# Certificate Generation and Signing examples To test the certgen or csr_example example(s) configure wolfssl with `./configure --enable-certgen --enable-certreq --enable-keygen` or add the defines: ``` #define WOLFSSL_CERT_REQ #define WOLFSSL_CERT_GEN #define WOLFSSL_KEY_GEN ``` To test the csr_w_ed25519_example configure wolfssl with: `./configure --enable-certgen --enable-certreq --enable-ed25519 --enable-keygen` or add the defines: ``` #define WOLFSSL_CERT_REQ #define WOLFSSL_CERT_GEN #define HAVE_ED25519 #define WOLFSSL_KEY_GEN ``` To build use `make`. To cleanup use `make clean`. If having issues building please check comments in the Makefile for setting up your environment ## Certificate Generation Example To run the test do: ``` ./certgen_example Loading CA certificate Successfully read 666 bytes from ./ca-ecc-cert.der Loading the CA key Successfully read 121 bytes from ./ca-ecc-key.der Decoding the CA private key Successfully loaded CA Key Generating a new ECC key Successfully created new ECC key Setting new cert issuer to subject of signer Make Cert returned 490 Signed Cert returned 581 Successfully created new certificate Writing newly generated DER certificate to file "./newCert.der" Successfully output 581 bytes Convert the DER cert to PEM formatted cert Resulting PEM buffer is 843 bytes Successfully converted the DER to PEM to "./newCert.pem" Tests passed ``` You should see the following output when the cert is converted to human readable format. ``` openssl x509 -inform pem -in newCert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 81179639550048334 (0x1206873ba5ff84e) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity Not Before: Jul 17 15:53:18 2017 GMT Not After : Nov 30 14:53:18 2018 GMT Subject: C=US, ST=MT, L=Bozeman, O=yourOrgNameHere, OU=yourUnitNameHere, CN=www.yourDomain.com/emailAddress=yourEmail@yourDomain.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:15:62:0f:87:13:01:97:65:5c:62:a7:1c:92:bc: 61:df:24:52:ed:49:89:a1:ed:42:86:ad:dd:bf:1c: a8:35:d3:9d:2c:29:12:cb:ce:05:bd:40:0b:24:f3: d7:e0:61:f2:69:51:2a:20:b3:34:13:33:e7:69:b8: d9:81:19:5f:b8 ASN1 OID: prime256v1 NIST CURVE: P-256 Signature Algorithm: ecdsa-with-SHA256 30:45:02:20:75:11:0c:e7:b3:73:20:88:d2:67:69:f2:1a:46: fb:d2:67:31:c7:c7:58:b4:9d:e2:48:95:db:bb:1f:1d:24:ab: 02:21:00:d6:30:b9:c0:32:0d:42:74:56:b0:9e:8f:dc:83:1d: e6:a3:af:99:ea:03:97:4c:dc:d0:11:b8:10:a1:5a:29:a5 -----BEGIN CERTIFICATE----- MIICNTCCAdugAwIBAgIIASBoc7pf+E4wCgYIKoZIzj0EAwIwgZQxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3Lndv bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMCIYDzIw MTcwNzE3MTU1MzE4WhgPMjAxODExMzAxNDUzMThaMIGnMQswCQYDVQQGEwJVUzEL MAkGA1UECAwCTVQxEDAOBgNVBAcMB0JvemVtYW4xGDAWBgNVBAoMD3lvdXJPcmdO YW1lSGVyZTEZMBcGA1UECwwQeW91clVuaXROYW1lSGVyZTEbMBkGA1UEAwwSd3d3 LnlvdXJEb21haW4uY29tMScwJQYJKoZIhvcNAQkBFhh5b3VyRW1haWxAeW91ckRv