Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- ##::[[--- Windows OpenSSL Config ---]]::##
- #####################################################################
- ##----- Notes -----##
- #####################################################################
- # All commands required can be found beginning on line 430
- # BSD/Linux/Mac users:
- # Replace all single/double backslashes with forward slashes. You may also wish to utilize lowercase only,
- # and if utilizing spaces in names, ensure utilization of proper break format, i.e. './Sophos\ UTM\ CA.crt'
- # Ensure EOLs are LF, not CRLF
- # Windows uses CRLF, UNIX utilizes LF
- # Sophos users:
- # If not using SANs, prior to generating user certs, ensure 'x509_extensions = usr_cert_not_dn'
- # This results with 'RFC822 Name = user@email.com' in the SubjectAlternativeName of the certificate.
- # Without this, it will be impossible to authenticate to VPNs on Sophos.
- # Intermediate CAs & Intermediate CA client certs CANNOT be utilized on Sophos UTM due to how Sophos authenticates.
- # Only exception is the WebAdmin certificate, which can be signed by a Public ICA authority for a FQDN.
- # For chain of trust to be maintained, CA & ICA must be installed on devices accessing the WebAdmin/User Portal.
- #####################################################################
- ##----- Establish Build Variables -----##
- #####################################################################
- dir = .
- cnf = /etc/ssl/openssl.cnf
- CNF = $dir\\openssl.cnf
- #####################################################################
- ##----- Establish CA Profile and Policy -----##
- #####################################################################
- [ default ]
- UTM = "Sophos UTM CA"
- WRT = "Router 2 ICA"
- VPN = "Router 2 VPN ICA"
- [ ca ]
- default_ca = CA_default
- #####################################################################
- [ CA_default ]
- certs = $dir\\cert
- new_certs_dir = $dir
- database = $dir\\index
- RANDFILE = $dir\\rand
- serial = $dir\\serial
- crldir = $dir\\crl
- crlnumber = $crldir\\crlnumber
- crl = $crldir\\ca.crl.pem
- default_crl_days = 3650
- certificate = "$dir\\ca\\$UTM.crt.pem"
- private_key = "$dir\\ca\\$UTM.key.pem"
- default_days = 3650
- preserve = no
- default_md = sha512
- x509_extensions = usr_cert_not_dn
- copy_extensions = copy
- unique_subject = yes
- policy = policy_match
- name_opt = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
- cert_opt = ca_default
- #####################################################################
- [ policy_match ]
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = match
- commonName = supplied
- emailAddress = optional
- [ policy_supply ]
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = match
- commonName = optional
- emailAddress = optional
- #####################################################################
- ##----- Establish Certificate Options -----#
- #--------------------------------------------------------------------
- # If you plan on using TLS ECDHE or ECDH, the bits and hash must exceed the value you wish to have.
- # For example, if one wants 2048bit encryption with a SHA256 hash, encryption value must be
- # greater than 2048 (3072 or 4096) with a hash greater than SHA256 (SHA384 or SHA512).
- # x64 machines can almost always process SHA512 faster than SHA256.
- # If you're not planning on using TLS ECDHE or ECDH, a key larger than 2048bit isn't necessary.
- # Encrypt key is not currently commmented out; however, as one does not want a server's key to have
- # an encrypted password, when creating the key for the server, add -nodes to the Request command.
