN* *OUSPEVDUJPO

5IF/VNCFSPG$FSUJGJDBUFTJO0VS1SJWBUF$MPVE • "TJHOJGJDBOUOVNCFSPGTFSWFSDFSUJGJDBUFTBSFJOVTFXJUIJOPVS JOGSBTUSVDUVSF • 8FTUSJWFUPTFDVSFBMMJOUFSOBMDPNNVOJDBUJPOTXJUI5-4 1SJWBUF$"$FSUT 1VCMJD$"$FSUT

)PXTIPVMEBOJEFBMQSJWBUFDMPVEBQQFBS SFHBSEJOHDFSUJGJDBUFNBOBHFNFOU

"4FDVSFCZ%FGBVMU8PSME

4USBUFHZ $FSUJGJDBUF 0XOFSTIJQ "DDFTT$POUSPM .VMUJ$" 4VQQPSU $FSUJGJDBUF *TTVBODF1PMJDZ "VUPNBUJD 6QEBUF
"VUPNBUJD 1MBDFNFOU

$FSUJGJDBUF*TTVBODF1PMJDZ

&OGPSDFBCBTFMJOFPGTFDVSJUZBOERVBMJUZGPSFWFSZDFSUJGJDBUF JTTVFE

1PMJDZ$SZQUPHSBQIJD3FRVJSFNFOUT FH 34"CJU &$%4" 1 ,FZ"MHPSJUIN 4J[F FH 4)"PSTUSPOHFS 4JHOBUVSF
"MHPSJUIN FH 'PSCJE4)"GPS TJHOBUVSFT PSBOZLFZ UZQFTXJUILOPXO XFBLOFTTFT 1SPIJCJUFE 4UBOEBSET

1PMJDZ$FSUJGJDBUF1SPGJMF$POUFOUT FH -JNJUXJMEDBSEEFQUI TVCFYBNQMFDPN POMZ SFTUSJDUUIFOVNCFSPG 4"/T %PNBJO 4DPQF$POUSPM
FH #MPDLJTTVBODFGPS EPNBJOTMJLFTFSWFSMPDBM PSECJOUFSOBMOFUXPSL *OGPSNBUJPO -FBLBHF 1SFWFOUJPO FH 3FRVJSFTQFDJGJD 0SHBOJ[BUJPO$PVOUSZ GJFMETMJNJU&YUFOEFE,FZ 6TBHFUP4FSWFS "VUIFOUJDBUJPO $POUFOU 6TBHF 4UBOEBSEJ[BUJPO

*NQSPWJOHUIF%FWFMPQFS&YQFSJFODF • &MJNJOBUF(VFTTXPSLBOE"NCJHVJUZ • 3FNPWFUIF'FBSPG.BLJOH.JTUBLFT • *NQSPWF4FSWJDF3FMJBCJMJUZ &OTVSJOHBDPOTJTUFOU IJHITUBOEBSEPGRVBMJUZGPSFWFSZDFSUJGJDBUF
BVUPNBUJDBMMZ #FOFGJUTGPS%FWFMPQFST

&OGPSDF$FSUJGJDBUF*TTVBODF1PMJDZJO 0VS1SJWBUF$MPVE Certificate Management System Handling all issue requests •
"MMJTTVBODFSFRVFTUTBSFDFOUSBMJ[FEUISPVHIUIJTTZTUFN • 1PMJDJFTBSFFNCFEEFEJOUIFTZTUFNBOEBVUPNBUJDBMMZFOGPSDFEPOFWFSZ SFRVFTU • 3FHVMBSSFWJFXTFOTVSFUIFTFQPMJDJFTTUBZBMJHOFEXJUIDVSSFOUTFDVSJUZ TUBOEBSET CA (Certificate Authority) Enforce Our Certificate Issuance Policies Issue request

$FSUJGJDBUF 0XOFSTIJQ

• &OTVSFUIFDFSUJGJDBUFTPXOFS JT BMXBZTJEFOUJGJBCMF • 8IP • 8IJDIPSHBOJ[BUJPO • 8IJDIUFBN
• 8IJDIQSPKFDU • "MXBZTBTTJHODFSUJGJDBUF NBOBHFNFOUUPBTJOHMFHSPVQ 8IBUJT$FSUJGJDBUF0XOFSTIJQ

