
QUESTION: commands to generate new certificates #83

warren-gallagher opened this issue Jan 15, 2024 · 2 comments
Comments


warren-gallagher commented Jan 15, 2024

What openssl (or other) commands are required to generate new files:
issuer-cert.pem
issuer-key.pem
device_key.b64

Here is my best guess for issuer-cert and issuer-key:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -sha256 -subj "/CN=Issuer" -nodes -days 365 -out issuer-cert.pem -keyout issuer-private-key.pem
warren-gallagher (Author) commented:

UPDATE:
The following commands cause generation of issuer-cert.pem and issuer-key.pem that can be successfully used with isomdl. Still don't know what is required for device_key.b64.

generate EC Key

openssl ecparam -name prime256v1 -genkey -noout -out issuer-ec-key.pem

convert the ec format pem from traditional pem to PKCS8 pem format

openssl pkcs8 -topk8 -in issuer-ec-key.pem -nocrypt -out issuer-key.pem

generate the certificate using the generated key

openssl req -new -x509 -key issuer-key.pem -subj '/CN=Issuer' -out issuer-cert.pem

justAnIdentity (Contributor) commented:

Hi Warren,

Certificates are used for issuer authentication upon presentation of an mDL. This allows a verifier to establish that the mDL comes from a valid authority.
An issuing authority creates a root certificate, which signs a signer certificate. The private key associated with the signer certificate is used to sign mDLs.
You do not need the device key to generate a certificate.

Creating certificates that comply with the ISO 18013-5 specification requires a specific configuration, which is detailed in this document:
https://www.iso.org/standard/69084.html
We are unfortunately not free to provide copies of this specification.

Nevertheless, here is a sequence of commands that you can use to create a root certificate and use that to sign a signer certificate that you can use with isomdl.

Preparation

$ touch ca.cnf
$ touch signer.cnf

-> fill in your configuration files

Root Certificate

Create an EC key pair 'ca.key':
$ openssl ecparam -name prime256v1 -genkey -noout -out ca.key

Generate a 'root' certificate that is valid for one year:
$ openssl req -new -x509 -days 365 -config ca.cnf -key ca.key -out ca.pem

Verify the contents:
$ openssl x509 -text -noout -in ca.pem

Signer Certificate

Create an EC key pair 'signer.key':
$ openssl ecparam -name prime256v1 -genkey -noout -out signer.key

Generate a Certificate Signing Request (.csr):
$ openssl req -config signer.cnf -new -key signer.key -out signer.csr

Generate certificate:
$ openssl x509 -req -days 365 -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out signer.pem -sha256 -extensions signer_v3_ca -extfile signer.cnf

Verify the contents:
$ openssl x509 -text -noout -in signer.pem

Certificate support in this crate is definitely something we are looking to work on. Until that time, I hope this helps!
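The root-then-signer sequence from the comment above as one script, added here as an example and not code from the isomdl project: it supplies minimal constructed ca.cnf and signer.cnf (an assumption for illustration, not the ISO 18013-5 profile that the specification defines), runs the commands, converts the signer key to PKCS#8 as the earlier comment needed, and checks that signer.pem actually chains to ca.pem with openssl verify.

```shell
# Added example (not isomdl project code): the root -> signer sequence from the
# comment above, run with minimal constructed ca.cnf/signer.cnf, then checked
# with `openssl verify`. The config contents are an illustrative assumption,
# not the ISO 18013-5 profile defined in the specification.
set -eu

build_chain() {
  dir=$(mktemp -d) && cd "$dir"
  # Constructed ca.cnf: self-signed root that is allowed to sign certificates.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Issuer Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Constructed signer.cnf: end-entity signer, not a CA, signing only.
  cat > signer.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Issuer Signer
[signer_v3_ca]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -new -x509 -days 365 -config ca.cnf -key ca.key -out ca.pem
  openssl ecparam -name prime256v1 -genkey -noout -out signer.key
  openssl req -config signer.cnf -new -key signer.key -out signer.csr
  openssl x509 -req -days 365 -in signer.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out signer.pem -sha256 \
    -extensions signer_v3_ca -extfile signer.cnf
  # PKCS#8 form of the signer key, the format the first comment needed.
  openssl pkcs8 -topk8 -in signer.key -nocrypt -out issuer-key.pem
  # The chain check: signer.pem must validate against ca.pem, or we fail here.
  openssl verify -CAfile ca.pem signer.pem >/dev/null
  echo "$dir"
}
```

Running `build_chain` prints the temporary directory holding ca.pem, signer.pem and issuer-key.pem; a broken chain (wrong CA key, missing CA:TRUE on the root) makes the script exit non-zero at the verify step.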