- [ req ]
- default_bits = 2048
- default_keyfile = private.key.pem
- preserve = no
- default_md = sha512
- string_mask = utf8only
- utf8 = yes
- distinguished_name = req_distinguished_name
- attributes = req_attributes
- req_extensions = v3_req
- x509_extensions = v3_ca
- copy_extensions = copy
- encrypt_key = yes
- [ req_attributes ]
- challengePassword =
- challengePassword_min = 12
- challengePassword_max = 40
- #####################################################################
- [ req_distinguished_name ]
- countryName = Country
- countryName_max = 2
- stateOrProvinceName = State
- localityName = Locality
- 0.organizationName = Organization
- organizationalUnitName = Organizational Unit
- commonName = Common Name
- commonName_max = 64
- emailAddres = Email
- emailAddress_max = 64
- countryName_default = xx
- stateOrProvinceName_default = State
- localityName_default = Locality
- 0.organizationName_default = Sophos UTM
- organizationalUnitName_default = LAN
- #####################################################################
- ##----- Establish SubjectAltName (SAN) Profiles -----##
- #####################################################################
- # All server certs with WebUIs should have their loopback IP specified in their SAN profile
- # This prevents certificate errors if connecting to the device, router, or server via an SSH tunnel
- # Certain OS CA certs must have the loopback IP specified in SAN profile (i.e. Sophos UTM's CA)
- # Provided one utilizes the SAN profile, Common Names can be whatever one wishes (i.e. not the DNS or IP)
- # SANs can be: email (an email address), URI (a uniform resource indicator), DNS (a DNS domain name),
- # RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name), and otherName.
- #--------------------------------------------------------------------
- ##----- Certificate Authorities -----##
- #--------------------------------------------------------------------
- # Main #
- [ alt_ca_main ]
- DNS.1 = Router.1
- IP.1 = 127.0.0.1
- # Router 2 #
- [ alt_ica_router2 ]
- DNS.1 = Router.2
- IP.1 = 127.0.0.1
- # Code Signing #
- [ alt_signing_ica ]
- DNS.1 = Code-Signing
- #--------------------------------------------------------------------
- ##----- Certificate Authority Clients -----##
- #--------------------------------------------------------------------
- # Main #
- # Servers #
- [ alt_sophos ]
- IP.1 = 192.168.2.1
- IP.2 = 127.0.0.1
- DNS.1 = UTM.LEDE
- DNS.2 = your.ddns.com
- [ alt_freenas ]
- IP.1 = 192.168.2.13
- IP.2 = 192.168.2.130
- IP.3 = 127.0.0.1
- DNS.1 = Free.LEDE
- DNS.2 = your-fqdn.com
- [ alt_vpn_server1 ]
- IP.1 = 10.0.0.1
- DNS.1 = your.ddns.com
- # Clients #
- [ alt_vpn1_user1 ]
- email.1 = user1@email.com
- DNS.1 = VPN1-Client1-Device-Hostname1
- DNS.2 = VPN1-Client1-Device-Hostname2
- #--------------------------------------------------------------------
- ##----- Intermediate Certificate Authority Clients -----##
- #--------------------------------------------------------------------
- # Router 2 #
- # Servers #
- [ alt_lede ]
- IP.1 = 192.168.2.2
- IP.2 = 127.0.0.1
- DNS.1 = LAN.LEDE
- [ alt_vpn_server2 ]
- IP.1 = 10.0.1.1
- DNS.1 = your.ddns.com
- # Clients #
- [ alt_vpn2_user1 ]
- DNS.1 = VPNserver-Client1-Device-Hostname
- email.1 = user1@email.com
- [ alt_vpn2_user2 ]
- DNS.1 = VPN2-Client2-Device-Hostname1
- DNS.2 = VPN2-Client2-Device-Hostname2
- email.1 = user2@email.com
- # Code Signing #
- # Cert1 #
- [ alt_codesign ]
- email.1 = user@email.com
- #####################################################################
- ##----- Establish Certificate Authority V3 Profiles -----##
- #--------------------------------------------------------------------
- # These V3 CA profiles must not be modified to contain any more, or any less, KUs
- # These have been configured specifically for security & its imperative no other keyUsages are set
- # For an ICA to be capable of signing additional CAs/ICAs, pathlen number must mirror number of CAs/ICAs
- # it can sign. By default, all ICAs are set to 0, meaning they can sign certs, but not other CAs/ICAs.
