Third Party CA Certificate Extensions
A self-signed CA certificate can be created with the following NSS commands:

```sh
$ mkdir nssdb
$ echo Secret.123 > nssdb/password.txt
$ certutil -N -d nssdb -f nssdb/password.txt
$ openssl rand -out nssdb/noise.bin 2048
$ echo -e "y\n\ny\n" | \
  certutil -S \
  -d nssdb \
  -f nssdb/password.txt \
  -z nssdb/noise.bin \
  -n "Root CA" \
  -s "CN=Root CA,O=NSS" \
  -x \
  -t "CTu,CTu,CTu" \
  -m $RANDOM \
  -2 \
  --keyUsage certSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA
```
The self-signed certificate will have the following extensions:

```
Signed Extensions:
    Name: Certificate Type
    Data: <SSL CA,S/MIME CA,ObjectSigning CA>

    Name: Certificate Basic Constraints
    Critical: True
    Data: Is a CA with no maximum path length.

    Name: Certificate Key Usage
    Usages: Certificate Signing
```
The self-signed certificate can be used to issue a CA certificate for PKI with the following command:

```sh
$ echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
  certutil -C \
  -d nssdb \
  -f nssdb/password.txt \
  -m $RANDOM \
  -a -i ca_signing.csr \
  -o ca_signing.crt \
  -c "Root CA" \
  -1 -2
```
The issued certificate will have the following extensions:

```
Signed Extensions:
    Name: Certificate Basic Constraints
    Critical: True
    Data: Is a CA with no maximum path length.

    Name: Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Certificate Signing
            CRL Signing
```
A self-signed CA certificate can be created with the following OpenSSL command:

```sh
$ openssl req -x509 -newkey rsa:2048 -keyout rootca.key -nodes -out rootca.pem \
    -subj "/CN=Root CA/O=OpenSSL" -days 365
```
The self-signed certificate will have the following extensions:

```
X509v3 extensions:
    X509v3 Subject Key Identifier:
        F0:07:AF:4C:49:A9:63:F2:48:1A:4A:47:E4:63:AB:E2:BA:F8:5D:F8
    X509v3 Authority Key Identifier:
        keyid:F0:07:AF:4C:49:A9:63:F2:48:1A:4A:47:E4:63:AB:E2:BA:F8:5D:F8
    X509v3 Basic Constraints:
        CA:TRUE
```
The self-signed CA certificate can be used to issue a CA certificate for PKI with the following command:

```sh
$ openssl x509 -req -in ca_signing.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial -out ca_signing.pem
```
The issued certificate will not have any extensions: `openssl x509 -req` adds none unless an extension file is supplied with `-extfile`/`-extensions`, so the result lacks the Basic Constraints and Key Usage a CA certificate needs.
By default TinyCA will generate a CA certificate with the following extensions:

Using the certutil command:

```
Signed Extensions:
    Name: Certificate Subject Key ID
    Data:
        18:fc:ef:fd:c1:ea:2f:4d:6a:dc:6f:92:e8:df:43:94:
        a1:d9:5c:d1

    Name: Certificate Authority Key Identifier
    Key ID:
        18:fc:ef:fd:c1:ea:2f:4d:6a:dc:6f:92:e8:df:43:94:
        a1:d9:5c:d1
    Issuer:
        Directory Name: "O=TinyCA"
    Serial Number: 00:fe:dc:13:35:50:d8:c2:51

    Name: Certificate Basic Constraints
    Critical: True
    Data: Is a CA with no maximum path length.

    Name: Certificate Type
    Data: <SSL CA,S/MIME CA>

    Name: Certificate Issuer Alt Name
    Error: Parsing extension: Certificate extension value is invalid.
    Data: Sequence {
    }

    Name: Certificate Comment
    Comment: "TinyCA"

    Name: Certificate Key Usage
    Critical: True
    Usages: Certificate Signing
            CRL Signing
```

Using the openssl command:

```
X509v3 extensions:
    X509v3 Subject Key Identifier:
        18:FC:EF:FD:C1:EA:2F:4D:6A:DC:6F:92:E8:DF:43:94:A1:D9:5C:D1
    X509v3 Authority Key Identifier:
        keyid:18:FC:EF:FD:C1:EA:2F:4D:6A:DC:6F:92:E8:DF:43:94:A1:D9:5C:D1
        DirName:/O=TinyCA
        serial:FE:DC:13:35:50:D8:C2:51
    X509v3 Basic Constraints: critical
        CA:TRUE
    Netscape Cert Type:
        SSL CA, S/MIME CA
    X509v3 Issuer Alternative Name:
        <EMPTY>
    Netscape Comment:
        TinyCA
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
```
Note: the default TinyCA configuration may generate an Issuer/Subject Alternative Name extension with a blank value, which is invalid for PKI (NSS reports it as a parsing error and OpenSSL prints it as `<EMPTY>`).
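For the OpenSSL issuance above and the TinyCA note, here is an added example (not the page's own commands, nor TinyCA's): it applies a CA extension profile at signing time with `-extfile`/`-extensions`, issues the same CSR once the page's way and once corrected, and then checks any PEM certificate for the extensions this page treats as required, including the blank alternative name. It needs the `openssl` CLI; the work directory, file names, config file and subject names are constructed for the demo.

```shell
# Added example, not from the original page: issue a subordinate CA with OpenSSL
# so the certificate actually carries CA extensions, then check the extension
# set of any PEM certificate. Needs the openssl CLI; paths/subjects are demo values.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Extension profile for a CA certificate (the set the page reports as needed).
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
# Self-signed root carrying the v3_ca profile instead of the bare defaults.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" \
  -subj "/CN=Root CA/O=OpenSSL" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/ca_signing.key" -out "$WORK/ca_signing.csr" \
  -subj "/CN=CA Signing Certificate/O=OpenSSL" 2>/dev/null
# The page's command as written: the issued certificate gets no extensions.
openssl x509 -req -in "$WORK/ca_signing.csr" -CA "$WORK/rootca.pem" \
  -CAkey "$WORK/rootca.key" -CAcreateserial -out "$WORK/noext.pem" 2>/dev/null
# Corrected: -extfile/-extensions apply the v3_ca profile at signing time.
openssl x509 -req -in "$WORK/ca_signing.csr" -CA "$WORK/rootca.pem" \
  -CAkey "$WORK/rootca.key" -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" \
  -extensions v3_ca -out "$WORK/ca_signing.pem" 2>/dev/null

# Print "ok" if the PEM file is a usable CA certificate, else what is missing.
# Works on NSS exports too (certutil -L -d nssdb -n "Root CA" -a > root.pem).
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  missing=""
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || missing="$missing basicConstraints"
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || missing="$missing keyCertSign"
  printf '%s\n' "$text" | grep -q 'CRL Sign' || missing="$missing cRLSign"
  printf '%s\n' "$text" | grep -q 'Subject Key Identifier' || missing="$missing subjectKeyIdentifier"
  # A blank Issuer/Subject Alternative Name (TinyCA default) prints as <EMPTY>.
  printf '%s\n' "$text" | grep -A1 'Alternative Name' | grep -q '<EMPTY>' && missing="$missing empty-altName"
  [ -z "$missing" ] && echo ok || echo "missing:$missing"
}
check_ca_cert "$WORK/noext.pem"
check_ca_cert "$WORK/ca_signing.pem"   # ok
```

OpenSSL 3.x also accepts `-copy_extensions copy` on `openssl x509 -req`, but a CA should impose its own profile as above rather than trust whatever extensions the request carries.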
Other third-party CA certificates carry extension sets such as the following:

```
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Subject Key Identifier:
        2C:D5:50:41:97:15:8B:F0:8F:36:61:5B:4A:FB:6B:D9:99:C9:33:92
```
```
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        DA:BB:2E:AA:B0:0C:B8:88:26:51:74:5C:6D:03:D3:C0:D8:8F:7A:D6
    X509v3 Authority Key Identifier:
        keyid:DA:BB:2E:AA:B0:0C:B8:88:26:51:74:5C:6D:03:D3:C0:D8:8F:7A:D6
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
```
A subordinate CA certificate issued by the Adobe Root CA (named in its CRL distribution point) has the following extensions:

```
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:1
    X509v3 Certificate Policies:
        Policy: 1.2.840.113583.1.2.1
          CPS: https://www.adobe.com/misc/pki/cds_cp.html
    X509v3 Extended Key Usage:
        1.2.840.113583.1.1.5
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.adobe.com/cds.crl
        Full Name:
          DirName: C = US, O = Adobe Systems Incorporated, OU = Adobe Trust Services, CN = Adobe Root CA, CN = CRL1
    X509v3 Key Usage:
        Certificate Sign, CRL Sign
    X509v3 Authority Key Identifier:
        keyid:82:B7:38:4A:93:AA:9B:10:EF:80:BB:D9:54:E2:F1:0F:FB:80:9C:DE
    X509v3 Subject Key Identifier:
        AB:80:59:C3:65:83:6D:1D:7D:13:BD:19:C3:EC:1A:8F:0D:47:6A:A3
    1.2.840.113533.7.65.0:
        0 ..V6.0....
```
The self-signed CAcert root certificate (CA Cert Signing Authority) has the following extensions:

```
X509v3 extensions:
    X509v3 Subject Key Identifier:
        16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
    X509v3 Authority Key Identifier:
        keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
        DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
        serial:00
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 CRL Distribution Points:
        Full Name:
          URI:https://www.cacert.org/revoke.crl
    Netscape CA Revocation Url:
        https://www.cacert.org/revoke.crl
    Netscape CA Policy Url:
        http://www.cacert.org/index.php?id=10
    Netscape Comment:
        To get your own certificate for FREE head over to http://www.cacert.org
```
A subordinate CA certificate issued by a Microsoft CA will have the following extension:

```
Signed Extensions:
    Name: Microsoft Enrollment Cert Type Extension
    Data: "SubCA"
```