2024-10-11 10:43:25 +00:00
# Set up CA
## Sources:
- https://www.jimby.name/techbits/recent/openssl_tsa/
## Create directory
```bash
# mkdir certs db private ## should already be created
# chmod 700 private ## should already be set
touch db/index
openssl rand -hex 16 > db/serial
echo ‘ 1001’ > db/crlnumber
echo 01 > tsa_serial
```
## Create files for certificate authority
Create a new private key and root CA certificate request in one step:
```bash
openssl req -new -newkey rsa:2048 -config ./rootca.conf -out ca/root-ca.csr -keyout ca/private/root-ca.key
```
Don’ t forget the password – you’ ll need it again and again below.
Now self-sign the certificate request.
```bash
openssl ca -selfsign -config ./rootca.conf -in ca/root-ca.csr -out ca/root-ca.crt -extensions ca_ext
```
Check the certificate:
```bash
openssl x509 -text -in ca/root-ca.crt -noout
```
## Create certificate for timestamp
To proceed, we first make a key and a certificate request for a non-CA certificate. We use the -subj option so we don’ t
have to use a configuration file for this step. The Country (C=US) and Organization (O=Example Inc.) elements must
match the root certificate.
```bash
openssl req -new \
-newkey rsa:2048 \
-subj "/C=US/O=Example Inc./OU=Engineering/CN=Example Inc. TSA Responder" \
-keyout ca/private/tsa.key \
-out ca/tsa.csr
```
You should use a different password for the tsa.key private key.
Then we generate a non-CA certificate using the -extension tsa_ext command line option which points to the required
extendedKeyUsage in the configuration file.
```bash
openssl ca -config ./rootca.conf -in ca/tsa.csr -out ca/tsa.crt -extensions tsa_ext -days 365
```
Sign with the root-ca.key private key password, and commit to the database.
Examine the new TSA certificate as follows:
```bash
openssl x509 -in ca/tsa.crt -text -noout
```
Ensure that it has CA: false , keyUsage nonRepudiation, and extendedKeyUsage timeStamping.
Requests to the time stamp service usually require that the reply include the certificate chain of the service. We now create the certificate chain as follows:
First, extract just the PEM form of the x509 certificates for root-ca.crt and tsa.crt :
```bash
openssl x509 -in ca/root-ca.crt -outform PEM -out ca/root-ca.pem
openssl x509 -in ca/tsa.crt -outform PEM -out ca/tsa.pem
```
Next, concatenate the two bare certificates ensuring that the root certificate is last in the file:
```bash
cat ca/tsa.pem ca/root-ca.pem > ca/tsa-chain.pem
```
You can verify this chain by just viewing the file:
```bash
cat ca/tsa-chain.pem
```
## Generate a timestamp request
Ok! We are now ready to create a time stamp request. First, we prepare a query:
```bash
openssl ts -query -config ./rootca.conf -cert -data /etc/hosts -out /tmp/request.tsq
```
View the request with
```bash
openssl ts -query -in /tmp/request.tsq -text
```
Note that since we did not request certificate checking (using the -cert option in the request command above), the text
output of this command shows “Certificate required: no”. Also, note that we did not specify our own configuration
file in the above example.
If you want to use a stronger digest algorithm, specify it on the command line (sha512 requested here):
```bash
openssl ts -query -config ./rootca.conf -data /etc/hosts -out /tmp/request.tsr -sha512
```
## Generating a reply
We can now process a reply to the the request. Note that the openssl ts -reply sub-command does require a configuration
file, including the all the tsa sections. In particular, it uses the tsa_policy1(2,3) options we added at the top of the file.
Here (and everywhere you utilize the services of the tsa.crt certificate), you must enter the password for the tsa
certificate private key.
```bash
openssl ts -reply -config ./rootca.conf -queryfile /tmp/request.tsq -chain ca/tsa-chain.pem -out /tmp/response.tsr
```
```bash
openssl ts -reply -config ./rootca.conf -in /tmp/response.tsr -text
```
## Verification
Openssl can also verify the received timestamp ensuring that the data file or data digest the query was based on still
applies to the current version of the file.
```bash
openssl ts -verify -queryfile /tmp/request.tsq -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
```
The OK response ensures that the original signed timestamp is correctly authorized by the root and tsa certificates
(in PEM format).
```bash
openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
```
2024-10-11 14:12:33 +00:00
2024-10-22 14:37:31 +00:00
# Préparation à partir d'un certificat d'horodatage au format pkcs12
2024-10-11 14:12:33 +00:00
## Extraire les infos
```bash
openssl pkcs12 -info -in horodatage.p12 -legacy
```
Ca demandera un mot de passe pour déchiffrer, et un autre mot de passe pour chiffrer la clé qui apparaitra.
- on recopie la clé et on fait un copier-coller dans /run/user/1000/ca/private/tsa.key
- on recopie tous les certificats, on supprime les interligne, et on colle ça dans /run/user/1000/ca/tsa-chain.pem
- on recopie le premier certificat, pour céer /run/user/1000/ca/tsa.crt