- [ v3_ca ]
- basicConstraints = critical, CA:TRUE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- subjectAltName = @alt_ca_main
- keyUsage = critical, cRLSign, digitalSignature, keyCertSign
- [ v3_ica_router2 ]
- basicConstraints = critical, CA:TRUE, pathlen:0
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- subjectAltName = @alt_ica_router2
- keyUsage = critical, cRLSign, digitalSignature, keyCertSign
- [ v3_signing_ica ]
- basicConstraints = critical, CA:TRUE, pathlen:0
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, cRLSign, digitalSignature, keyCertSign
- subjectAltName = @alt_signing_ica
- [ crl_ext ]
- issuerAltName = issuer:copy
- authorityKeyIdentifier = keyid:always, issuer:always
- #####################################################################
- ##----- Establish Generalized V3 Certificate Profiles -----##
- #--------------------------------------------------------------------
- [ v3_req ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- [ usr_cert_dn ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = critical, clientAuth, emailProtection
- [ usr_cert_not_dn ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- subjectAltName = email:copy
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = critical, clientAuth, emailProtection
- #####################################################################
- ##----- Establish Client Certificate V3 Profiles -----##
- #--------------------------------------------------------------------
- # These V3 profiles should not be modified to contain less than what they are currently configured with.
- # These have been specifically configured with security in mind.
- # All servers capable of TLS should contain all keyUsages, except for dataEncipherment
- # VPN and file servers should not have less than digitalSignature, keyEncipherment, keyAgreement
- # All servers must contain EKU serverAuth
- # All server [VPN] clients must contain EKU clientAuth
- #--------------------------------------------------------------------
- ##----- Certificate Authority Clients -----##
- #--------------------------------------------------------------------
- # Main #
- # Servers #
- [ v3_sophos ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = critical, serverAuth
- subjectAltName = @alt_sophos
- [ v3_freenas ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = critical, serverAuth
- subjectAltName = @alt_freenas
- [ v3_vpn_server1 ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = critical, serverAuth
- subjectAltName = @alt_vpn_server1
- # Clients #
- [ v3_vpn1_user1 ]
- basicConstraints = critical,CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = critical, clientAuth
- subjectAltName = @alt_vpn1_user1
- #--------------------------------------------------------------------
- ##----- Intermediate Certificate Authority Clients -----##
- #--------------------------------------------------------------------
- # Router 2 #
- # Servers #
- [ v3_lede ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = critical, serverAuth
- subjectAltName = @alt_lede
- [ v3_vpn_server2 ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage = critical, serverAuth
- subjectAltName = @alt_vpn_server2
- # Clients #
- [ v3_vpn2_user1 ]
- basicConstraints = critical,CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = critical, clientAuth
- subjectAltName = @alt_vpn2_user1
- [ v3_vpn2_user2 ]
- basicConstraints = critical,CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
- extendedKeyUsage = critical, clientAuth
- subjectAltName = @alt_vpn2_user2
- # Code Signing #
- # Certificates #
- [ v3_codesign ]
- basicConstraints = critical, CA:FALSE
- subjectKeyIdentifier = hash
- authorityKeyIdentifier = keyid:always, issuer:always
- keyUsage = critical, nonRepudiation, digitalSignature
- extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, mcCTLSign, timeStamping
- subjectAltName = @alt_codesign
- #####################################################################
- #--------------------------------------------------------------------
- ##----- OpenSSL Commands -----##
- #--------------------------------------------------------------------
- #####################################################################
- # Prerequisistes:
- # 1. Create 'serial' file: echo 00 > serial
- # This file maintains the serial for the most recent cert, in order to know what serial to next assign.
- # Serial is in hex, not dec[imal] format, & one can choose whichever number one wishes to start at.
- # 2. Create 'crlnumber' file: mkdir crl && echo 01 > crl\crlnumber
- # This file maintains the current serial for the CRL [Certificate Revocation List] certificate
- # A CRL should be generated, but will not be used until one revokes a certificate via one's CA or ICA
- # 3. Create 'index' file (leave blank): echo > index
- # This file maintains an index of all certificates issued and is covered under the Index Section below
- # Maintains a record of all certs issued, and is extremely important if one has revoked a certificate.
