
How to add certificate policies to intermediate certificate? #962

Closed
skitale-design opened this issue Jan 15, 2019 · 1 comment

Comments

@skitale-design

skitale-design commented Jan 15, 2019

Can't find any instructions on how to add policies to the intermediate certificate through the configuration file.
When I pass the command:
cfssl gencert -ca root.crt -ca-key root.key -config="config.json" -profile="intermediate" intermediate.json | cfssljson -bare intermediate -

It generates the intermediate certificate without a "Certificate Policies" line at all.

config.json:

{
  "auth_keys": {
    "AST": {
      "type": "standard",
      "key": "a3423aB3423BF123"
    }
  },
  "signing": {
    "default": {
      "ocsp_url": "http://addr.com",
      "crl_url": "http://addr.com/list.crl",
      "expiry": "10944h",
      "auth_key": "AST",
      "usages": [
        "signing",
        "key encipherment",
        "client auth"
      ]
    },
    "profiles": {
      "ocsp": {
        "expiry": "87600h",
        "usages": [
          "digital signature",
          "ocsp signing"
        ]
      },
      "intermediate": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      },
      "server": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
@skitale-design skitale-design changed the title How to add certificate policies to the intermediate? How to add certificate policies to intermediate certificate? Jan 15, 2019
@skitale-design
Author

The basic configuration, evidently, doesn't support reading Policies from the JSON file. To add this option, some minor source-code changes are needed:
config/config.go: add the `json:"CertificatePolicy"` tag

type SigningProfile struct {
	Usage               []string     `json:"usages"`
	IssuerURL           []string     `json:"issuer_urls"`
	OCSP                string       `json:"ocsp_url"`
	CRL                 string       `json:"crl_url"`
	CAConstraint        CAConstraint `json:"ca_constraint"`
	OCSPNoCheck         bool         `json:"ocsp_no_check"`
	ExpiryString        string       `json:"expiry"`
	BackdateString      string       `json:"backdate"`
	AuthKeyName         string       `json:"auth_key"`
	RemoteName          string       `json:"remote"`
	NotBefore           time.Time    `json:"not_before"`
	NotAfter            time.Time    `json:"not_after"`
	NameWhitelistString string       `json:"name_whitelist"`
	AuthRemote          AuthRemote   `json:"auth_remote"`
	CTLogServers        []string     `json:"ct_log_servers"`
	AllowedExtensions   []OID        `json:"allowed_extensions"`
	CertStore           string       `json:"cert_store"`

	Policies                    []CertificatePolicy `json:"CertificatePolicy"` // added JSON tag, matching the "CertificatePolicy" key used in config.json below
	Expiry                      time.Duration
	Backdate                    time.Duration
	Provider                    auth.Provider
	RemoteProvider              auth.Provider
	RemoteServer                string
	RemoteCAs                   *x509.CertPool
	ClientCert                  *tls.Certificate
	CSRWhitelist                *CSRWhitelist
	NameWhitelist               *regexp.Regexp
	ExtensionWhitelist          map[string]bool
	ClientProvidesSerialNumbers bool
}

Add a block with the Policy options to config.json:

      "CertificatePolicy":[{
        "ID": "2.23.140.1.2.1.1",
        "Qualifiers": [{
          "Type": "id-qt-unotice",
          "Value": "json type = id-qt-unotice"
        }, {
          "Type": "id-qt-cps",
          "Value": "type = id-qt-cps"
        }]
      }]

In my config.json this section is placed in the "signing" section:

{
  "auth_keys": {
    "AST": {
      "type": "standard",
      "key": "a3423aB3423BF123"
    }
  },
  "signing": {
    "default": {
      "ocsp_url": "http://addr.com",
      "crl_url": "http://addr.com/list.crl",
      "expiry": "10944h",
      "auth_key": "AST",
      "usages": [
        "signing",
        "key encipherment",
        "client auth"
      ],
      "CertificatePolicy":[{
        "ID": "2.23.140.1.2.1.1",
        "Qualifiers": [{
          "Type": "id-qt-unotice",
          "Value": "json type = id-qt-unotice"
        }, {
          "Type": "id-qt-cps",
          "Value": "type = id-qt-cps"
        }]
      }]
    },
    "profiles": {
      "ocsp": {
        "expiry": "87600h",
        "usages": [
          "digital signature",
          "ocsp signing"
        ]
      },
      "intermediate": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      },
      "server": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "10944h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

I hope it helps.
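
What the "CertificatePolicy" block above turns into inside the certificate, and how to check that an issued intermediate actually carries it, as an added Go example (this is not cfssl's own code; the type and function names are this example's, and the constructed sample reuses the policy ID and qualifier values from the config.json in this thread). The encoding follows RFC 5280 section 4.2.1.4: the certificatePolicies extension (OID 2.5.29.32) is a SEQUENCE OF PolicyInformation, each holding the policy OID plus optional PolicyQualifierInfo entries of type id-qt-cps (an IA5String URI) or id-qt-unotice (a UserNotice, of which only the explicitText part is handled here).

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// OIDs from RFC 5280 section 4.2.1.4: the extension itself and its two qualifier types.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidQtCPS               = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
	oidQtUnotice           = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}
)

// Config-side shape mirroring the issue's JSON (this example's own types, not cfssl's).
type PolicyQualifier struct{ Type, Value string }
type CertificatePolicy struct {
	ID         asn1.ObjectIdentifier
	Qualifiers []PolicyQualifier
}

// Wire-side shapes: PolicyInformation and the two PolicyQualifierInfo forms.
type policyInformation struct {
	ID         asn1.ObjectIdentifier
	Qualifiers []asn1.RawValue `asn1:"optional,omitempty"`
}
type cpsQualifier struct {
	ID  asn1.ObjectIdentifier
	URI string `asn1:"ia5"` // CPSuri ::= IA5String
}
type userNotice struct {
	ExplicitText string `asn1:"utf8"` // the optional noticeRef is not handled
}
type unoticeQualifier struct {
	ID     asn1.ObjectIdentifier
	Notice userNotice
}

// EncodeCertificatePolicies returns the DER value of the certificatePolicies extension.
func EncodeCertificatePolicies(policies []CertificatePolicy) ([]byte, error) {
	var infos []policyInformation
	for _, p := range policies {
		info := policyInformation{ID: p.ID}
		for _, q := range p.Qualifiers {
			var der []byte
			var err error
			switch q.Type {
			case "id-qt-cps":
				der, err = asn1.Marshal(cpsQualifier{oidQtCPS, q.Value})
			case "id-qt-unotice":
				der, err = asn1.Marshal(unoticeQualifier{oidQtUnotice, userNotice{q.Value}})
			default:
				err = fmt.Errorf("unknown qualifier type %q", q.Type)
			}
			if err != nil {
				return nil, err
			}
			info.Qualifiers = append(info.Qualifiers, asn1.RawValue{FullBytes: der})
		}
		infos = append(infos, info)
	}
	return asn1.Marshal(infos)
}

// DecodeCertificatePolicies parses an extension value back into the config-side shape.
func DecodeCertificatePolicies(value []byte) ([]CertificatePolicy, error) {
	var infos []policyInformation
	if _, err := asn1.Unmarshal(value, &infos); err != nil {
		return nil, err
	}
	var out []CertificatePolicy
	for _, info := range infos {
		p := CertificatePolicy{ID: info.ID}
		for _, raw := range info.Qualifiers {
			// Try each known qualifier shape; a wrong ID or a wrong body type fails the match.
			var c cpsQualifier
			var u unoticeQualifier
			if _, err := asn1.Unmarshal(raw.FullBytes, &c); err == nil && c.ID.Equal(oidQtCPS) {
				p.Qualifiers = append(p.Qualifiers, PolicyQualifier{"id-qt-cps", c.URI})
			} else if _, err := asn1.Unmarshal(raw.FullBytes, &u); err == nil && u.ID.Equal(oidQtUnotice) {
				p.Qualifiers = append(p.Qualifiers, PolicyQualifier{"id-qt-unotice", u.Notice.ExplicitText})
			} else {
				return nil, errors.New("unsupported or malformed policy qualifier")
			}
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed input: the policy block from the config.json in this thread.
	der, err := EncodeCertificatePolicies([]CertificatePolicy{{ID: asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1, 1},
		Qualifiers: []PolicyQualifier{{"id-qt-unotice", "json type = id-qt-unotice"}, {"id-qt-cps", "type = id-qt-cps"}}}})
	fmt.Printf("certificatePolicies DER: %x (err=%v)\n", der, err)
}
```

To inspect a certificate written by `cfssljson -bare intermediate`, parse the PEM with crypto/x509 and pass `ext.Value` of the entry in `cert.Extensions` whose `Id` equals 2.5.29.32 to `DecodeCertificatePolicies`; if no such entry exists, the extension was not emitted, which is the symptom this issue starts from. `openssl x509 -in intermediate.pem -noout -text` shows the same data under "X509v3 Certificate Policies".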
