Generating X509 Version 2 certificate


Generating X509 Version 2 certificate

Varun Rapelly
Hi,

I would like to create a self-signed certificate with X509 version 2.

I know that we need to configure "Issuer and subject unique identifiers" for the X509 v2 format certificate, but I am not able to find the configuration required (in openssl.conf) to enable it.

Please let me know how to enable the above-mentioned extensions for creating an X509v2 format certificate.

I am following the steps below to create the certificate:
    mkdir newcerts
    touch index.txt
    echo '01' > serial
    cp ~/TLS_Cert/X509v2/ca.key .
    cp ~/TLS_Cert/X509v2/ca.crt .
    cp ~/TLS_Cert/X509v2/ca.cnf .
    read answer
    openssl ca -config ca.cnf -out example.org.crt -infiles request.csr
    cat example.org.crt

Attached ca.cnf file.

Thanks in advance.
Varun Rapelly


Re: Generating X509 Version 2 certificate

Viktor Dukhovni
On Fri, Jul 10, 2020 at 05:46:44PM +0530, Varun Rapelly wrote:

> I would like to create a self signed certificate with X509 version 2.

Why exactly "version 2"?  Are you perchance confused by the wire
encoding of X509 versions?

    X.509 version 1 <-> 0 in certificate version field  /* original specification */
    X.509 version 2 <-> 1 in certificate version field  /* largely unused */
    X.509 version 3 <-> 2 in certificate version field  /* modern specification */

    https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/keytoolDocs/x509certificates.html

    X.509 Version 2 introduced the concept of subject and issuer unique
    identifiers to handle the possibility of reuse of subject and/or
    issuer names over time. Most certificate profile documents strongly
    recommend that names not be reused, and that certificates should not
    make use of unique identifiers. Version 2 certificates are not
    widely used.

> I know that we need to configure "Issuer and subject unique identifiers"
> for X509 v2 format certificate, but not able to find the configuration
> required (in openssl.conf) to enable it.

These fields are *optional*.  You do not need to set these.

OpenSSL supports X.509v3, and has minimal support for v2.  You can
inspect the optional unique ids via:

    void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
                        const ASN1_BIT_STRING **psuid)
    {
        if (piuid != NULL)
            *piuid = x->cert_info.issuerUID;
        if (psuid != NULL)
            *psuid = x->cert_info.subjectUID;
    }

but there's no support for setting these, other than by parsing
an ASN.1 X.509v2 encoded object that already has them.

> Please let me know how to enable the above mentioned
> extensions for creating X509v2 format certificate?
>
> Following below steps to create the certificate:
>     mkdir newcerts
>     touch index.txt
>     echo '01' > serial
>     cp ~/TLS_Cert/X509v2/ca.key .
>     cp ~/TLS_Cert/X509v2/ca.crt .
>     cp ~/TLS_Cert/X509v2/ca.cnf .
>      read answer
>     openssl ca -config ca.cnf -out example.org.crt -infiles request.csr
>     cat example.org.crt

There is no support for encoding these deprecated fields.

--
    Viktor.
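The version mapping and the optional unique-identifier fields described above can be checked directly on the DER encoding. The following is an added example, not code from the thread or from OpenSSL: it walks a DER TBSCertificate with only the Python standard library, reads the [0] version field (wire value + 1 = X.509 version) and reports whether the [1] issuerUniqueID / [2] subjectUniqueID fields are present. The sample TBSCertificate is constructed inline with empty placeholder fields and is not a real certificate.

```python
# Added example: inspect the version field and the optional unique-ID fields
# of a DER TBSCertificate. Standard library only; the sample input below is
# constructed here (placeholder fields), not a real certificate.

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths < 65536), used to build the sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def children(body: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    i = 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        yield tag, body[i:i + n]
        i += n

def inspect_tbs(tbs_der: bytes) -> dict:
    """Report the X.509 version and whether issuer/subject unique IDs are present."""
    tag, body = next(children(tbs_der))
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    fields = list(children(body))
    wire = 0                                       # absent version field => v1
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT INTEGER version
        _, ver = next(children(fields[0][1]))
        wire = int.from_bytes(ver, "big")
    uids = {0x81: None, 0x82: None}                # [1]/[2] IMPLICIT BIT STRING
    for t, v in fields:
        if t in uids:
            uids[t] = v[1:]                        # drop the unused-bits octet
    return {"wire_version": wire, "x509_version": wire + 1,
            "issuer_uid": uids[0x81], "subject_uid": uids[0x82],
            "has_extensions": any(t == 0xA3 for t, _ in fields)}

# Constructed sample: wire version 1 (X.509 v2), a subjectUniqueID, no extensions.
SEQ = 0x30
SAMPLE_V2_TBS = tlv(SEQ,
    tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0x02, b"\x01")   # version, serial
    + tlv(SEQ, b"") * 5                  # sigalg, issuer, validity, subject, spki
    + tlv(0x82, b"\x00\xab\xcd"))        # [2] IMPLICIT subjectUniqueID

if __name__ == "__main__":
    print(inspect_tbs(SAMPLE_V2_TBS))
```

Run against a real certificate by passing the first child of the outer Certificate SEQUENCE (the TBSCertificate) to inspect_tbs; on a modern v3 certificate it reports wire_version 2 with both unique IDs None.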