- # 4. Create 'rand' file (leave blank): echo > rand
- # File is utilized by for random characters & is querried by openssl during certificate/key creation.
- # ENCRYPT_KEY [Establish Certificate Options] is not currently commented out; Server cert keys should not
- # be created with encryption, so add the additional command option to key creation: -nodes
- # Encrypting a server key will result in the server requiring the passkey every time it's started/restarted;
- # in other words, a massive inconvenience, and potentially destrimental.
- # Provided you utilize the SubjectAltName (SAN) section [highly recommended], the Common Name is not required
- # to be the IP/DNS/FQDN, and can be whatever name you wish it to be
- #####################################################################
- #--------------------------------------------------------------------
- #####################################################################
- # For VPN Server certs:
- # When creating a VPN server cert using 'extendedKeyUsage = serverAuth', in your VPN client config you must
- # change "remote-cert-tls server" to "remote-cert-eku 'TLS Web Server Authentication'" ( see https://www.v13.gr/blog/?p=386 )
- # For BSD/*nix OSes:
- # Certificates should have 644 permissions
- # chmod 644 ./certificate.crt.pem
- # Keys should have 600 permissions
- # chmod 600 ./certificate.key
- #--------------------------------------------------------------------
- ## ----- Certificate Authority ----- ##
- #--------------------------------------------------------------------
- # Generate CA:
- # CA key should have a secure password of at least 20 characters, containing at least:
- # 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols
- # Request:
- # openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout CA.key.pem -out CA.crt.pem -config .\openssl.cnf -extensions v3_ca
- # Generate CA CRL Cert:
- # openssl ca -gencrl -keyfile CA.key.pem -cert CA.crt.pem -out CA.crl.pem -config .\openssl.cnf
- # Convert CA CRL Cert to DER CRL:
- # openssl crl -inform PEM -in '.\CA.crl.pem' -outform DER -out '.\CA.crl'
- #--------------------------------------------------------------------
- ## ----- Intermediate Certificate Authority ----- ##
- #--------------------------------------------------------------------
- # Gernerate Intermediate CA:
- # Intermediate CA key should have a secure password of at least 20 characters, containing at least:
- # 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols
- # Request:
- # openssl req -out '.\VPN-ICA.csr' -new -days 3650 -sha512 -newkey rsa:4096 -keyout VPN-ICA.key -config .\openssl.cnf -extensions v3_intermediate_ca
- # Sign Intermediate CA with CA:
- # openssl x509 -req -sha512 -days 3650 -in '.\VPN-ICA.csr' -CA CA.crt.pem -CAkey CA.key -CAserial .\serial -out VPN-ICA.crt.pem -extfile .\openssl.cnf -extensions v3_intermediate_ca
- # Generate Intermediate CA CRL Cert:
- # openssl ca -config .\openssl.cnf -gencrl -keyfile VPN-ICA.key -cert VPN-ICA.crt.pem -out '.\VPN-ICA.crl.pem'
- # Convert Intermediate CA CRL Cert to DER CRL:
- # openssl crl -inform PEM -in '.\VPN-ICA.crl.pem' -outform DER -out '.\VPN-ICA.crl'
- #--------------------------------------------------------------------
- # Create Concatenated CA - Intermediate CA Certificate Chain:
- # Windows:
- # cmd /c type '.\Router 2 ICA.crt.pem' '.\Sophos UTM CA.crt.pem' > '.\Sophos VPN CA Chain.pem'
- # Linux/BSD:
- # cat './Router 2 ICA.crt.pem' './Sophos UTM CA.crt.pem' > './Sophos VPN CA Chain.pem'
- #--------------------------------------------------------------------
- # Export VPN Client with an Intermediate CA:
- # openssl pkcs12 -export -out '.\VPN Client1.p12' -inkey '.\VPN Client1.key.pem' -in '.\VPN Client1.crt.pem' -certfile '.\Sophos VPN CA Chain.crt.pem'
- # The Intermediate CA is still used to sign the certs it issues, however, the CA - Intermediate CA chain cert must
- # be exported with the client cert & key to maintain the chain of trust of Certificate -> Intermediate CA -> CA.
