Dg B wrote:
>
> Hello!
>
> I have been fiddling with OpenSSL now for over a week, and cannot make
> sense of this thing. :(
> I desperately need to create an Object signing certificate for my work at
> hand. However, none of my attempts are working.
>
> Is there a step-by-step instruction (with explanations, preferably) on how
> to make an object signing certificate? I can make one with signtool, but it
> will only last 3 months (not good enough).
>
> Any help you can provide would be much appreciated. What's left of my hair
> (after all the pulling out this week) will be appreciated as well.
>
> Regards,
> Dennis

You must create a CA certificate with the Netscape Object Signing CA extension, then issue certificates (which may be obtained through a Netscape browser) carrying the Netscape Object Signing extension. I attach the templates for the CA and for the end-user certificates.

I have created a demo certification authority, based on OpenSSL, that issues Netscape Object Signing certificates. The software is freely available at http://web.interpuntonet.it/mariofb

Unfortunately (for you) all the web pages and the related documentation are written in Italian. However, if you can translate the documentation, you will also find instructions on how to build object signing certificates for Netscape, and a simple demo applet which needs to be signed in order to work.

The software is written in Perl, and all the messages are kept in parameter files. If you can translate from Italian to English (or whatever language you like), you can easily get a web-based demo CA in your own language.

Ciao
--
Mario
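#
# OpenSSL (SSLeay-era) configuration file: template for the CA certificate.
#
# Used to generate the self-signed CA certificate (`openssl req -x509`, which
# takes its extensions from [ v3_ca ] through the [ req ] section) for a CA
# that signs CRLs and client, e-mail and Netscape object-signing certificates
# (see nsCertType in [ v3_ca ]).
#
# The original header read "Certificato con identificazione" (identity
# certificate); that wording seems inherited from the end-user template, while
# the extensions in this file describe the CA itself.
#
# Italian comments have been translated; runtime values (paths, URLs,
# nsComment, DN prompts) are left exactly as written.
#

#RANDFILE = $ENV::HOME/.rnd
# N.B.: a full path is needed when the shell environment is unknown, e.g.
# when the CA daemon is started from PHP and $ENV::HOME cannot be relied on.
RANDFILE = /home/ca/.rnd
oid_file = /home/ca/.oid
#oid_section = new_oids

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]
# Where everything is kept
dir = /home/ca/demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The CA private key
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to certificates issued with `openssl ca`.
# NOTE(review): this file defines no [ usr_cert ] section, so `openssl ca`
# run with this config cannot load its extension section unless
# -extensions/-extfile is given on the command line. The template appears to
# be intended only for creating the self-signed CA via `openssl req -x509`
# (which uses [ v3_ca ]) -- confirm before using it for issuance.
x509_extensions = usr_cert

# Extensions to add to a CRL. Note: Netscape Communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# How long to certify for (days). Applies to `openssl ca`; the self-signed
# CA certificate takes its lifetime from `openssl req -days` instead.
# The original carried two default_days keys (365 and 1085); OpenSSL's
# config parser keeps the last one, so only the effective value is kept.
default_days = 1085
# How long before the next CRL (days)
default_crl_days = 7
# Which message digest to use for certificate and CRL signatures.
# Was md5: MD5 is collision-broken and chosen-prefix collisions have been
# used to forge CA certificates, so it must not be used for signing.
# sha256 requires OpenSSL 0.9.8 or later.
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# For the CA policy
policy = policy_anything

[ policy_anything ]
countryName = supplied
stateOrProvinceName = optional
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
# RSA modulus size for new keys. Was 1024: 1024-bit RSA is below the
# accepted minimum for a signing key, and for a CA key in particular;
# 2048 is the floor.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self-signed cert
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
# stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = The INCA Org
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = The INCA org
0.organizationalUnitName = Organizational Unit Name 1 (eg, section)
# 0.organizationalUnitName_default = Home
1.organizationalUnitName = Organizational Unit Name 2 (eg, section)
1.organizationalUnitName_default = Tihuanaco
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
# The PKCS#10 challenge password is stored in the request in clear; it is
# not a secret the CA key depends on.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ v3_ca ]
# Extensions for a typical CA.

# It's a CA certificate (non-critical form, superseded below)
#basicConstraints = CA:true

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. The stock example leaves
# it out so the file can also produce a test self-signed certificate; it is
# enabled here because this template is for a real CA.
# RFC 5280 recommends marking keyUsage critical when present; it is left
# non-critical as in the original, for Netscape-era compatibility.
keyUsage = cRLSign, keyCertSign

# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
# Copy issuer details
issuerAltName = issuer:copy

# RAW DER hex encoding of an extension: beware, experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF

# NOTE(review): the CRL is served over HTTPS. A relying party checking
# revocation must then first validate the web server's certificate, which may
# itself chain to this CA and depend on this very CRL; plain http:// is the
# conventional choice for a CRL distribution point.
crlDistributionPoints = URI:https://aurora.space.worlds/ca-bin/crypt/c01crl.pl?a
#certificatePolicies = "I"

# Netscape-specific extensions. objCA is what the covering mail says Netscape
# needs in the CA certificate for object signing; modern verifiers rely on
# keyUsage / extendedKeyUsage instead.
nsCertType = sslCA, emailCA, objCA
nsBaseUrl = https://aurora.space.worlds/ca-bin/
nsCaRevocationUrl = crypt/c01crl.pl?a
nsRevocationUrl = crl/check-rev.pl?
nsCaPolicyUrl = CPS/cps.pl?CPS=ca
nsComment = "Certification Authority: firma crl, e certificati client, email, e objsign. Le CPS si trovano alla URL: http://aurora.space.worlds/ca/CPS/ca.html"

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
#issuerAltName=issuer:copy
# Original author's note (most likely about issuerAltName above): comment it
# out, otherwise the following command does not work:
#   openssl ca -gencrl -config /home/ca/etc/ident.cnf
authorityKeyIdentifier = keyid:always,issuer:always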
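#
# OpenSSL (SSLeay-era) configuration file: template for end-user identity
# certificates ("Certificato con identificazione"). The crl_ext comment
# refers to it as /home/ca/etc/ident.cnf.
#
# Used with `openssl ca` to issue certificates for browser and e-mail clients
# that Netscape will also accept for object signing (see [ usr_cert ]).
#
# Italian comments have been translated; runtime values (paths, URLs,
# nsComment, DN prompts, policy text) are left exactly as written.
#

#RANDFILE = $ENV::HOME/.rnd
# N.B.: a full path is needed when the shell environment is unknown, e.g.
# when the CA daemon is started from PHP and $ENV::HOME cannot be relied on.
RANDFILE = /home/ca/.rnd
oid_file = /home/ca/.oid
oid_section = new_oids

[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# 0.9.2342.19200300.100.1.1 is the RFC 1274 userId attribute, the same OID
# OpenSSL knows as UID. The Userid alias is currently unused: the policy and
# the DN prompts below use UID, and the Userid prompt is commented out.
Userid = 0.9.2342.19200300.100.1.1

####################################################################
[ ca ]
# The default ca section
default_ca = CA_default

####################################################################
[ CA_default ]
# Where everything is kept
dir = /home/ca/demoCA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# database index file
database = $dir/index.txt
# default place for new certs
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The CA private key
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to certificates issued with `openssl ca`
x509_extensions = usr_cert

# Extensions to add to a CRL. Note: Netscape Communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# How long to certify for (days).
# The original carried the same default_days key twice; duplicates are
# parser-dependent, so the single effective value is kept.
default_days = 365
# How long before the next CRL (days)
default_crl_days = 7
# Which message digest to use for certificate and CRL signatures.
# Was md5: MD5 is collision-broken and has been used to forge certificates,
# so it must not be used for signing. sha256 requires OpenSSL 0.9.8 or later.
default_md = sha256
# keep passed DN ordering
preserve = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# For the CA policy
policy = policy_ident

[ policy_ident ]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
# organizationName must equal the CA's own O: this CA only certifies its
# own organisation.
organizationName = match
organizationalUnitName = optional
description = optional
commonName = supplied
emailAddress = supplied
# every identity certificate must carry a UID
UID = supplied

####################################################################
[ req ]
# RSA modulus size for new keys. Was 1024: 1024-bit RSA is below the
# accepted minimum for a signing key; 2048 is the floor.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# The extensions to add to the self-signed cert (only used by `req -x509`)
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
# stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = The INCA Org
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = The INCA org
0.organizationalUnitName = Organizational Unit Name 1 (eg, section)
# 0.organizationalUnitName_default = Home
1.organizationalUnitName = Organizational Unit Name 2 (eg, section)
1.organizationalUnitName_default = Tihuanaco
description = Description (eg, whatever you want)
description_max = 255
commonName = Common Name (eg, YOUR name)
commonName_max = 64
UID = Uniq ID
UID_max = 20
#Userid = User Id
#Userid_max = 20
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
# The PKCS#10 challenge password is stored in the request in clear; it is
# not a secret the CA key depends on.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# For normal client use this is typical; objsign is what lets Netscape use
# the certificate for object signing.
nsCertType = client, email, objsign
nsBaseUrl = https://aurora.space.worlds/ca-bin/
nsCaRevocationUrl = crypt/c01crl.pl?a
nsRevocationUrl = crl/check-rev.pl?
nsCaPolicyUrl = CPS/cps.pl?CPS=ident
nsComment = "Certificato con identificazione. Le CPS si trovano alla URL:\012 http://aurora.space.worlds/ca/CPS/ident.html"
#nsCertExt
#nsDataType

# This is typical also; the ident policy allows nonRepudiation.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): a single certificate -- and thus a single private key -- is
# valid for TLS client authentication, e-mail protection AND code signing.
# Compromise of the browser/e-mail key then also yields a trusted code-signing
# key; a dedicated codeSigning-only certificate is the safer split.
extendedKeyUsage = clientAuth,emailProtection,codeSigning

# PKIX recommendations
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# Import the email address.
subjectAltName = email:copy
# Copy the issuer's details (the CA's subjectAltName) into issuerAltName --
# the stock "copy subject details" wording was misleading.
issuerAltName = issuer:copy
#issuerAltName="Tihuanaco"

# NOTE(review): the CRL is served over HTTPS. A relying party checking
# revocation must then first validate the web server's certificate, which may
# itself chain to this CA and depend on this very CRL; plain http:// is the
# conventional choice for a CRL distribution point.
crlDistributionPoints = URI:https://aurora.space.worlds/ca-bin/crypt/c01crl.pl?a

# Certificate policies with a CPS pointer and a user notice.
#certificatePolicies=ia5org,1.3.5.87.2,@polsect
certificatePolicies = ia5org,@polsect

[polsect]
# NOTE(review): 1.3.5.87.2 looks like a placeholder; a production CA should
# assert a policy OID from an arc registered to the issuing organisation.
policyIdentifier = 1.3.5.87.2
CPS.1 = "http://aurora.space.worlds/ca-bin/CPS/cps.pl?CPS=ident"
#CPS.2="http://aurora.space.worlds/ca-bin/CPS/cps.pl?CPS=ident"
userNotice.1 = @notice

[notice]
explicitText = "Certificato con identificazione per browser e email clients"
organization = "The INCA Org"
noticeNumbers = 1,2

[ v3_ca ]
# Extensions for a typical CA.
# Only reached through `openssl req -x509` with this file; it is the stock
# example section. The CA template used for the real CA certificate marks
# basicConstraints critical and sets keyUsage -- prefer that one for any CA.

# It's a CA certificate
basicConstraints = CA:true

# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
#keyUsage = cRLSign, keyCertSign

# Some might want this also
#nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName = email:copy
# Copy issuer details
issuerAltName = issuer:copy

# RAW DER hex encoding of an extension: beware, experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
#issuerAltName=issuer:copy
# Original author's note (most likely about issuerAltName above): comment it
# out, otherwise the following command does not work:
#   openssl ca -gencrl -config /home/ca/etc/ident.cnf
authorityKeyIdentifier = keyid:always,issuer:always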