Creación de una CA, un certificado de servidor y certificados de cliente
Con esto creamos una CA y uno o varios certificados de cliente firmados por ella. También podemos crear un certificado de servidor. Ojo: para que el servidor pueda *verificar* los certificados de cliente tiene que confiar en esa CA (opción `ca` de `https.createServer`) y comprobar `socket.authorized`; si solo lee `getPeerCertificate()` está aceptando cualquier certificado, incluido uno autofirmado por el cliente.
CÓDIGO NODE/EXPRESS PARA DETECTAR (Y VERIFICAR) EL CLIENT CERTIFICATE
const express = require("express")
const https = require("https")
const fs = require("fs")
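const app = express();

// HTTPS server that *requests* a client certificate during the TLS handshake.
//
// `ca` is the CA that signed the client certificates (see the notes above).
// Without it Node has nothing to verify the presented certificate against,
// so `socket.authorized` could never be true for our own CA and the subject /
// issuer fields read below would be whatever the client chose to put there.
//
// `rejectUnauthorized: false` is kept on purpose: the handshake completes even
// when the certificate is missing or does not chain to `ca`, so the middleware
// below can answer with a readable HTTP error instead of a bare TLS alert.
// That is only safe because the middleware checks `socket.authorized` before
// trusting anything in the certificate.
https.createServer({
  key: fs.readFileSync("key.pem"),
  cert: fs.readFileSync("cert.pem"),
  ca: fs.readFileSync("ca.pem"),
  requestCert: true,
  rejectUnauthorized: false,
}, app).listen(3000);

// Gate every route on a client certificate that was actually verified
// against `ca`; on success the certificate is exposed as `req.cert`.
app.use(function (req, res, next) {
  const socket = req.socket;
  const cert = socket.getPeerCertificate();
  // getPeerCertificate() yields an object without `subject` (it may be empty)
  // when the client sent no certificate at all.
  if (!cert || !cert.subject) {
    // res.status() must precede res.send(); the original order sent a 200.
    res.status(401).send({ error: "no cert" });
    return;
  }
  if (!socket.authorized) {
    // A certificate was presented but did not verify (wrong CA, expired, ...).
    // Log the reason server-side only; do not hand it to an unauthenticated peer.
    console.error("client certificate rejected:", socket.authorizationError);
    res.status(403).send({ error: "cert not verified" });
    return;
  }
  req.cert = cert;
  next();
});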
app.get("/", (req, res) => {
console.log("hola")
// res.send(Buffer.from(JSON.stringify(req.cert)).toString("base64"))
res.send(JSON.stringify(req.cert, null, 4))
})
app.get("/vc", async (req, res) =>{
res.send("mas adelant")
//console.log(JSON.stringify(signedVC, null, 2));
})
Invocation via curl, passing a client certificate and its private key. Note that the server in the listing above does not verify the certificate (`rejectUnauthorized: false` and no `ca` option), so the `200 OK` below only shows that *a* certificate was presented, not that it was issued by our CA; curl itself only verifies the server's Let's Encrypt certificate.
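# GET / presenting the client certificate and key (run from the directory that
# holds client-cert.pem / client-key.pem). --verbose shows the TLS handshake,
# including the server's "Request CERT (13)" and the certificate we send back.
# The original also piped a JSON body with --request GET; the route ignores it
# and a body on GET is non-standard, so it is dropped here.
curl --request GET \
  --url https://cert.jvh.kfs.es:3000/ \
  --cert client-cert.pem \
  --key client-key.pem \
  --verbose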
* Trying 79.150.186.236:3000...
* Connected to cert.jvh.kfs.es (79.150.186.236) port 3000 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, CERT verify (15):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=cert.jvh.kfs.es
* start date: Sep 15 08:58:59 2023 GMT
* expire date: Dec 14 08:58:58 2023 GMT
* subjectAltName: host "cert.jvh.kfs.es" matched cert's "cert.jvh.kfs.es"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: cert.jvh.kfs.es:3000
> User-Agent: curl/8.1.2
> Accept: */*
> Content-Type: application/json
> Content-Length: 20
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: text/html; charset=utf-8
< Content-Length: 19506
< ETag: W/"4c32-SjNwpvj239IXXnylhHNg6RK9qFI"
< Date: Sat, 16 Sep 2023 08:28:02 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
{
"subject": {. // Datos del subject
"C": "AU",
"ST": "Some-State",
"O": "Internet Widgits Pty Ltd",
"CN": "client"
},
"issuer": { // DATOS DE LA CA
"C": "AU",
"ST": "Some-State",
"O": "Internet Widgits Pty Ltd",
"CN": "ca"
},
"ca": false,
"modulus": "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",
"bits": 2048,
"exponent": "0x10001",
"pubkey": {
"type": "Buffer",
"data": [
48,
130,
1,
34,
48,
13,
6,
9,
(to be continued)