- # The certificate path of the client cert should show a hierarchy of CA -> Intermediate CA -> Client.
- #--------------------------------------------------------------------
- ## ----- Client Certificate ----- ##
- #--------------------------------------------------------------------
- # For Server certs, add to end of the Request command: -nodes
- # If a server cert is created with an encrypted key, one will need to manually type in the encryption password
- # whenever starting or restarting the server (inconvenient and impractical for VPN and Web Servers).
- # Request:
- # openssl req -out '.\NextCloud.csr' -new -days 3650 -sha512 -newkey rsa:3072 -keyout '.\NextCloud.key.pem' -config .\openssl.cnf -extensions v3_nextcloud -nodes
- # With multiple common names:
- # openssl req -out '.\Sophos-UTM-VPN-client.csr' -new -days 3650 -sha512 -newkey rsa:3072 \
- # -subj '/C=US/ST=ST/L=Locality/O=Sophos UTM/OU=LAN/CN=UserName/CN=User.Name/CN=User_Name/emailAddress=whatever@whichever.com' \
- # -keyout '.\Sophos-UTM-VPN-client.key.pem' -config .\openssl.cnf -extensions v3_vpn_client
- # Sign:
- # openssl x509 -req -sha512 -days 3650 -in '.\WRT1900ac.csr' -CA '.\Sophos UTM CA.crt.pem' -CAkey '.\Sophos UTM CA.key.pem' -CAserial .\serial -out '.\crt\WRT1900ac.crt.pem' -extfile .\openssl.cnf -extensions v3_nextcloud
- # Export:
- # openssl pkcs12 -export -out '.\NextCloud.p12' -inkey '.\NextCloud.key.pem' -in '.\NextCloud.crt.pem' -certfile CA.crt.pem
- #--------------------------------------------------------------------
- ## ----- Verification of Certificates ----- ##
- #--------------------------------------------------------------------
- # Verify Certificate Signing Request (CSR):
- # openssl req -text -noout -verify -in CSR.csr
- # Verify Private Key:
- # openssl rsa -check -in private.key
- # Verify Certificate:
- # openssl x509 -text -noout -in certificate.crt
- # Verify PKCS12 Certificate [.pfx/.p12]:
- # openssl pkcs12 -info -in certificate.p12
- #--------------------------------------------------------------------
- ## ----- Intermediate CA Android Build Certificates ----- ##
- #--------------------------------------------------------------------
- # This will apply to the following six certificates: media, platform, releasekeys, shared, superuser, testkey
- # the following steps will need to be repeated for each of the six
- # Generate Individual intermediate Build CA Request:
- # openssl req -out '.\media.csr' -new -days 3650 -sha512 -config .\openssl.cnf -extensions v3_intermediate_ca -newkey rsa:4096f4 -ouform PEM -keyout '.\media.key.pem'
- # Convert PEM key to PK8:
- # openssl pkcs8 -in media.key.pem -topk8 -outform DER -out media.pk8 -nocrypt
- # Sign Individual intermediate Build CA Request:
- # openssl x509 -req -sha512 -days 3650 -in '.\media.csr' -CA CA.crt.pem -CAkey CA.key -CAserial .\serial -out '.\media.x509.pem' -extfile .\openssl.cnf -extensions v3_intermediate_ca
- # Generate Individual intermediate Build CA CRL Cert:
- # openssl ca -config .\openssl.cnf -gencrl -keyfile '.\media.key.pem' -cert '.\media.x509.pem' -out '.\media.crl.pem' -extfile '.\openssl.cnf' -extensions crl_ext
- # Convert Individual intermediate Build CA CRL Cert to DER crl:
- # openssl crl -inform PEM -in '.\media.crl.pem' -outform DER -out '.\media.crl'
- #--------------------------------------------------------------------
- # Concatenated Intermediate Build CA - CA PEM Certificate:
- # Windows:
- # cmd /c type 'media.x509.pem' 'Sophos UTM CA.crt.pem' > 'Android-Media-CA-Chain.pem'
- # Linux/BSD:
- # cat './media.x509.pem' './Sophos UTM CA.crt.pem' > './Android-Media-CA-Chain.pem'
- #--------------------------------------------------------------------