• "NCJHVPVT3FTQPOTJCJMJUZGPS$SJUJDBM5BTLT • 8IPIBOEMFTDFSUJGJDBUFFYQJSBUJPOT • 8IPSFTQPOETUPLFZDPNQSPNJTFTPSMFBLT 8IZ$FSUJGJDBUF0XOFSTIJQ.BUUFST

• "NCJHVPVT3FTQPOTJCJMJUZGPS$SJUJDBM5BTLT • 8IPIBOEMFTDFSUJGJDBUFFYQJSBUJPOT • 8IPSFTQPOETUPLFZDPNQSPNJTFTPSMFBLT • %JGGJDVMUZJO5SBDLJOHBOE"MMPDBUJOH$PTUT • *OBCJMJUZUPBDDVSBUFMZCJMMEFQBSUNFOUTPSQSPKFDUTGPSDFSUJGJDBUFJTTVBODF
8IZ$FSUJGJDBUF0XOFSTIJQ.BUUFST

• .BJOUBJOJOH0XOFSTIJQ5ISPVHI0SHBOJ[BUJPOBM$IBOHFT • )PXUPNBOBHFPXOFSTIJQXIFOBENJOTMFBWFPSUFBNTBSFSFPSHBOJ[FE 8IZ$FSUJGJDBUF0XOFSTIJQ.BUUFST

• .BJOUBJOJOH0XOFSTIJQ5ISPVHI0SHBOJ[BUJPOBM$IBOHFT • )PXUPNBOBHFPXOFSTIJQXIFOBENJOTMFBWFPSUFBNTBSFSFPSHBOJ[FE • $PNQMFYJUZJO$SPTT'VODUJPOBM1SPKFDUT • %JGGJDVMUZBTTJHOJOHBTJOHMFPXOFSXIFONVMUJQMFEFQBSUNFOUTBOEUFBNTBSF JOWPMWFE 8IZ$FSUJGJDBUF0XOFSTIJQ.BUUFST

$FSUJGJDBUF0XOFSTIJQ JO0VS1SJWBUF $MPVE 1SPKFDU" 1SPKFDU#

$FSUJGJDBUF0XOFSTIJQ JO0VS1SJWBUF $MPVE $PEFNBTUFS 1SPKFDU" 1SPKFDU# 1SPKFDU"TZTUFNDPEF 1SPKFDU#TZTUFNDPEF 4FQBSBUFDFSUJGJDBUFNBOBHFNFOUCZQSPKFDUBOEEFMFHBUF PWFSTJHIUUPBVOJGJFEDPEFNBTUFS

.VMUJ$"4VQQPSU

• $PTU&GGJDJFODZ • *OJUJBMTFUVQDPTUTPGGTFUCZMPOHUFSNTBWJOHT • *OUFSOBM5SVTU*OGSBTUSVDUVSF • &OTVSFTTFDVSFDPNNVOJDBUJPOCFUXFFOJOUFSOBMBQQMJDBUJPOTBOETFSWJDFT • 'BTUFS*TTVBODF
• *TTVFTDFSUJGJDBUFTJONJOVUFT VOMJLFMFOHUIZQSPDFTTFTXJUIQVCMJD$"T • 1SPUFDUJPOPG*OUFSOBM%PNBJOT • ,FFQTJOUFSOBMEPNBJOTDPOGJEFOUJBMCZBWPJEJOH1VCMJD$"JTTVBODF XIJDI FYQPTFTEFUBJMTJO$FSUJGJDBUF5SBOTQBSFODZMPHT #FOFGJUTPG1SJWBUF$"

.VMUJ$"4VQQPSUJO0VS1SJWBUF$MPVE Project A Project B Issue request Issue request Project
A’s certs Project B’s certs Certificate Management System Handling all issue requests Public CA Private CA Public CA

.VMUJ$"4VQQPSUJO0VS1SJWBUF$MPVE Project A Project B Issue request Issue request Project
A’s certs Project B’s certs Certificate Management System Handling all issue requests Handling differences between CAs Public CA Private CA Public CA