bWFpbi5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQVYg+HEwGXZVxipxyS vGHfJFLtSYmh7UKGrd2/HKg1050sKRLLzgW9QAsk89fgYfJpUSogszQTM+dpuNmB GV+4MAoGCCqGSM49BAMCA0gAMEUCIHURDOezcyCI0mdp8hpG+9JnMcfHWLSd4kiV 27sfHSSrAiEA1jC5wDINQnRWsJ6P3IMd5qOvmeoDl0zc0BG4EKFaKaU= -----END CERTIFICATE----- ``` ## Certificate Signing Request (CSR) Example ``` ./csr_example ecc -----BEGIN EC PRIVATE KEY----- MHcCAQEEICJ7jM8zdrZCoTdaeXfiNkRA0Wbf+JlATRLzMEghvGiToAoGCCqGSM49 AwEHoUQDQgAEdfzfuFaVgG1icB3Bwqkv27zZQdhUyOTHeN/4VbEoiB69EW5luFHy 6MWJEn+5a75Pp/dQKjlTb8Ukp/f7dRr8gg== -----END EC PRIVATE KEY----- (227) Saved Key PEM to "ecc-key.pem" -----BEGIN CERTIFICATE REQUEST----- MIIBTTCB8wIBAjCBkDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQH DAhQb3J0bGFuZDEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1l bnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m b0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHX837hWlYBt YnAdwcKpL9u82UHYVMjkx3jf+FWxKIgevRFuZbhR8ujFiRJ/uWu+T6f3UCo5U2/F JKf3+3Ua/IKgADAKBggqhkjOPQQDAgNJADBGAiEAtaKt31WXJkFgI4dFw6dG45F3 Ia4BEV4KoPCBbMs81vICIQCj4IiuQpYH5dIsFuN8h0QGIfXTxdd9eqNsJJ1ElOXt hA== -----END CERTIFICATE REQUEST----- (530) Saved CSR PEM to "ecc-csr.pem" ``` ``` ./csr_example ed25519 -----BEGIN EDDSA PRIVATE KEY----- MFICAQAwBQYDK2VwBCIEIJAf0KRMwpoM8PcjTgNzMlJLtdGGml5kbZRJUlSChaxY oSIEIBsUx1M7yeJiLIY6I/XrWX0VBcyp3UYa5r2IqLiA8Nrg -----END EDDSA PRIVATE KEY----- (180) Saved Key PEM to "ed25519-key.pem" -----BEGIN CERTIFICATE REQUEST----- MIIBETCBxAIBAjCBkDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQH DAhQb3J0bGFuZDEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1l bnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m b0B3b2xmc3NsLmNvbTAqMAUGAytlcAMhABsUx1M7yeJiLIY6I/XrWX0VBcyp3UYa 5r2IqLiA8NrgoAAwBQYDK2VwA0EAy3o01+L7OaB3qo825GQSKspWijGrFulU1BBQ 3z2Pr2lx6L87awbrWUtwvlXOGHQVl5ZjV+UkZURHMeNnS4Q2CQ== -----END CERTIFICATE REQUEST----- (448) Saved CSR PEM to "ed25519-csr.pem" ``` ## CSR Signing with CA This example shows how to use a CSR to sign it using a CA cert and key to produce an X.509 certificate. To test the csr_sign example configure wolfssl with `./configure -enable-certreq --enable-certgen --enable-ecc --enable-certext CFLAGS=-DOPENSSL_EXTRA_X509_SMALL` or add the defines: ``` #define WOLFSSL_CERT_REQ #define WOLFSSL_CERT_GEN #define WOLFSSL_KEY_GEN #define WOLFSSL_CERT_EXT #define OPENSSL_EXTRA_X509_SMALL ``` ``` % ./csr_sign ecc-csr.pem ca-ecc-cert.der ca-ecc-key.der Loading CA certificate Read 666 bytes from ca-ecc-cert.der CA Cert file detected as DER Loading the CA key Read 121 bytes from ca-ecc-key.der CA Key file detected as DER Loading CA key to ecc_key struct Loading CSR certificate Successfully read 530 bytes from ecc-csr.pem Converted CSR Cert PEM to DER 337 bytes Loaded CSR to DecodedCert struct Decoding Public Key Setting