- # Create PKCS12 for Import into Keystore:
- # openssl pkcs12 -export -out .\media.p12 -inkey .\media.key.pem -in .\media.x509.pem -certfile '.\Android-Media-CA-Chain.pem' -password pass:media -name media
- # The Intermediate CA is still used to sign packages/images, however, the CA - Intermediate CA chain cert
- # must be exported with the client cert & key to maintain the certificate chain of trust of: Package/Image -> Intermediate CA -> CA
- # Copy the following files into your build directory (location will vary depending on ROM):
- # For each of the six: *.x509.pem, *.pk8, Android-*-CA-Chain.pem, *.p12
- # i.e. media.x509.pem, media.pk8, Android-Media-CA-Chain.pem, media.p12
- # One example of how to import into keystore prior to build:
- # Source: http://stackoverflow.com/questions/22212869/how-can-i-generate-an-android-keystore-from-a-key-pk8-and-certificate-pem
- # keytool -importkeystore -deststorepass password -destkeystore .keystore -srckeystore media.p12 -srcstoretype PKCS12 -srcstorepass media
- # keytool -list -v -keystore .keystore
- #####################################################################
- #--------------------------------------------------------------------
- #####################################################################
- ##---- Index File -----##
- #--------------------------------------------------------------------
- # If you wish to maintain the index file automatically, you'll need to use 'openssl ca' to sign certs.
- # You can manually maintain the index file, by inputting 1 cert entry per line in the following format:
- # V 261231235959Z 0a unknown /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
- # 1 2-----------> 3-> 4-> 5-----> 6--------------------------------------------------------------------------------------------------->
- # 1. Status of Certificate:
- # V [Valid] R [Revoked] E [Expired]
- # 2. Expiration Date:
- # Format: YYMMDDHHMMSS followed by 'Z': 2026.12.31 @ 23:59:59
- # 3. Revocation Date [Format: YYMMDDHHMMSSZ,reason]
- # Certain distros error out without a whitespace for 3 in the index file
- # Empty if not revoked, otherwise valid reasons are:
- # keyCompromise
- # CACompromise
- # affiliationChanged
- # superseded
- # cessationOfOperation
- # certificateHold
- # privilegeWithdrawn
- # AACompromise
- # 4. Serial number in hex format: 0a is hex for 10
- # Windows:
- # Calculator has programmer feature which can convert dec <-> hex
- # Linux/BSD:
- # cli hex -> dec:
- # printf '%d\n' 0x0a [returns 10]
- # cli dec -> hex:
- # printf '%x\n' 10 [returns 0a]
- # 5. Certificate Filename or Literal String
- # Certificate filename or literal string 'unknown'
- # 6. Distinguished Name
- #--------------------------------------------------------------------
- #####################################################################
- ##----- Key Usage -----##
- #--------------------------------------------------------------------
- # !!! CA / ICA ONLY !!! #
- #--------------------------------------------------------------------
- # These extensions MUST ONLY be used for CA / ICA certificates
- # cRLSign:
- # Is asserted when subject public key is used for verifying signatures on certificate revocation lists.
- # keyCertSign:
- # Is asserted when subject public key is used for verifying signatures on public key certificates.
- # If keyCertSign is asserted, the CA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.
- # All #
- #--------------------------------------------------------------------
- # digitalSignature:
- # Certificates with this flag set can be used to apply a digital signature. Digital signatures are often used for entity
- # authentication and data origin authentication with integrity.