.VMUJ$"4VQQPSUJO0VS1SJWBUF$MPVE .VMUJ$"4VQQPSU Project A Project B Project A’s certs Project
B’s certs Certificate Management System Handling all issue requests Offloading the domain validation task from users Public CA Fetch certificates DNS Domain verification using DNS Setting the challenge token in a DNS TXT record

"DDFTT$POUSPM

"DDFTT$POUSPMGPS$FSUJGJDBUF.BOBHFNFOU Project A Project A’s certs Project B’s certs Certificate
Management System Project B Grant Grant Deny

• 8FVTF"UIFO[ BTPVSTUBOEBSE QMBUGPSNGPSBVUIFOUJDBUJPOBOE BVUIPSJ[BUJPO • 0VSQSJWBUFDMPVETBDDFTTDPOUSPMJT CVJMUFOUJSFMZPO"UIFO[ • 5IJTQSPWJEFTBVOJGJFETZTUFNGPS
QSPKFDUCBTFEBDDFTTDPOUSPM JOUFHSBUJOHTFBNMFTTMZXJUIPVS XPSLGMPX "DDFTT$POUSPMGPS$FSUJGJDBUF.BOBHFNFOU *O0VS1SJWBUF$MPVE "UIFO[ MPHPCZIUUQTHJUIVCDPN"UIFO;BUIFO[ "UIFO[IUUQTXXXBUIFO[JP ˞"UIFO[ JTBSFDPHOJ[FE$/$' $MPVE/BUJWF $PNQVUJOH'PVOEBUJPO 4BOECPYQSPKFDU

Project A Project A’s certs Project B’s certs Certificate Management
System Grant Deny "DDFTT$POUSPMGPS$FSUJGJDBUF.BOBHFNFOU *O0VS1SJWBUF$MPVE

"VUPNBUJD 1MBDFNFOU

"VUPNBUJD QMBDFNFOU

8IBUUPEFQMPZ "VUPNBUJDQMBDFNFOU -FBGDFSUJGJDBUF $FSUJGJDBUF 4FUXJUIDFSUJGJDBUF 1SJWBUF ,FZ "TOFFEFE
*OUFSNFEJBUF $FSUJGJDBUF

*OUFSNFEJBUF $FSUJGJDBUF %FQMPZFWFSZUIJOHOFFEFEUPVTF BDFSUJGJDBUF

"VUPNBUJDQMBDFNFOU &YQFDUFE0VUDPNFT

&YQFDUFE0VUDPNFT "VUPNBUJDQMBDFNFOU #'VODUJPO "%# 4FSWJDF "'VODUJPO 6TFS #%#

&YQFDUFE0VUDPNFT "VUPNBUJDQMBDFNFOU #'VODUJPO 4FSWJDF "'VODUJPO 6TFS

&YQFDUFE0VUDPNFT "VUPNBUJDQMBDFNFOU #'VODUJPO "%# 4FSWJDF "'VODUJPO 6TFS #%#

&YQFDUFE0VUDPNFT "VUPNBUJDQMBDFNFOU $FSUJGJDBUFSFOFXBMQSPDFEVSF GPS4FSWJDF" )PHF GVHB
$FSUJGJDBUFSFOFXBMQSPDFEVSF GPS4FSWJDF# )PHF GVHB $FSUJGJDBUFSFOFXBMQSPDFEVSF GPS%# )PHF GVHB $FSUJGJDBUFSFOFXBMQSPDFEVSF GPS-# )PHF GVHB

.BOVBMMZEFQMPZJOHDFSUJGJDBUFTUPBXJEFWBSJFUZPG DPNQPOFOUTJOEVDFTFSSPST &YQFDUFE0VUDPNFT 3FEVDFPQFSBUJPOBMFSSPST "VUPNBUJDQMBDFNFOU *UJTWFSZUFEJPVTUPVOEFSTUBOEUIFQSPDFEVSFTGPS FBDIUBSHFUTZTUFNBOEFYFDVUFUIFNFWFSZUJNFB OFXDFSUJGJDBUFJTJTTVFEPSSFOFXFE 3FEVDFUIFPQFSBUJPOBMCVSEFO #'VODUJPO
4FSWJDF "'VODUJPO 6TFS $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS4FSWJDF" )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS4FSWJDF# )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS%# )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS-# )PHF GVHB

