How to get an SCT?

K T

Aug 6, 2018, 9:02:03 PM
to certificate-transparency
Is there a Trillian + CTFE tutorial or script for submitting a precertificate and getting an SCT back from a log?

Martin Smith

Aug 7, 2018, 5:34:14 AM
to certificate-...@googlegroups.com
Hi,

You can use any available CT log client to do this. For example:


Martin

On Tue, 7 Aug 2018 at 02:02, K T <mtayl...@gmail.com> wrote:
Is there a Trillian + CTFE tutorial or script for submitting a precertificate and getting an SCT back from a log?

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/d82e1705-f73c-4960-8cc2-de4f6c2744dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

K T

Aug 7, 2018, 1:13:13 PM
to certificate-transparency
Thanks. Is there any documentation on that?




Alex Cohn

Aug 7, 2018, 3:28:54 PM
to certificate-...@googlegroups.com
If you have a working Go installation, you can download, compile, and install the tool Martin recommended with
and then view the utility's builtin list of commands:
$ ctclient
You're looking for the upload command. To see the available options, use
$ ctclient -h
Specify the path to the PEM-format (pre)certificate chain file and which log you want to add it to:
$ ctclient -log_name argon2018 -cert_chain /path/to/chain.pem upload
Assuming everything goes OK, you will get a text-format SCT back.

What are you trying to do with the SCT? Usually, the only reason one would want to add a precertificate to a log is to get an SCT to embed in a final certificate, but you can only do that if you're operating a trusted CA.

It would be helpful if you could also explain a little more about what you're trying to achieve here - what have you done already? What do you have currently, and what's your end goal?

BTW, the ctclient utility is not specific to Trillian/CTFE and should work with any RFC6962-compliant CT log.

Alex


K T

Aug 7, 2018, 4:54:26 PM
to certificate-transparency
Thanks. I'm creating an internal CA and CT log. I would like to be able to submit certificates I've created to my CT log and get back SCTs. 

I just tried the following:

ctclient -log_uri http://localhost:6965/athos -cert_chain bundle.pem upload


I used the first part of a demo script in the certificate-transparency-go repo to start up a CT personality at the above URI. I'm getting the following error:

2018/08/07 13:39:16 Upload failed: "got HTTP Status \"400 Bad Request\"", detail:

  Bad Request

failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority


I'm aware that this error is due to the fact that I'm not a known CA, but then how can I use my own log?

David Drysdale

Aug 8, 2018, 2:28:42 AM
to certificate-...@googlegroups.com
That demo script uses a configuration file for the CT personality that only includes a couple of test root certificates.  If you edit that config file to add extra roots_pem_file: entries for your test CA, that should help.

Regards,
David
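
Added example (not part of the thread and not code from certificate-transparency-go): a Go program, using only the standard crypto/x509 package, that approximates the accepted-roots check behind the 400 response quoted above and shows why adding the internal CA as a root resolves it. The names newCert and logAccepts and the certificate subjects are hypothetical, the certificates are constructed test data, and the log's own validation differs in detail (for example, the standard library enforces validity dates).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a constructed, short-lived test certificate; parent == nil yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// logAccepts checks that chain[0] verifies to one of roots, with chain[1:] as intermediates.
func logAccepts(roots, chain []*x509.Certificate) (unknownCA bool, err error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rp.AddCert(r)
	}
	for _, c := range chain[1:] {
		ip.AddCert(c)
	}
	_, err = chain[0].Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return errors.As(err, new(x509.UnknownAuthorityError)), err
}

func main() {
	testRoot, _ := newCert("demo test root", nil, nil) // stands in for the demo config's test roots
	myCA, caKey := newCert("internal test CA", nil, nil)
	leaf, _ := newCert("host.internal.example", myCA, caKey)
	chain := []*x509.Certificate{leaf, myCA}
	fmt.Println(logAccepts([]*x509.Certificate{testRoot}, chain))       // true, plus the x509 error
	fmt.Println(logAccepts([]*x509.Certificate{testRoot, myCA}, chain)) // false <nil>
}
```

The first call corresponds to a log whose configured roots do not include the submitter's CA; the second corresponds to the same log after that CA has been added as an accepted root.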
 

K T

Aug 8, 2018, 3:42:14 PM
to certificate-transparency
That worked! Thanks.