- # Is asserted when subject public key is used for verifying digital signatures, other than signatures on certificates
- # (bit 5) and CRLs (bit 6).
- # nonRepudiation:
- # Certificates with this flag set can be used to sign data as above but the certificate public key may be used to provide
- # non-repudiation services preventing the signing entity from falsely denying some action.
- # Is asserted when subject public key is used to verify digital signatures, other than signatures on certificates (bit 5)
- # and CRLs (bit 6).
- # NOTE: Recent editions of X.509 have renamed the nonRepudiation bit to contentCommitment.
- # keyEncipherment:
- # Certificates with this flag set may be used by the subject to encrypt a symmetric key which is then transferred to the
- # target, decrypted, and subsequently used to encrypt and decrypt data sent between the two entities.
- # Is asserted when subject public key is used for enciphering private or secret keys when an RSA public key is to be
- # used for encrypting a symmetric content-decryption key or an asymmetric private key.
- # dataEncipherment:
- # Certificates with this flag set can be used by the subject to encrypt and decrypt actual application data.
- # Is asserted when subject public key is used for directly enciphering raw user data without the use of an intermediate
- # symmetric cipher.
- # NOTE: Use of this bit extremely uncommon; all applications use key transport / key agreement to establish a symmetric key.
- # keyAgreement:
- # Certificates with this flag set enable the subject to use a key agreement protocol, such as Diffie-Hellman, to establish
- # a symmetric key with a target that may then be used to encrypt and decrypt data sent between the two entities
- # Is asserted when subject public key is used for key agreement (i.e. when a Diffie-Hellman key is used for key management).
- # encipherOnly:
- # Undefined in the absence of the keyAgreement bit (keyAgreement is required).
- # Public key used only for enciphering data while performing key agreement.
- # When encipherOnly is asserted AND keyAgreement also set, subject public key may be used ONLY for enciphering data while
- # performing key agreement.
- # decipherOnly:
- # Undefined in the absence of the keyAgreement bit (keyAgreement is required).
- # Public key used only for deciphering data while performing key agreement.
- # When decipherOnly is asserted AND keyAgreement is also set, subject public key may be used ONLY for deciphering data
- # while performing key agreement.
- #--------------------------------------------------------------------
- ##----- RFC 5280 4.2.1.3 -----##
- #--------------------------------------------------------------------
- # https://tools.ietf.org/html/rfc5280
- # id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
- # KeyUsage ::= BIT STRING {
- # digitalSignature (0),
- # nonRepudiation (1),
- # NOTE: Recent editions of X.509 have renamed this bit to contentCommitment
- # keyEncipherment (2),
- # dataEncipherment (3),
- # keyAgreement (4),
- # keyCertSign (5),
- # cRLSign (6),
- # encipherOnly (7),
- # decipherOnly (8) }
- #--------------------------------------------------------------------
- #####################################################################
- ##----- Extended Key Usage -----##
- #--------------------------------------------------------------------
- # serverAuth:
- # SSL/TLS Web/VPN Server authentication EKU which is assigned to a server and distinguishes them as a server for which
- # options, clients can authenticate against. All VPN servers should be signed with this EKU present.
- # This supercedes nscertype as the 'ns' in nscertype stands for NetScape [browser], which hasn't existed for some time.
- # clientAuth:
- # SSL/TLS Web/VPN Client authentication EKU which is assigned to a server client, and distinguishes them as a client only.
- # All VPN clients MUST be signed with this EKU present.
- # codeSigning:
- # Code Signing... self explanatory
- # emailProtection:
- # Email Protection via S/MIME, allows you to send and receive encrypted emails
- # timeStamping:
- # Trusted Timestamping... self explanatory
- # OCSPSigning:
- # OCSP Signing... self explanatory
- # ipsecIKE:
- # IPSec Internet Key Exchange, of which I believe is in the same boat as the three below; however, some research needs
- # to be Performed to determine if this EKU should also no longer be utilized.
