# Create a X.509 certificate

- This is a Jupyter Notebook using Python 3.7 and openSSl to create a X.509 self-signed certificate for authenticating the signer using the openSSL command line tool.

- This will Generate RSA256 public and private keys for signing

- Typically you will this DO THIS ONLY ONCE and reuse the certificate.

*Although self-signed certificates are used for the purpose of these examples, they are not recommended for production systems.*

### Step 1: Pre-configure the self-signed cert with a configuration file

the following Bash command writes a multiline string to a new file

Instructions:
  1. Update the output directory
  2. Update the configuration manually with your values. See [openSSl](https://www.openssl.org/) library for details

Modern standards (e.g., RFC 2818 for HTTPS) prioritize SAN( [alt_names] ) over CN (commonName)f or identity verification, as SAN supports multiple identifiers and is less ambiguous.


 - DNS or dNSName (DNS Name), which represents a fully qualified domain name (FQDN) 
   -  e.g.,  `DNS.1=www.example.org`
 - otherName (Tag [0], OtherName)  for NPI or Taxid (Most public CAs (e.g., DigiCert, Entrust) may not support custom otherName  :-()

   - define an OID
   - NPI Value as string
   -  otherName.1: Specifies the NPI with the format OID;TYPE:VALUE.
        - e.g. : `otherName.1 = 2.16.840.1.113883.4.6;UTF8:1234567890`
- URI or uniformResourceIdentifier (Tag [6], IA5String):  for FHIR resource 
  -  e.g., `URI.1 = https://example.org/fhir/Practitioner/123`


In [49]:
%%bash
# Define a directory variable
cat << 'EOF' | tee /tmp/vars.sh  #bash commands do not edit
DIR_PATH="example_org_cert"  #update directory with your value
EOF

DIR_PATH="example_org_cert"  #update directory with your value


In [50]:
%%bash
# =================== bash commands do not edit =======================
# Source the script to load the variable
source /tmp/vars.sh
# Create the directory if it doesn't exist
mkdir -p "$DIR_PATH"  # -p ensures no error if directory already exists

# Use here-document to write to a file in the specified directory
cat << EOF| tee "$DIR_PATH/cert.config"  # Write to newfile.txt in the directory
# ===========Configuration for healthcare certificate with NPI and FHIR endpoint ===========
# =================== update configuration manually with your values =======================
[req]
default_bit = 4096
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca

# Subject details
[req_distinguished_name]
countryName             = US
stateOrProvinceName     = California
localityName            = Sausalito
organizationName        = Example Organization
commonName              = John Hancock, MD
emailAddress            = jhancock@example.org

[v3_ca]
basicConstraints = CA:TRUE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment

# SAN extension
subjectAltName = @alt_names

# SAN entries for FHIR and NPI
[alt_names]
DNS.1 = www.example.org
otherName.1 = 2.16.840.1.113883.4.6;UTF8:9941339100
URI.1 = https://example.org/fhir/Practitioner/123
EOF
# don't edit the previous line

[req]
default_bit = 4096
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca

# Subject details
[req_distinguished_name]
countryName             = US
stateOrProvinceName     = California
localityName            = Sausalito
organizationName        = Example Organization
commonName              = John Hancock, MD
emailAddress            = jhancock@example.org

[v3_ca]
basicConstraints = CA:TRUE
keyUsage=nonRepudiation, digitalSignature, keyEncipherment

# SAN extension
subjectAltName = @alt_names

# SAN entries for FHIR and NPI
[alt_names]
DNS.1 = www.example.org
otherName.1 = 2.16.840.1.113883.4.6;UTF8:9941339100
URI.1 = https://example.org/fhir/Practitioner/123


### Step 2: Generate the public and private keys and cert using the openSSL command line tool.

- Saved in the $DIR_PATH folder
- For the purpose of this example display the keys (normally would never share the private key)


In [51]:
%%bash
# Source the script to load the variable
source /tmp/vars.sh
# generate the private 
openssl genrsa -out "$DIR_PATH/private-key.pem" 3072
openssl rsa -in "$DIR_PATH/private-key.pem" -pubout -out "$DIR_PATH/public-key.pem"
openssl req -new -x509 -key "$DIR_PATH/private-key.pem" -outform DER -out "$DIR_PATH/cert.der" -days 720 -config "$DIR_PATH/cert.config"
echo  "********* normally you would never share this! ***********"
cat "$DIR_PATH/private-key.pem"
echo  "********* you only share this! ***********"
cat "$DIR_PATH/public-key.pem"