certificate subject Setting certificate issuer Creating certificate... Successfully created certificate 518 Signing certificate... Successfully signed certificate 608 Writing newly generated DER certificate to file "./newCert.der" Successfully output 608 bytes Convert the DER cert to PEM formatted cert Resulting PEM buffer is 879 bytes Successfully converted the DER to PEM to "./newCert.pem" Tests passed ``` ## Certificate Generation Example with alt names The alternate names feature is enabled with the wolfSSL build option `WOLFSSL_ALT_NAMES`. In the certgen_example.c see the `WOLFSSL_ALT_NAMES` sections for how to add this to a CSR. Unfortunately wolfSSL does not yet have an API for this but this example shows how to setup your own ASN.1 format string for using with the wolfSSL certificate structure. TODO: Add an API for this! Example of a cert being generated with this example ``` Certificate: Data: Version: 3 (0x2) Serial Number: 08:1a:be:1b:2e:5a:c5:aa:2c:e5:6d:db:20:22:31:b5 Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com Validity Not Before: May 6 21:14:47 2020 GMT Not After : Sep 19 21:14:47 2021 GMT Subject: C = US, ST = MT, L = Bozeman, O = yourOrgNameHere, OU = yourUnitNameHere, CN = www.yourDomain.com, emailAddress = yourEmail@yourDomain.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:8e:dc:b9:92:59:51:40:2e:3f:33:44:55:70:80: 16:bc:41:84:ab:47:3e:8b:93:6a:a0:16:78:0a:e9: 49:9a:d5:fe:08:cc:c3:23:2f:26:5a:14:cc:b1:8e: db:94:8d:ad:3c:57:a4:3b:4f:e2:f0:7e:28:33:01: 40:57:f0:85:b5 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Subject Alternative Name: DNS:localhost, DNS:example.com, DNS:127.0.0.1 Signature Algorithm: ecdsa-with-SHA256 30:44:02:20:36:08:d9:df:9e:7f:c2:1c:0c:db:06:26:3d:fe: 8e:82:6e:64:07:6e:9b:fb:47:97:0a:d0:63:f6:6c:59:2a:82: 02:20:37:5c:00:eb:0d:7d:95:51:5d:8e:e9:06:c7:a5:6f:7d: 8b:1d:69:8d:8e:f8:5b:ba:13:0e:2a:5f:b4:86:1b:12 -----BEGIN CERTIFICATE----- MIICbjCCAhWgAwIBAgIQCBq+Gy5axaos5W3bICIxtTAKBggqhkjOPQQDAjCBlDEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x ETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQD DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b20wIhgPMjAyMDA1MDYyMTE0NDdaGA8yMDIxMDkxOTIxMTQ0N1owgacxCzAJBgNV BAYTAlVTMQswCQYDVQQIDAJNVDEQMA4GA1UEBwwHQm96ZW1hbjEYMBYGA1UECgwP eW91ck9yZ05hbWVIZXJlMRkwFwYDVQQLDBB5b3VyVW5pdE5hbWVIZXJlMRswGQYD VQQDDBJ3d3cueW91ckRvbWFpbi5jb20xJzAlBgkqhkiG9w0BCQEWGHlvdXJFbWFp bEB5b3VyRG9tYWluLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI7cuZJZ UUAuPzNEVXCAFrxBhKtHPouTaqAWeArpSZrV/gjMwyMvJloUzLGO25SNrTxXpDtP 4vB+KDMBQFfwhbWjMDAuMCwGA1UdEQQlMCOCCWxvY2FsaG9zdIILZXhhbXBsZS5j b22CCTEyNy4wLjAuMTAKBggqhkjOPQQDAgNHADBEAiA2CNnfnn/CHAzbBiY9/o6C bmQHbpv7R5cK0GP2bFkqggIgN1wA6w19lVFdjukGx6VvfYsdaY2O+Fu6Ew4qX7SG GxI= -----END CERTIFICATE----- ``` ## Certificate Signing Request (CSR) Example with Crypto