- # clientAuth can be utilized in a IPSec VPN client cert.
- # ipsecEndSystem, ipsecTunnel, & ipsecUser:
- # !!! SHOULD NOT BE UTILIZED !!!
- # There were three IPsec-related object identifiers in EKU that were assigned in 1999, and the semantics of these
- # values were never clearly defined. The use of these three EKU values in IKE/IPsec is obsolete and explicitly
- # deprecated by this specification. CAs SHOULD NOT issue certificates for use in IKE with them.
- # msCodeInd:
- # Microsoft Individual Code Signing (authenticode)... self explanatory
- # msCodeCom:
- # Microsoft Commerical Code Signing (authenticode)... self explanatory
- # mcCTLSign:
- # Microsoft Trust List Signing... self explanatory
- # msEFS:
- # Microsoft Encrypted File System... self explanatory
- #--------------------------------------------------------------------
- ##----- RFC 5280 4.2.1.12 -----##
- #--------------------------------------------------------------------
- # https://tools.ietf.org/html/rfc5280
- # anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
- # id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
- # id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
- # TLS WWW server authentication:
- # Key usage bits that may be consistent:
- # digitalSignature, keyEncipherment or keyAgreement
- # id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
- # TLS WWW client authentication:
- # Key usage bits that may be consistent:
- # digitalSignature and/or keyAgreement
- # id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
- # Signing of downloadable executable code
- # Key usage bits that may be consistent:
- # digitalSignature
- # id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
- # Email protection:
- # Key usage bits that may be consistent:
- # digitalSignature, nonRepudiation, and/or (keyEncipherment or keyAgreement)
- # id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
- # Binding the hash of an object to a time
- # Key usage bits that may be consistent:
- # digitalSignature and/or nonRepudiation
- # id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
- # Signing OCSP responses:
- # Key usage bits that may be consistent:
- # digitalSignature and/or nonRepudiation
- #--------------------------------------------------------------------
- #####################################################################
- ##----- Key Exchange Algorithms -----##
- #--------------------------------------------------------------------
- # RSA:
- # Key exchange occurs via encryption of a random value [chosen by the client] via the server public key. This requires the
- # server public key to be an RSA key, and the server certificate must utilize the 'keyAgreement' keyUsage extension).
- # DH_RSA:
- # Key exchange occurs via a static Diffie-Hellman key. Server Public Key must be a Diffie-Hellman key, of which must have
- # been issued by a CA that was using an RSA key signing key.
- # DH_DSA:
- # Like DH_RSA, except that the CA used a DSA key in lieu of RSA.
- # DHE_RSA:
- # Key exchange occurs via an ephemeral Diffie-Hellman; the server dynamically generates & signs a DH public key, sending it to
- # the client. Server Public Key must be an RSA key, and it's certificate must utilize the digitalSignature keyUsage extension
- # DHE_DSA:
- # Like DHE_RSA, except that the CA used a DSA key in lieu of RSA.
- #--------------------------------------------------------------------
- #####################################################################
- ##----- Elliptic-Curve Key Exchange Algorithms -----##
- #--------------------------------------------------------------------
- # ECDH_ECDSA:
- # Like DH_DSA, but with elliptic curves: the server public key must be an ECDH key, with a certificate issued by a CA
- # which utilized an ECDSA public key.
- # ECDH_RSA:
- # Like ECDH_ECDSA, except that the CA used an RSA key
- # ECDHE_ECDSA:
- # The server sends a dynamically generated EC Diffie-Hellman key and signs it with its own ECDSA key. This is equivalent
- # to DHE_DSS, but with elliptic curves for both the Diffie-Hellman and signature.
- # ECDHE_RSA:
- # Like ECDHE_ECDSA, except that the server public key is an RSA key, utilized for signing the ephemeral elliptic-curve
- # Diffie-Hellman key.
- #--------------------------------------------------------------------
- #####################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement