Merge branch 'tizen' into yaca

[platform/core/test/security-tests.git] / src / ckm / keys / pkcs12 / HOWTO.txt

This guideline explains how src/resource/pkcs.p12 is generated.


The certificate chain looks as follows (arrow denotes the signing):

SERVER <-- CA_INT <-- CA

That is the CA is a root CA, CA_INT is an intermediate/1st level CA,
and SERVER is a final/2nd level CA.


Files:
- ca.key, CA's private key used to sign CA_INT certificate
- ca.crt, CA's certificate used to verify a certificate chain (it's
  the last certificate in the chain)
- ca-int.key, CA_INT's private key used to sign SERVER certificate
- ca-int.csr, CA_INT's certificate signing request (to be signed with
  ca.key)
- ca-int.crt, CA_INT's certificate signed by CA
- server.key, SERVER's private key used to sign client certificates
- server.csr, SERVER's certificate signing request (to be signed with
  ca-int.key)
- server.crt, SERVER's certificate signed by CA_INT
- chain.pem, chain of CA, CA_INT and SERVER certificates in PEM format
  (can be used for validation)


Keys should be left untouched. In case they are lost they can be
regenerated with:

 openssl genrsa -out ca.key 1024 (or any other lenght)


Certificate signing requests

 Each certificate must have a different Common Name (CN). The command
 for CSR generation will prompt you for it (and for other fields).


Openssl ca setup

 Openssl 1.1.1 requires root and intermediate CA certficates (that is
 all 3 of above) to have a 'CA' set to 'true' in basicConstraints
 extension. It applies to trusted certificates as well. The 'openssl
 ca' tool allows that with proper configuration. Modifications in
 /etc/ssl/openssl.cnf in [ CA_default ] section:
 - set 'x509_extensions' to 'v3_ca' to add the v3 CA extension,
 - set 'policy' to 'policy_anything' to get rid of strict CSR field
 matching rules.

 Before 'openssl ca' can be used you have to provide a proper
 directory structure for it. By default it needs a following hierarchy
 in ./demoCA (paths can be modified in /etc/ssl/openssl.cnf):
 - demoCA/
   - private/
     - cakey.pem - The private key used to sign the certificate. For
       ca-int.csr it will be ca.key.
   - cacert.pem - The certificate of the signing CA. For ca-int.csr it
     will be ca.crt.
   - index.txt - Empty file (touch index.txt)
   - serial - A file with serial number (echo 1000 > serial)


Certificate generation

- CA:

 Generate a self signed certificate (root ca):

  openssl req -key ca.key -new -x509 -days 3650 -sha256 -out ca.crt

- CA_INT:

 Generate a signing request:

  openssl req -new -key ca.key -out ca-int.csr

 Sign the certificate using CA:

  openssl ca -days 3650 -notext -md sha256 -in ca-int.csr -out \
  ca-int.crt

- SERVER:

 Generate a signing request:

  openssl req -new -key ca-int.key -out server.csr

 Sign the certificate using CA_INT:

  openssl ca -days 3650 -notext -md sha256 -in server.csr -out \
  server.crt


Export server private key, certificate and the rest of the chain to
pkcs12:

 cat ca.crt ca-int.crt > chain.pem

 openssl pkcs12 -export -out pkcs.p12 -inkey server.key -in server.crt \
 -certfile chain.pem


Useful commands

- Display certificate info

 openssl x509 -in ca.crt -text -noout

- Display csr info

 openssl req -in ca-int.csr -text -noout

- Display pkcs12 contents in PEM format

 openssl pkcs12 -in pkcs.p12 -info

- Display certificate purpose

 openssl x509 -in ca.crt -purpose

- Sign a client's certificate with server one:

 openssl req -new -key server.key -out client.csr
 openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
 -CAcreateserial -out client.crt -days 3650

- Verify a certficate against a local chain

 openssl verify -CAfile chain.pem client.crt