Bytes: 409
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Eggman, OU=Root CA 1
        Validity
            Not Before: Jan 1 00:00:01 2004 GMT
            Not After : Dec 31 23:59:59 2028 GMT
        Subject: C=US, O=Eggman, OU=Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:79:6c:81:c4:08:46:3f:04:bf:5d:88:b7:5d:f5:
                    44:7e:f4:e0:49:40:11:4c:8b:f3:1b:1d:02:00:ce:
                    35:1e:6a:22:ed:88:1a:1a:82:c2:d5:e5:94:df:da:
                    f2:b8:2c:8e:f9:02:a3:05:f3:65:46:20:1a:91:db:
                    7b:fe:21:e8:20
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B1:2A:1D:FD:F1:05:DF:79:1C:11:D4:E5:17:B8:68:DB:5E:D0:1B:90
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
        30:45:02:20:36:d4:a1:29:a6:13:b0:2f:71:d3:60:38:2c:70:
        bb:5d:b8:7c:9a:c0:64:e4:8c:79:4c:09:58:0c:d6:31:c3:29:
        02:21:00:b1:87:f1:a6:db:11:d3:d5:b2:21:e5:13:c2:71:f7:
        c5:bb:25:0f:20:5a:fe:13:34:1e:5f:ea:92:c9:81:e5:30
Bytes: 586
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Eggman, OU=Root CA 1
        Validity
            Not Before: Jan 1 00:00:01 2011 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=US, O=Eggman, OU=Internet CA 1B
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d3:5f:f3:dc:8f:cb:f8:3b:0c:55:a1:a9:6d:65:
                    ea:ce:da:8e:f9:96:42:9c:48:7c:eb:c6:64:48:76:
                    5a:18:0b:87:74:d4:80:66:c9:de:ea:7a:e1:d2:c3:
                    30:b4:6b:47:ba:fb:73:20:6a:fd:dc:6a:3c:22:e2:
                    77:bf:a6:61:78
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D6:31:BA:63:B9:EC:F8:A0:6B:E9:4A:39:13:36:BD:B1:82:6F:91:01
            X509v3 Authority Key Identifier:
                keyid:B1:2A:1D:FD:F1:05:DF:79:1C:11:D4:E5:17:B8:68:DB:5E:D0:1B:90
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Authority Information Access:
                CA Issuers - URI:http://a.b.cd/r4.cer
                OCSP - URI:http://a.b.cd
            X509v3 CRL Distribution Points:
                Full Name:
                    URI:http://a.b.cd/r4.crl
    Signature Algorithm: ecdsa-with-SHA256
        30:44:02:20:19:15:7a:95:65:22:ca:b5:1e:9d:94:63:7e:4b:
        92:fb:b1:29:4f:2d:bc:82:fe:0e:6c:d4:32:2a:ca:8b:c1:f4:
        02:20:7d:a2:9f:44:0f:59:0b:6e:4f:68:8d:d2:82:22:0f:18:
        d0:ad:e3:a6:b4:ef:81:55:b3:6c:c3:28:6c:48:53:0a
Bytes: 593
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11783754281972655554 (0xa3884e162177e5c2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Eggman, OU=Internet CA 1B
        Validity
            Not Before: Feb 26 16:00:00 2015 GMT
            Not After : Feb 28 15:59:59 2016 GMT
        Subject: serialNumber=A3884E162177E5C2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:bd:b0:fe:8b:a5:83:53:aa:88:1b:47:52:00:3e:
                    5c:5d:e4:39:01:9b:f3:d9:6c:84:05:b6:d1:8e:b2:
                    4a:a2:a6:aa:57:b9:4f:65:9c:8e:f9:d0:a7:8e:b5:
                    78:3e:16:b5:cc:bb:60:77:ba:c3:49:ae:21:ed:8e:
                    b8:9a:39:88:65
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B1:2A:1D:FD:F1:05:DF:79:1C:11:D4:E5:17:B8:68:DB:5E:D0:1B:90
            X509v3 Certificate Policies:
                Policy: 1.3.187.1
            X509v3 Subject Alternative Name:
                DNS:*.example.org, DNS:example.org
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                    URI:http://a.b.cd/1b.crl
            Authority Information Access:
                CA Issuers - URI:http://a.b.cd/1b.cer
                OCSP - URI:http://a.b.cd
    Signature Algorithm: ecdsa-with-SHA256
        30:46:02:21:00:f2:1a:fe:7d:36:cd:4c:0e:45:4f:32:2f:f1:
        9c:61:84:a1:53:db:ce:39:7c:95:a9:01:4d:6e:6c:bc:72:cf:
        7e:02:21:00:94:3a:00:1f:5b:72:9e:63:e6:97:fc:34:ac:60:
        1a:a6:1b:7e:c2:c4:fc:1d:27:45:74:49:a7:87:d9:33:75:d9
Code that generated this chain follows.
#!/usr/bin/env ruby
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'openssl'
# Monkey patch to make EC keys work
class OpenSSL::PKey::EC
  def private?
    private_key?
  end
end
NIST_P256 = OpenSSL::PKey::EC::Group.new('prime256v1')
# Set up Names and Keys for all the certs
# The third element of each entry is the ASN.1 tag; 19 is PrintableString
ROOT = [
  ["C", "US", 19],
  ["O", "Eggman", 19],
  ["OU", "Root CA 1", 19]
]
# EC.generate returns a complete key pair; calling generate_key on an
# existing key object fails on OpenSSL 3.0, where keys are immutable
root_key = OpenSSL::PKey::EC.generate(NIST_P256)
SUBORDINATE = [
  ["C", "US", 19],
  ["O", "Eggman", 19],
  ["OU", "Internet CA 1B", 19]
]
subordinate_key = OpenSSL::PKey::EC.generate(NIST_P256)
END_ENTITY_SANS = "DNS:*.example.org, DNS:example.org"
end_entity_key = OpenSSL::PKey::EC.generate(NIST_P256)
# Generate all the certs
root_cert = OpenSSL::X509::Certificate.new
root_cert.version = 0x2
root_cert.serial = 0x1
# Use UTC so the validity period does not depend on the local time zone
root_cert.not_before = Time.utc(2004, 1, 1, 0, 0, 1)
root_cert.not_after = Time.utc(2028, 12, 31, 23, 59, 59)
root_cert.subject = OpenSSL::X509::Name.new(ROOT)
root_cert.issuer = root_cert.subject
root_cert.public_key = root_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = root_cert
ef.issuer_certificate = root_cert
root_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
root_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
# DigitalSignature is needed to sign OCSP responses (http://goo.gl/DExis9)
root_cert.add_extension(ef.create_extension("keyUsage","digitalSignature, keyCertSign, cRLSign", true))
root_cert.sign(root_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{root_cert.to_der.length}"
puts root_cert.to_text
puts root_cert.to_pem
puts ""
issuer_cert = OpenSSL::X509::Certificate.new
issuer_cert.version = 0x2
issuer_cert.serial = 0x7
# Use UTC so the validity period does not depend on the local time zone
issuer_cert.not_before = Time.utc(2011, 1, 1, 0, 0, 1)
issuer_cert.not_after = Time.utc(2020, 12, 31, 23, 59, 59)
issuer_cert.subject = OpenSSL::X509::Name.new(SUBORDINATE)
issuer_cert.issuer = root_cert.subject
issuer_cert.public_key = subordinate_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.config = OpenSSL::Config.new
ef.subject_certificate = issuer_cert
ef.issuer_certificate = root_cert
issuer_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
issuer_cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
issuer_cert.add_extension(ef.create_extension("certificatePolicies","2.5.29.32.0"))
issuer_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE, pathlen:0", true))
# DigitalSignature is needed to sign OCSP responses (http://goo.gl/DExis9)
issuer_cert.add_extension(ef.create_extension("keyUsage","digitalSignature, keyCertSign, cRLSign", true))
issuer_cert.add_extension(ef.create_extension("authorityInfoAccess","caIssuers;URI:http://a.b.cd/r4.cer,OCSP;URI:http://a.b.cd"))
issuer_cert.add_extension(ef.create_extension("crlDistributionPoints","URI:http://a.b.cd/r4.crl"))
issuer_cert.sign(root_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{issuer_cert.to_der.length}"
puts issuer_cert.to_text
puts issuer_cert.to_pem
puts ""
ee_cert = OpenSSL::X509::Certificate.new
ee_cert.version = 0x2
ee_cert.serial = OpenSSL::BN.rand(64, -1, 0)
# Use UTC so the validity period does not depend on the local time zone
ee_cert.not_before = Time.utc(2015, 2, 26, 16, 0, 0)
ee_cert.not_after = Time.utc(2016, 2, 28, 15, 59, 59)
# http://tools.ietf.org/html/rfc4519#section-2.31
# serialNumber can only be a printableString
ee_cert.subject = OpenSSL::X509::Name.new([
  ["serialNumber", ee_cert.serial.to_s(16), OpenSSL::ASN1::PRINTABLESTRING]
])
ee_cert.issuer = issuer_cert.subject
ee_cert.public_key = end_entity_key
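ef = OpenSSL::X509::ExtensionFactory.new
ef.config = OpenSSL::Config.new
# The leaf is the subject and the subordinate CA is its issuer, so that
# keyid:always copies the subordinate's subjectKeyIdentifier into the leaf
ef.subject_certificate = ee_cert
ef.issuer_certificate = issuer_cert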
# Python skips the first extension when trying to find the SAN
# extension, so ensure SAN is not the first extension
# http://bugs.python.org/issue13034
ee_cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
ee_cert.add_extension(ef.create_extension("certificatePolicies","1.3.187.1"))
ee_cert.add_extension(ef.create_extension("subjectAltName",END_ENTITY_SANS))
# EC keys in certificates are used for ECDSA, so we only need digitalSignature
ee_cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
ee_cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth, clientAuth"))
ee_cert.add_extension(ef.create_extension("crlDistributionPoints","URI:http://a.b.cd/1b.crl"))
ee_cert.add_extension(ef.create_extension("authorityInfoAccess","caIssuers;URI:http://a.b.cd/1b.cer,OCSP;URI:http://a.b.cd"))
ee_cert.sign(subordinate_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{ee_cert.to_der.length}"
puts ee_cert.to_text
puts ee_cert.to_pem
# Print ourself
puts "\nCode that generated this chain follows.\n"
puts File.read($0)
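
The leaf in the dump above carries authority key identifier B1:2A:…, which is the root's subject key identifier, while its issuer, Internet CA 1B, has D6:31:…; the signature is still made with the subordinate key, so the mismatch is easy to miss. The Ruby check below is an added example, not part of the original gist: it builds a constructed chain (the names and the helpers `key_id`, `linked?`, `issue` and `demo_chain` are illustrative) and flags a certificate whose AKI does not name its issuer's key.

```ruby
require 'openssl'

# Hex key identifier from an SKI or AKI extension, or nil when absent.
def key_id(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  ext && ext.value[/(?:[0-9A-F]{2}:)+[0-9A-F]{2}/]
end

# A child is linked to an issuer when its AKI names the issuer's SKI and
# the issuer's public key verifies the child's signature.
def linked?(child, issuer)
  aki = key_id(child, 'authorityKeyIdentifier')
  !aki.nil? && aki == key_id(issuer, 'subjectKeyIdentifier') &&
    child.verify(issuer.public_key)
end

# Constructed helper: issue a short-lived test certificate. aki_source is the
# certificate the ExtensionFactory copies the key identifier from.
def issue(cn, key, signer_cert, signer_key, aki_source, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = signer_cert ? signer_cert.subject : cert.subject
  cert.public_key = key
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = aki_source || cert
  if is_ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  end
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always', false)) if aki_source
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
end

# Constructed chain: the "bad" leaf takes its AKI from the root, as the leaf
# in the dump does, while the "good" leaf takes it from the signing CA.
def demo_chain
  rk, sk, lk = Array.new(3) { OpenSSL::PKey::EC.generate('prime256v1') }
  root = issue('Constructed Root', rk, nil, rk, nil, true)
  sub = issue('Constructed Sub CA', sk, root, rk, root, true)
  { root: root, sub: sub,
    bad: issue('bad.example.org', lk, sub, sk, root, false),
    good: issue('good.example.org', lk, sub, sk, sub, false) }
end

demo_chain.each { |name, c| puts "#{name}: AKI=#{key_id(c, 'authorityKeyIdentifier').inspect}" }
```

Path builders that select issuer candidates by key identifier may fail to find the subordinate for the "bad" leaf even though its signature verifies, which is why the check compares identifiers and signature together.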