X.509 Libraries

I am looking for a library / module / package with which I could create and sign X.509 certificates, with the ability to conditionally add custom v3 extensions, which can be quite complicated; for example, this bletcherous piece of openssl.cnf used by Kerberos PKINIT is just to represent foo@EXAMPLE.ORG:

  [v3_extensions]
  # pkinitSan must be a known OID name (id-pkinit-san is 1.3.6.1.5.2.2; declaring it is assumed, not shown here)
  subjectAltName = email:foo@example.org, otherName:pkinitSan;SEQUENCE:krb_princ_name_1

  # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
  [krb_princ_name_1]
  realm = EXP:0,GeneralString:EXAMPLE.ORG
  principal_name = EXP:1,SEQUENCE:krb_princ_seq_1

  # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
  [krb_princ_seq_1]
  name_type = EXP:0,INTEGER:1
  # name-string carries tag [1] (the original snippet had EXP:0 here)
  name_string = EXP:1,SEQUENCE:krb_principal_1

  [krb_principal_1]
  princ0 = GeneralString:foo

Everything I have found for the languages that I know (Perl, Python, Ruby, PHP, Bash and some C#) uses openssl from the command line with automatically generated .cnf files ... which is an ugly process. Is there a better way to do this? (Ruby 'openssl' at first looked very pretty, but then I ended up in PKINIT ...)

+6
3 answers

As it turned out, I added exactly this information to the documentation for Ruby 1.9.3, which was recently published by James Britt. Look at the documentation for OpenSSL::X509::Certificate; it should answer all your questions.

Modifying the examples to create the specific extensions listed in your example should be simple if the extension is supported by OpenSSL itself.

In more complex cases, for example the custom otherName in your example, you can still use OpenSSL::X509::Extension, which, unfortunately, has not yet been documented. On the other hand, the OpenSSL::ASN1 module, necessary for such custom extensions, was documented for 1.9.3, and all the code / advice presented there should also apply to 1.9.2. You can also use the ASN1 module to create a multi-valued version of subjectAltName.

+4
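The approach in the answer above, worked through as an added Ruby example (not code from the answer's author or from the Ruby documentation): the PKINIT otherName is assembled with OpenSSL::ASN1 and handed to OpenSSL::X509::Extension, and then decoded again so a verifier can check which principal a certificate actually binds. The OID 1.3.6.1.5.2.2 (id-pkinit-san, RFC 4556) and the helper names are my assumptions; the question does not spell them out.

```ruby
require 'openssl'

# id-pkinit-san from RFC 4556; assumed here, the question never spells out the OID.
PKINIT_SAN_OID = '1.3.6.1.5.2.2'.freeze

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
# PrincipalName     ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
# Returned already inside the [0] EXPLICIT tag that OtherName.value requires.
def krb5_principal_name(realm, components, name_type = 1)
  strings = components.map { |c| OpenSSL::ASN1::GeneralString.new(c) }
  principal = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(name_type, 0, :EXPLICIT),
    OpenSSL::ASN1::Sequence.new(strings, 1, :EXPLICIT)
  ], 1, :EXPLICIT)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::GeneralString.new(realm, 0, :EXPLICIT),
    principal
  ], 0, :EXPLICIT)
end

# subjectAltName = GeneralNames holding an rfc822Name ([1] IMPLICIT IA5String) and a
# PKINIT otherName ([0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }).
def pkinit_subject_alt_name(email, realm, components)
  rfc822 = OpenSSL::ASN1::IA5String.new(email, 1, :IMPLICIT)
  other = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(PKINIT_SAN_OID),
    krb5_principal_name(realm, components)
  ], 0, :IMPLICIT)
  names = OpenSSL::ASN1::Sequence.new([rfc822, other])
  OpenSSL::X509::Extension.new('subjectAltName', names.to_der, false)
end

# Decodes the extension again: the extension DER is SEQUENCE { OID, [BOOLEAN,] OCTET STRING },
# and the OCTET STRING carries the GeneralNames. Context-specific tags decode as ASN1Data.
def parse_pkinit_san(ext)
  ext_seq = OpenSSL::ASN1.decode(ext.to_der)
  names = OpenSSL::ASN1.decode(ext_seq.value.last.value)
  result = {}
  names.value.each do |gn|
    case gn.tag
    when 1 then result[:email] = gn.value
    when 0
      oid, wrapped = gn.value
      next unless oid.oid == PKINIT_SAN_OID
      realm_t, princ_t = wrapped.value.first.value
      result[:realm] = realm_t.value.first.value
      _type_t, strs_t = princ_t.value.first.value
      result[:principal] = strs_t.value.first.value.map(&:value)
    end
  end
  result
end
```

The extension object can be appended to an OpenSSL::X509::Certificate with add_extension before signing; decoding it back is the check worth keeping in a CA pipeline, since the printable ext.value only shows the otherName as unsupported.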

I would use OpenSSL directly, or a thin wrapper around a library such as the Ruby openssl library.

OpenSSL is a very powerful and reliable toolkit - and it has the added benefit that you can call it the same way from any scripting language. Using OpenSSL command line tools, you have the advantage that you can interact with the command line to help debug your script; you can also manually generate certificates outside of your script using the same CA.

+2

Our SecureBlackbox allows you to create and manage X.509 certificates in C# and allows you to add custom extensions. I believe that BouncyCastle can do this.

+1

Source: https://habr.com/ru/post/898545/
