[openssl-users] How to add CT Precertificate SCTs to a server certificate?

193 views
Skip to first unread message

Jeffrey Walton

unread,
Apr 19, 2015, 7:34:02 PM4/19/15
to
Browsers are starting to enforce Certificate Transparency (CT).

Below is a sample of CT Precertificate SCTs, which is required for CT.
It includes a new certificate extension with an OID of
1.3.6.1.4.1.11129.2.4.2.

How do we use `openssl req` and a CONF file to add the information
(assuming we already have the certified timestamps)?

*****

$ openssl s_client -connect embed.ct.digicert.com:443 -tls1
-servername embed.ct.digicert.com | \
openssl x509 -text -noout
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e0:aa:80:19:13:06:8a:28:73:f0:24:29:3e:e4:61
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Validity
Not Before: Nov 13 00:00:00 2014 GMT
Not After : Nov 18 12:00:00 2015 GMT
Subject: C=US, ST=Utah, L=Lehi, O=DigiCert, Inc.,
CN=embed.ct.digicert.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:64:73:61:53:66:b8:aa:80:c7:cc:53:67:6a:
df:da:a9:b1:6a:c5:53:63:55:5f:14:4c:b3:27:d1:
3c:e4:0a:1a:e7:16:48:bc:15:46:7e:63:e8:27:3c:
c5:28:bd:79:cf:34:d5:9a:67:1e:0c:27:6e:ec:00:
5e:69:38:5b:a7:16:4f:b9:09:ec:fc:7e:f2:41:b7:
f9:54:f4:6c:c3:22:a6:f5:99:f4:be:9d:64:26:75:
9e:b2:b9:16:d7:f5:51:9f:53:ce:74:ca:d6:d6:7a:
4a:d4:4d:0e:4d:73:93:30:3c:b9:b8:1d:a0:d8:94:
8c:59:7e:82:a4:4c:82:fc:c3:73:7f:b1:56:28:4e:
b5:f7:73:53:ac:7b:30:a4:bc:b9:6c:c0:b6:67:0d:
19:5e:40:22:11:11:8c:6d:3a:87:47:08:e6:5c:7b:
17:7c:64:7a:a1:ff:8c:7c:37:b6:b7:91:2c:c2:90:
7e:cc:48:1f:57:1e:f9:db:d4:ac:cf:d9:2b:60:ff:
13:2d:88:c5:7e:d8:eb:ec:ed:85:d7:9e:f9:56:32:
ca:c1:6b:24:64:9f:63:ba:83:ee:a1:85:4a:e3:ad:
45:8c:92:95:3a:e0:80:91:9b:60:b5:75:88:86:4e:
0f:81:8c:b5:f4:77:fd:e5:f3:36:f6:33:d6:2b:a0:
c4:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:

keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

X509v3 Subject Key Identifier:
88:4F:83:16:87:AD:AE:1E:FF:04:4A:79:66:92:C6:9F:62:69:4F:B1
X509v3 Subject Alternative Name:
DNS:embed.ct.digicert.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:http://crl3.digicert.com/ssca-sha2-g3.crl

Full Name:
URI:http://crl4.digicert.com/ssca-sha2-g3.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS

Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers -
URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Nov 13 16:57:03.632 2014 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:06:14:6A:E3:6D:0F:84:5D:6A:98:E7:29:
94:80:8B:F2:A4:23:85:68:4E:F9:BC:50:7C:FF:7B:94:
EB:20:54:82:02:21:00:91:63:83:FD:F6:31:5E:38:08:
AF:A7:5E:00:B7:0B:9B:1F:8B:FD:4D:7E:49:3C:43:E6:
64:E5:4B:F9:60:D7:89
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
Timestamp : Nov 13 16:57:03.619 2014 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:61:4F:69:89:80:6A:62:2D:8E:A2:D0:24:
A5:E2:1D:74:67:51:77:C1:9B:DE:99:DE:16:56:2B:02:
77:A8:25:49:02:21:00:D3:41:6C:5D:88:40:F0:7A:FE:
E0:25:09:86:71:63:86:49:54:DD:96:E4:B5:9B:4A:84:
65:A9:25:12:F1:B7:E0
Signature Algorithm: sha256WithRSAEncryption
62:0c:d1:51:08:8a:a3:d1:df:bc:53:ba:e9:58:67:41:ea:5f:
e3:51:f2:0b:9d:24:b4:77:6a:cf:96:ff:c5:ce:1c:55:1e:77:
8a:49:46:7d:19:ef:52:4f:d3:24:b1:f2:95:60:67:40:d4:d1:
f4:27:e4:66:55:45:c6:a5:51:a6:87:d0:09:af:f6:48:9b:df:
24:c9:28:ad:47:b9:f6:a3:86:cb:64:64:3d:90:92:0e:94:f7:
d2:8b:d6:79:b4:df:f2:3f:f5:6e:ea:08:b3:b0:37:87:a3:30:
a7:f1:db:b7:86:b2:39:64:35:93:ee:5f:7b:01:51:5f:b1:e1:
e0:d1:5d:a6:e6:a3:53:3f:66:97:16:8f:18:c4:fa:fc:8e:85:
79:a1:95:7b:69:0b:f5:a4:92:1f:04:cf:ed:f6:95:e3:8f:b4:
2a:6a:be:0c:a2:b6:53:99:5d:50:78:23:1c:fb:cb:2e:1d:be:
b5:8d:83:2e:08:96:f8:c9:be:96:13:ed:61:0f:cf:57:44:ff:
3a:d5:10:b0:bd:08:1f:27:c4:cf:97:17:e8:6a:62:bc:6d:e9:
64:39:a0:36:79:d6:02:84:b7:47:26:9b:5d:b1:92:aa:f1:36:
1a:31:9e:27:f2:25:54:89:17:ac:56:54:b0:e0:41:67:e4:b8:
7b:e0:2c:88
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply all
Reply to author
Forward
0 new messages