Callbacks Example of generating a PEM-encoded certificate signing request (CSR) using the Crypto Callbacks to show signing against HSM/TPM Tested with these wolfSSL build options: ```sh ./autogen.sh # If cloned from GitHub ./configure --enable-certreq --enable-certgen --enable-certext --enable-keygen --enable-cryptocb make make check sudo make install sudo ldconfig # required on some targets ``` ### `csr_cryptocb` Example output ``` % ./csr_cryptocb Invalid input supplied try one of the below examples Examples: ./csr_cryptocb rsa ./csr_cryptocb ecc ./csr_cryptocb ed25519 ``` ``` % ./csr_cryptocb ecc CryptoCb: PK ECDSA-Sign (4) -----BEGIN CERTIFICATE REQUEST----- MIIBTDCB8wIBAjCBkDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQH DAhQb3J0bGFuZDEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1l bnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m b0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErG SqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIbo IFgzC4A0idigADAKBggqhkjOPQQDAgNIADBFAiEAmJK6ZapcFw4NTjImNoBrpudZ 6sFvRccABG35QyASvIsCIFXcN4Wo5qiH37OjT7dehbdZvQbJFw4hKOtim1gw5Z4p -----END CERTIFICATE REQUEST----- (525) Saved CSR PEM to "ecc-csr.pem" ``` ``` % ./csr_cryptocb rsa CryptoCb: PK RSA (1) -----BEGIN CERTIFICATE REQUEST----- MIIC1jCCAb4CAQIwgZAxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJPUjERMA8GA1UE BwwIUG9ydGxhbmQxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0RldmVsb3Bt ZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu Zm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD A9Er/jmkMkU7U8iEKyp8dJq9qipSB0fWpjayBzKO0Lppe8bDRJ7UgUj9LWiii2e7 oXXINixK0hv3i7rPDfnv7PGBHnubA0eav2XMf2UkaaboFIlb5DT3xbAUk/Vnezp6 eOEBVlaRphNCjdI8QJxM79GG3zdRGwyhO/Xxo0o15OHOlt8bfr9Ol9AQ6KgIMIGv IAtDFMV0Z7Qygm+NhsKIQJk2g7oeQHIiF9dSZSRzsM7vGc2u/3hse8ASA9ROcg1Q bTujO6OZXp3I2QyFs9mK2VQm2236rLv/JUzE0Xn0cdOGQBgTsGO1ck4wxJeEhi1W L9cV93/ArvX8W+X7obrTAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAK+RxSIQ4 CqxYbicHcbFZgHrTy7MOoA8uM5XWIP/AKZ4u64zbF2K6XIMItrfIGEouc6MDfKVh W8ml6O75SR/7h/8S/9GClqcuzFqtNflzmb20Oadkl09sRIXPhFXMpt4V+Zc4cOka kcqL0q+oEU+8naRJJ6pa6LL1NWRq79es4DykvtHcGkx0J1VPlu3ux7iYlQ0fVfRs QUI1z3K52qfuchKW5zwkDjkVDbiWPd0/pbtUW2f8TAC21h0NabwMGISrrxmu6SX2 wI8YHCyLX5sMUosQ78vuGBD0bD5rxil0lzO9pjvWiSLZe0ubJ2Qq+FiuqIqITRiy 5AMQEs5siVCCEA== -----END CERTIFICATE REQUEST----- (1062) Saved CSR PEM to "rsa-csr.pem" ``` ``` % ./csr_cryptocb ed25519 CryptoCb: PK ED25519-Sign (6) -----BEGIN CERTIFICATE REQUEST----- MIIBETCBxAIBAjCBkDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk9SMREwDwYDVQQH DAhQb3J0bGFuZDEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRGV2ZWxvcG1l bnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m b0B3b2xmc3NsLmNvbTAqMAUGAytlcAMhAOZXWxMbx1EUa+079dH6q55stusCCaOZ 9W6/nTz+VDnmoAAwBQYDK2VwA0EAZX+pExcyCYxJHJmmISW8AxfhgJ/PmTPK4+uH 