
How to get a PEM certificate from a certificate signing request? #154

Closed
ghost opened this issue Jul 28, 2014 · 5 comments

Comments

@ghost

ghost commented Jul 28, 2014

Hi,
First, I want to thank you for your implementation of TLS, it's very useful.

I was wondering if it is possible to transform a *.csr into a signed certificate with my CA, like openssl:

openssl x509 -req -in servwiki.csr -out servwiki.crt -CA ca.crt -CAkey ca.key

I use the function csr.sign(keys.privateKey) and I get (it is still a certificate signing request):

-----BEGIN CERTIFICATE REQUEST-----
....
....
-----END CERTIFICATE REQUEST-----

Is it possible to do it with forge?

@dlongley
Member

Hi @gh0st76,

> First, I want to thank you for your implementation of TLS, it's very useful.

Thanks!

> i was wondering if it is possible to transform a *.csr to a signed certificate with my CA, like openssl:

Yes, you can do this with forge. We need to add some better examples of this to the README, but the comment below should give you some details to get you started:

#57 (comment)

You should really only need to do the second half of the code there (starting with the comment "verify certification request"). Namely, verify the CSR and then use its subject and public key in a certificate that you generate and sign with your CA private key. When you're done you can export to PEM (you likely don't need the PKCS#12 stuff from the example) by just calling forge.pki.certificateToPem on the generated certificate.

@ghost
Author

ghost commented Jul 28, 2014

Thank you for your reply,

When I try the following code:

var forge = require('node-forge');
var fs = require('fs');

// Read CSR
var csrPem = fs.readFileSync(app.get('base_directory') + "CA/csrs/8edcf9b424c90ba6442db06f884550e3.csr", 'utf8');
var csr = forge.pki.certificationRequestFromPem(csrPem);

// Read CA cert and key
var caCertPem = fs.readFileSync(app.get('base_directory') + "CA/certs/ca.pem", 'utf8');
var caKeyPem = fs.readFileSync(app.get('base_directory') + "CA/keys/ca.pem", 'utf8');
var caCert = forge.pki.certificateFromPem(caCertPem);
var caKey = forge.pki.privateKeyFromPem(caKeyPem);


if (csr.verify()) {
    console.log('Certification request (CSR) verified.');
} else {
    throw new Error('Signature not verified.');
}


console.log('Creating certificate...');
var cert = forge.pki.createCertificate();
cert.serialNumber = '02';

cert.validity.notBefore = new Date();
cert.validity.notAfter = new Date();
cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);

/***************************************/
//Error here ??

cert.setSubject(csr.subject);

console.log(csr.subject);
console.log(cert.subject);

cert.setIssuer(caCert.subject);

/***************************************/

cert.setExtensions([{
    name: 'basicConstraints',
    cA: true
}, {
    name: 'keyUsage',
    keyCertSign: true,
    digitalSignature: true,
    nonRepudiation: true,
    keyEncipherment: true,
    dataEncipherment: true
}, {
    name: 'subjectAltName',
    altNames: [{
        type: 6, // URI
        value: 'http://example.org/webid#me'
    }]
}]);

cert.publicKey = csr.publicKey;


cert.sign(caKey);
console.log('Certificate created.');

console.log('\nWriting Certificate');

fs.writeFileSync(app.get('base_directory') + "CA/certs/test.pem", forge.pki.certificateToPem(cert));