.BOVBMMZEFQMPZJOHDFSUJGJDBUFTUPBXJEFWBSJFUZPG DPNQPOFOUTJOEVDFTFSSPST &YQFDUFE0VUDPNFT 3FEVDFPQFSBUJPOBMFSSPST "VUPNBUJDQMBDFNFOU *UJTWFSZUFEJPVTUPVOEFSTUBOEUIFQSPDFEVSFTGPS FBDIUBSHFUTZTUFNBOEFYFDVUFUIFNFWFSZUJNFB OFXDFSUJGJDBUFJTJTTVFEPSSFOFXFE 3FEVDFUIFPQFSBUJPOBMCVSEFO #'VODUJPO
4FSWJDF "'VODUJPO 6TFS $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS4FSWJDF" )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS4FSWJDF# )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS%# )PHF GVHB $FSUJGJDBUFSFOFXBM QSPDFEVSF GPS-# )PHF GVHB &MJNJOBUFJODJEFOUTBTTPDJBUFEXJUI DFSUJGJDBUFSFOFXBMUBTLT

"VUPNBUJDQMBDFNFOU )PXTIPVMEXFEP

)PXTIPVMEXFEP "VUPNBUJDQMBDFNFOU 3&45"1*"$.& 1VCMJTIJOH BO"1* "VUIFOUJDBUJPOBOE"VUIPSJ[BUJPO &TUBCMJTIJOH "VUI
$FOUSBMJ[FENBOBHFNFOU #VJMEJOHBO FDPTZTUFN

• "UPPMUPBVUPNBUFUIFNBOBHFNFOUPG DFSUJGJDBUFTXJUIJOB,VCFSOFUFTDMVTUFS • *UBVUPNBUJDBMMZPCUBJOT DFSUJGJDBUFTGSPN BDFSUJGJDBUFBVUIPSJUZ • *UNPOJUPSTDFSUJGJDBUFFYQJSBUJPOEBUFT BOEBVUPNBUJDBMMZQFSGPSNTSFOFXBM
QSPDFTTJOHCFGPSFUIFZFYQJSF • :PVEFGJOFUIFSFRVJSFEDFSUJGJDBUFTJOB ,VCFSOFUFTNBOJGFTUGJMF 1VCMJTIJOHBO"1* "VUPNBUJDSFOFXBM DFSUNBOBHFS cert-manager project logo (c) by Jetstack Ltd.

• "DPNNVOJDBUJPOQSPUPDPMGPSBVUPNBUJOH UBTLTTVDIBTDFSUJGJDBUFJTTVBODF SFOFXBM BOESFWPDBUJPO • "O"$.&DMJFOUJOTUBMMFEPOBXFCTFSWFS DPNNVOJDBUFTXJUIUIF$" •
*UBVUPNBUJDBMMZWFSJGJFTEPNBJOPXOFSTIJQ UPDPNQMFUFDFSUJGJDBUFBDRVJTJUJPOBOE SFOFXBMXJUIPVUNBOVBMJOUFSWFOUJPO 1VCMJTIJOHBO"1* "VUPNBUJDSFOFXBM "$.& "VUPNBUJD$FSUJGJDBUF.BOBHFNFOU&OWJSPONFOU

&TUBCMJTIJOH"VUI "VUPNBUJDQMBDFNFOU 1SPKFDU" $FSUJGJDBUF 1SPKFDU# . . . $FSUJGJDBUF $FSUJGJDBUF
$FSUJGJDBUF

$FOUSBMJ[FENBOBHFNFOU "VUPNBUJDQMBDFNFOU $FOUSBMJ[FE NBOBHFNFOUTZTUFN -# %# 7. . . .
$" $" $"

*OUFSNFEJBUF $FSUJGJDBUF

"VUPNBUJD 1MBDFNFOU

"VUPNBUJDVQEBUF

8IBUUPVQEBUF "VUPNBUJDVQEBUF #FGPSFJUFYQJSFT $FSUJGJDBUF %POPUSFVTF 1SJWBUF ,FZ

8IBUUPVQEBUF "VUPNBUJDVQEBUF #FGPSFJUFYQJSFT $FSUJGJDBUF %POPUSFVTF 1SJWBUF ,FZ .BLFUIFDFSUJGJDBUFSFOFXBM
QSPDFTTTFBNMFTT