7iTt+VTNvi/Z6IPjlg+UWIbyyCno0RoNnB7GiqnvPn8fVAcsAw== -----END CERTIFICATE REQUEST----- (448) Saved CSR PEM to "ed25519-csr.pem" ``` ## Certificate Generation and Parsing with Custom Extensions Example Example of generating a PEM-encoded and DER-encoded certificate with custom extensions. We then parse those certificates and display the custom extensions using a callback that is called for each unknown extension that is encountered. Tested with these wolfSSL build options: ```sh ./autogen.sh # If cloned from GitHub ./configure --enable-certreq --enable-certext --enable-keygen --enable-certgen --enable-certext CFLAGS="-DWOLFSSL_TEST_CERT -DHAVE_OID_DECODING -DHAVE_OID_ENCODING -DWOLFSSL_CUSTOM_OID" make make check sudo make install sudo ldconfig # required on some targets ``` In the directory where this README.md file is found, build and execute the `custom_ext` and `custom_ext_callback` samples: ```sh make custom_ext make custom_ext_callback ./custom_ext ./custom_ext_callback newCert.der ``` For independent verification of the presence of the extensions, you can pretty-print the certificates using `openssl`: ``` openssl x509 -in newCert.pem -noout -text ``` The output should be similar to this: ``` Certificate: Data: Version: 3 (0x2) Serial Number: 3c:26:f1:35:59:78:2c:1b:56:5f:3d:9c:be:eb:5a:1d Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com Validity Not Before: Mar 3 21:42:52 2022 GMT Not After : Jul 17 21:42:52 2023 GMT Subject: C = US, ST = MT, L = Bozeman, O = yourOrgNameHere, OU = yourUnitNameHere, CN = www.yourDomain.com, emailAddress = yourEmail@yourDomain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:e2:3c:29:23:9f:3d:e4:07:09:2d:61:df:7b:5f: ef:32:cd:17:84:b6:84:b7:44:90:39:39:77:6b:a3: 72:45:88:bd:3f:3a:8a:a7:1d:e6:f0:09:2c:ba:1a: 6b:cf:62:a8:a6:d5:5b:83:21:dc:0e:73:5f:0e:06: f2:53:06:7c:c8:ea:67:82:df:79:4e:18:1b:e2:16: cc:97:aa:d6:72:75:2f:1f:ca:65:e1:40:5b:95:e6: d5:14:ea:de:f1:c1:39:c6:11:3d:a6:01:7b:63:57: 55:8e:b7:d4:54:2e:e2:83:18:a6:74:11:d1:38:87: d0:83:09:80:22:0d:41:ac:cf:40:d4:a1:23:b9:97: 52:b1:e0:88:4d:48:b4:5e:c5:ef:63:c6:3c:e8:42: d7:0d:b0:4a:fe:e1:c4:76:06:4a:a0:a9:0e:0c:45: af:7f:ec:de:78:b8:53:7e:d1:a2:ea:9d:d6:12:3c: a9:cb:88:2d:55:b6:fa:57:d0:28:3e:f1:c0:14:ce: 92:3a:6c:23:56:21:3f:e7:72:d5:8f:94:ee:be:fa: 86:d0:80:6b:3d:bd:ab:b3:5e:08:fb:50:c0:73:0c: 90:18:d3:c3:db:f9:62:56:7f:51:b2:c2:63:b1:00: 1c:6e:da:a3:06:07:52:57:d0:64:cd:a2:11:9f:2d: 93:6b Exponent: 65537 (0x10001) X509v3 extensions: 1.2.3.4.5: critical This is a critical extension 1.2.3.4.6: This is NOT a critical extension Signature Algorithm: ecdsa-with-SHA256 30:45:02:20:7b:5f:77:56:5d:c7:c7:06:8e:bf:c4:95:fa:cc: 71:c8:e8:77:61:6c:7d:d3:84:1d:53:c3:2e:02:5c:77:06:e8: 02:21:00:bf:f0:b4:0f:5c:fd:2b:16:92:35:43:7e:dc:59:bd: 0f:8e:c0:82:e9:54:5d:57:7f:0e:e6:7d:5a:46:27:75:cb ``` Note the section titled "X509v3 extensions:".