PKI Activities





Introduction

This page presents some of my involvement with Digital Certificates and Public Key Infrastructure.

One sign of too much involvement in X.509 is to have your own OID arc.  Mine, like thousands of others, is an IANA Private Enterprise Number:

https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

Thus HTT Consulting's arc is:

1.3.6.1.4.1.6715

It has been used for testing and demonstrations, but not for any lasting OIDs.  That is probably for the best.

Over the years, I have run hot and cold about digital certificates and supporting infrastructure.  It is just so complicated, but there is really no large-scale alternative.

The only related standard that has my name attached is IEEE 802.1AR-2009.

New things are coming to PKI: new algorithms and encodings.

Watch here for some of these developments!


Roll your own CA

I have always wanted to be able to build my own CA.  I have looked at a number of packages, and one of these days I will actually choose one.  Meanwhile...

A good tutorial for rolling your own PKI using RSA certificates has been done by Jamie Nguyen:

https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

Jamie's guide follows the "Common Practice" of using distinguishedName for all naming, not using subjectAltName.

But I want an ECDSA PKI that follows the RFCs and current Best Practice using subjectAltName, so I had to take Jamie's work and, with other sources, develop a quick guide, which I published as an Internet Draft:

https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/

Jamie's guide is still very much worth reading, as it goes into a lot of the 'why' as well as showing results.  I do not plan on adding this level of detail.

What I need to do is add CRL and OCSP support.

It was a bit of a bumpy road; check out the Footnotes section of the draft for some of those bumps.

I really want to move on to EdDSA certificates, but that has to wait for OpenSSL 1.1.1.

Or, more likely, we will sooner have Internet Drafts for using CBOR for certificate encoding!  This should make them much smaller.


Adding 802.1AR Certificates to your CA

I am a strong advocate of the IEEE 802.1AR Secure Device Identity technology built on top of X.509.  It does have its specific certificate profile.  The following steps through creating a specific 802.1AR Intermediate ECDSA CA and then the device ECDSA certificates.

This is now included in the above Internet Draft.

There is still work to do on this guide.  In particular, the subjectAltName (SAN) may not be right.  I am still researching the use of hardwareModuleName (HMN).  And the certificates still need to be checked against the 802.1AR PICS (Protocol Implementation Conformance Statement).

You can email Robert at his desk: rgm at htt-consult.com

Updated


© Robert G. Moskowitz -- 2017