"VUPNBUJDVQEBUF &YQFDUFE0VUDPNFT

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF d d d d d

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF EBZT $VSSFOU https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF EBZT EBZT EBZT EBZT $VSSFOU
https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF "VUPNBUJDVQEBUF "VUPNBUJDQMBDFNFOU

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF "VUPNBUJDVQEBUF "VUPNBUJDQMBDFNFOU 5PBOFOWJSPONFOUXIFSF EFWFMPQFSTEPOUIBWFUPCF BXBSFPGDFSUJGJDBUFT

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF

&YQFDUFE0VUDPNFT "VUPNBUJDVQEBUF .JUJHBUJOHDPNQSPNJTFTBOE SFEVDJOHUIFTDPQFPGJNQBDU XIFOUIFZPDDVS

"VUPNBUJDVQEBUF )PXTIPVMEXFEP

$FOUSBMJ[FENBOBHFNFOU "VUPNBUJDVQEBUF $FOUSBMJ[FE NBOBHFNFOUTZTUFN $" $" $"

$FOUSBMJ[FENBOBHFNFOU "VUPNBUJDVQEBUF $FOUSBMJ[FE NBOBHFNFOUTZTUFN $" $" $" $FSUJGJDBUF"d $FSUJGJDBUF#d $FSUJGJDBUF$d
$FSUJGJDBUF%d $FSUJGJDBUF&d

$FOUSBMJ[FENBOBHFNFOU "VUPNBUJDVQEBUF $FOUSBMJ[FE NBOBHFNFOUTZTUFN $" $" $" $FSUJGJDBUF"d $FSUJGJDBUF#d $FSUJGJDBUF$d
$FSUJGJDBUF%d $FSUJGJDBUF&d 3FOFX"# 3FOFX$

$FOUSBMJ[FENBOBHFNFOU "VUPNBUJDVQEBUF

8IBUUPVQEBUF "VUPNBUJDVQEBUF #FGPSFJUFYQJSFT $FSUJGJDBUF %POPUSFVTF 1SJWBUF ,FZ

"VUPNBUJD 1MBDFNFOU

4PNFUIJOHMJLFUIFBOOPVODFNFOUTGSPNUIF$"#SPXTFS'PSVN 4USBUFHZCBTFEPOUIFDVSSFOUTJUVBUJPO

5IFOFFEGPSQSPBDUJWF JOGPSNBUJPOHBUIFSJOH

1SPWJEJOHBTFBNMFTTMZTFDVSFFOWJSPONFOU 5IFOFFEGPSQSPBDUJWFJOGPSNBUJPOHBUIFSJOH 4FDVSJUZ&OHJOFFS 8FCEFWFMPQFS "QQMJDBUJPOEFWFMPQFS #BDLFOEEFWFMPQFS . . .

1SPWJEJOHBTFBNMFTTMZTFDVSFFOWJSPONFOU 5IFOFFEGPSQSPBDUJWFJOGPSNBUJPOHBUIFSJOH 4FDVSJUZ&OHJOFFS 8FCEFWFMPQFS "QQMJDBUJPOEFWFMPQFS #BDLFOEEFWFMPQFS . . . 8FDPOUJOVPVTMZTUSJWFUPNBLF
PVSQSJWBUFDMPVENPSFTFDVSF

&GGJDJFOU$FSUJGJDBUF%JTUSJCVUJPO4USBUFHZ JO1SJWBUF$MPVE *OGSBTUSVDUVSF(SPVQ 4FDVSJUZ1MBUGPSN%JWJTJPO 5SVTU5FDIOPMPHZ5FBN 54636%03ZPTVLF :"."(6$)*,BUTVZB

プライベートクラウドでの効率的な証明書配布戦略 / Efficient Certificate...

プライベートクラウドでの効率的な証明書配布戦略 / Efficient Certificate Distribution Strategy in Private Cloud

More Decks by LINEヤフーTech (LY Corporation Tech)

Other Decks in Technology

Featured

Transcript