********* normally you would never share this! ***********
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCjH5km+I+96qNw
BBLxtEYq3QCkY8jngDbjpPxD0WElWXWicB4gr8e9pHa6AA3pQc4MpBiQvVnUs7Dm
fmjNcolvqizvsgWZCODQm4pCbADNaO/0cDVagHXBsDgdmAxFRxHPMneUadwLa0po
kRhAWd1hyz0xXTbdES1VjhYgOEB098Uq2shIzvIfc4dIFTPSy8Et+EpQAZo3+D68
NAfWF9n4QyEVg8TH5YyqPUaQoEUKFr2Zm4+KFjVW9Xw3siVuV0wV2dGcU2L9QgDo
xOX812t+UoLXuXFOXf9sRRsZb2unmV1RXXERCEmhHMnBb4owx3muNl7oqLMgF9HI
JOo340IMgbdnMNsY/vS7E/oFFzgQNCF1ymeZxmawBDf84hJ123mz9fn2JKu0wWgc
putSu3WgAFE/2+ilM8eOIhpMDbI9d4BOlLIidWvh3/uD6yfm7+ScWXGMcP4ZQB9U
C2Wm9jSOOsYaWEYfj+gGdI1bhV2sPfpwDTGqVNJ9KOWEAhyOu7ECAwEAAQKCAYAK
hRao6z3F5zRsHG8mVFR0HjWU5HSH7X5ctv6n1wB3WqoZ9DYVMJDmm40mmKtNADfs
G8cTyopZC8+cRcm3eiv/3g8w1B/FS0vIWEeV2gZBOQPElVnzgLZXa+hqjCw6aYdt
/9izYxJUUDKHxNe2CrWawXMsVFEd96YfTt8Ba+9IO9Rk26AwBdyah6ZRUUC61vYZ
41nTiA7sjh9pnsdkmLwvZRDkpM9TfuvP7My4tgVNzcKjfeNHagA9n+5HXz9Huuxs
Px000Q/SV/N7XBQN9NX899GQtik2kMq3aFoYT6ysnF87VWTXDlGH2bb0PHqKaTzY
G6q

writing RSA key


#### Show the Certificate in DER Format  

In [52]:
%%bash
# Source the script to load the variable
source /tmp/vars.sh
openssl x509 -in "$DIR_PATH/cert.der" -inform DER -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            24:43:76:d4:e0:b5:13:8b:e6:41:6f:cc:4b:b8:6f:f2:ca:16:06:0b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Sausalito, O = Example Organization, CN = "John Hancock, MD", emailAddress = jhancock@example.org
        Validity
            Not Before: Jun 20 22:14:55 2025 GMT
            Not After : Jun 10 22:14:55 2027 GMT
        Subject: C = US, ST = California, L = Sausalito, O = Example Organization, CN = "John Hancock, MD", emailAddress = jhancock@example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:a3:1f:99:26:f8:8f:bd:ea:a3:70:04:12:f1:b4:
                    46:2a:dd:00:a4:63:c8:e7:80:36:e3:a4:fc:43:d1:
                    61:25:59:75:a2:70:1e:20:af:c7:bd:a4:76:ba:00:
                    0d:e9:41:ce:0c:a4:18:90:bd:59:d4:b3:b0:

##### Show the Certificate in PEM format

In [53]:
%%bash
# Source the script to load the variable
source /tmp/vars.sh
openssl x509 -in "$DIR_PATH/cert.der" -inform DER -outform PEM -out "$DIR_PATH/cert.pem"
cat "$DIR_PATH/cert.pem"

-----BEGIN CERTIFICATE-----
MIIFWjCCA8KgAwIBAgIUJEN21OC1E4vmQW/MS7hv8soWBgswDQYJKoZIhvcNAQEL
BQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH
DAlTYXVzYWxpdG8xHTAbBgNVBAoMFEV4YW1wbGUgT3JnYW5pemF0aW9uMRkwFwYD
VQQDDBBKb2huIEhhbmNvY2ssIE1EMSMwIQYJKoZIhvcNAQkBFhRqaGFuY29ja0Bl
eGFtcGxlLm9yZzAeFw0yNTA2MjAyMjE0NTVaFw0yNzA2MTAyMjE0NTVaMIGVMQsw
CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU2F1c2Fs
aXRvMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjEZMBcGA1UEAwwQSm9o
biBIYW5jb2NrLCBNRDEjMCEGCSqGSIb3DQEJARYUamhhbmNvY2tAZXhhbXBsZS5v
cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCjH5km+I+96qNwBBLx
tEYq3QCkY8jngDbjpPxD0WElWXWicB4gr8e9pHa6AA3pQc4MpBiQvVnUs7DmfmjN
colvqizvsgWZCODQm4pCbADNaO/0cDVagHXBsDgdmAxFRxHPMneUadwLa0pokRhA
Wd1hyz0xXTbdES1VjhYgOEB098Uq2shIzvIfc4dIFTPSy8Et+EpQAZo3+D68NAfW
F9n4QyEVg8TH5YyqPUaQoEUKFr2Zm4+KFjVW9Xw3siVuV0wV2dGcU2L9QgDoxOX8
12t+UoLXuXFOXf9sRRsZb2unmV1RXXERCEmhHMnBb4owx3muNl7oqLMgF9HIJOo3
40IMgbdnMNsY/vS7E/oFFzgQNCF1ymeZxmawBDf84hJ123mz9fn2JKu0wWgcpu