I get this certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Jul 28 15:49:21 2014 GMT
            Not After : Jul 28 15:49:21 2015 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:72:f6:72:68:67:5f:55:bd:79:e9:68:96:9e:
                    54:73:aa:c4:dd:c0:4d:2f:42:a5:f2:f4:f1:88:a0:
                    c8:0c:73:a3:41:77:31:e3:bc:48:0c:b7:9f:e2:06:
                    48:53:64:bf:56:27:25:8d:f5:23:d6:53:25:05:03:
                    b2:ba:41:d7:d2:d6:b2:e8:da:de:1c:90:89:b1:36:
                    23:d6:f8:69:51:64:2e:5b:6f:76:ea:40:3a:f2:ad:
                    41:f2:88:2e:12:2f:6f:bc:dd:ab:67:92:8a:76:6b:
                    fb:dc:b8:5c:93:91:71:71:56:01:a3:dc:ac:1b:d8:
                    63:66:d5:41:43:a4:2f:b3:c8:72:59:b5:4f:21:60:
                    07:93:f0:92:a3:43:77:b2:bc:8b:ec:f5:cb:58:52:
                    7c:f2:f8:de:83:4f:f1:98:54:ca:72:b6:d3:19:95:
                    6c:c5:94:3e:c2:23:66:58:04:9a:ad:cd:25:fc:af:
                    4f:9e:10:bc:6c:7c:48:66:85:1c:63:d2:0e:59:4c:
                    13:07:ad:4e:38:41:ba:41:02:2e:c0:aa:79:dd:46:
                    0e:7f:19:d5:ce:8f:bd:90:93:9e:f1:f4:d5:67:4c:
                    63:97:43:bc:9c:72:20:7b:70:eb:2f:8a:4f:99:a0:
                    69:14:93:c5:a8:04:2b:73:e0:b4:1f:eb:f2:1a:86:
                    80:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
            X509v3 Subject Alternative Name: 
                URI:http://example.org/webid#me
    Signature Algorithm: sha1WithRSAEncryption
         08:71:09:63:e6:fd:bd:56:c1:d4:4c:fc:3c:cf:13:35:bf:8e:
         d5:1e:3d:aa:f1:d1:7b:a1:0a:6a:8c:06:c6:94:f3:6a:18:f1:
         4f:d4:e6:2c:22:5b:38:7c:27:14:ab:83:49:8d:7e:29:30:f7:
         29:f1:fe:ab:67:d4:dd:76:43:0c:fd:82:75:ff:9a:eb:cc:80:
         2c:91:f0:d2:0b:e2:0d:08:e0:3b:b2:61:a0:01:49:88:00:2d:
         65:3b:a8:01:1f:11:13:ef:85:40:a0:c5:07:5d:12:74:3f:40:
         8d:18:20:77:c7:a2:44:2c:43:36:ed:71:47:d3:8e:5a:f2:3e:
         ca:26:f9:4a:6e:33:e5:70:aa:34:62:d5:af:39:b3:4e:14:f1:
         31:c9:dd:2e:e6:fb:8a:c0:30:f4:70:6d:8a:ef:a5:92:39:1e:
         92:0b:c1:a1:b0:70:31:80:21:bb:1d:6f:ed:5c:7b:bb:86:28:
         e5:d3:33:f1:38:91:de:aa:6c:1d:3e:a1:e5:c9:df:3b:b9:06:
         5f:14:96:39:ac:05:58:1b:ab:08:98:45:2a:67:f9:d9:73:67:
         31:cf:cc:b0:48:dd:f1:8a:68:53:39:97:35:d9:34:3c:d7:8f:
         72:9f:e1:78:5b:ad:65:5f:53:47:24:33:5c:b5:9c:2b:7d:95:
         65:62:56:b0

As you can see, there is no Subject or Issuer in it.

Is there an error in my code?

@dlongley
Member

Sorry, @gh0st76, there was an error in that comment that was later corrected in this comment:

#57 (comment)

I edited the first comment to apply the fix there so others following the link won't run into the same issue. All you need to do is access the attributes property when using the csr.subject and caCert.subject values ... the change looks like this:

// subject from CSR
cert.setSubject(csr.subject.attributes);
// issuer from CA
cert.setIssuer(caCert.subject.attributes);

@ghost
Author

ghost commented Jul 29, 2014

Thanks a lot for your help.

@dlongley
Member

Sure! If you got it working, you may go ahead and close this issue.
