Re: [pkix] RFC 5280 and example of a self signed end-entity certificate?

Jeffrey Walton <noloader@gmail.com> Thu, 24 November 2016 22:57 UTC

In-Reply-To: <7BE59266-C79D-42FD-A088-70531D6EB4D4@gmail.com>
References: <CAH8yC8m886wq8DOzLcyXgkqQW4vmYCzCdvS78PBtcifMJUEGXA@mail.gmail.com> <1479624960309.7436@cs.auckland.ac.nz> <7BE59266-C79D-42FD-A088-70531D6EB4D4@gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 24 Nov 2016 17:56:50 -0500
Message-ID: <CAH8yC8nJSWmEVcbCzeWyO4wzF+jdGQ0Ljht4KnZZ39YoLSnfcQ@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/WZZk-dnfSQ0Q49x5gL1_vmeLEw4>
Cc: PKIX <pkix@ietf.org>

On Sun, Nov 20, 2016 at 2:06 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
> On 20 Nov 2016, at 8:56, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
> Jeffrey Walton <noloader@gmail.com> writes:
>
> Does anyone know where I might find an example of a elf-signed end-entity
> certificate?
>
>
> By finding an elf and getting them to sign one for you?  Alternatively, if
> you
> want a *self*-signed EE cert, by signing one yourself?  Or am I missing
> something here…
>
>
> I think you’re missing this:
>
> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Forgive me if I am wrong... That creates a malformed server certificate
because the hostname is placed in the CN and not the SAN, it uses SHA1
by default, and it fails to use UTF-8 strings by default. At minimum,
it's not following best practices and using deprecated methods.

I'm also interested in seeing what an "ideal" or "minimal" client
certificate should look like. Especially how a principal name, like
"jdoe" (used as a corporate login), should appear since it's probably
distinct from the Subject DN.

Jeff
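A self-signed end-entity certificate built the way this reply asks for, as an added example that is not part of the thread: the name goes in the SAN (the CN is only a label), the signature is SHA-256, strings are UTF-8, and the cert is marked CA:FALSE with an end-entity key usage. The "client" variant shows one way to carry a login principal in the SAN as an rfc822Name plus a Microsoft UPN otherName. It assumes an OpenSSL CLI; the hostname, the principal and the output paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a self-signed end-entity cert:
# the name lives in the SAN (CN is only a label), SHA-256 signature, UTF-8
# strings, CA:FALSE with an end-entity key usage.
# "server" puts the hostname in dNSName; "client" puts the principal in the SAN
# as rfc822Name plus a Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3).
# Assumes an OpenSSL CLI; names and paths are constructed for the example.
set -eu

make_ee_cert() {            # usage: make_ee_cert server|client NAME OUTDIR
  kind="$1"; name="$2"; dir="$3"
  if [ "$kind" = server ]; then
    eku=serverAuth; san="DNS:$name"
  else
    eku=clientAuth; san="email:$name,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$name"
  fi
  mkdir -p "$dir"
  cat > "$dir/ee.cnf" <<EOF
[ req ]
default_md         = sha256
string_mask        = utf8only
prompt             = no
distinguished_name = dn
x509_extensions    = ee_ext
[ dn ]
CN = $name
[ ee_ext ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = $eku
subjectAltName       = $san
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ee.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Returns 0 only if the cert is SHA-256 signed, not a CA, carries the expected
# SAN entry, and encodes its subject as UTF8STRING rather than PrintableString.
check_ee_cert() {           # usage: check_ee_cert CERT SAN_SUBSTRING
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  echo "$txt" | grep -q 'CA:FALSE' || return 1
  echo "$txt" | grep -q -- "$2" || return 1
  openssl asn1parse -in "$1" | grep -q 'UTF8STRING' || return 1
}
```

Run `make_ee_cert server www.example.com out/srv` and then `check_ee_cert out/srv/cert.pem 'DNS:www.example.com'`; the check fails on the one-liner quoted above because it produces no SAN at all.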